Thursday, July 25, 2019

Procedures for Fraud and Active Duty Alerts

Does a consumer reporting agency have any obligations regarding fraud and active duty alerts? Also, as a lender, what procedures do we have to follow if the credit bureau notifies us of existing fraud or an active duty alert?

Your first question requires an extensive response. However, I think a brief statement can be helpful. The FCRA imposes various obligations on consumer reporting agencies concerning fraud and active duty alerts. The obligations include the requirement to notify prospective users of a consumer report on a consumer who has placed an alert in his or her file that the consumer does not authorize the establishment of a new credit plan or extension of credit (other than under an existing open-end credit plan), unless the user follows certain procedures set forth in the FCRA. [15 USC §§ 1681c-1, 1681c-2]

So, this leads to a brief outline of certain procedures. When a consumer report reflects an existing initial fraud alert or active duty alert, to establish a new credit plan or an extension of credit (other than under an open-end plan) in the name of the consumer, or to grant any increase in the credit limit on any existing credit account, the prospective user must: 

1. Utilize reasonable policies and procedures to form a reasonable belief that the user knows the identity of the person making the request; and

2. If the consumer requesting the alert specified a telephone number to be used for identity verification purposes, either:
   a. Contact the consumer at the telephone number; or
   b. Take reasonable steps to verify the consumer’s identity and confirm that the application for a new credit plan is not the result of identity theft. [15 USC § 1681c-1(h)(1)]

When a consumer report reflects an existing extended fraud alert, to establish a new credit plan or an extension of credit (other than under an open-end plan) in the name of the consumer, or to grant any increase in the credit limit on any existing credit account, the prospective user must contact the consumer in person or use the contact method designated by the consumer to confirm that the application for a new credit plan or increase in credit limit is not the result of identity theft. [15 USC § 1681c-1(h)(2)]

Jonathan Foxx, Ph.D., MBA
Managing Director
Lenders Compliance Group

Thursday, July 18, 2019

UDAAP Enforcement Actions: A Brief List

I know that you track all the regulations and acts that affect financial institutions involved in the mortgage industry. I am a little concerned that the CFPB is not enforcing violations of federal regulations since the new Administration came to power. Specifically, I am concerned that the current Administration is not enforcing UDAAP. I would like to know your sense of how much the CFPB is going after such enforcement. What kinds of violations are they going after?

Thank you for your question. Your concern goes to the core of the CFPB’s raison d’être. Since the enactment of the Dodd-Frank Act – and especially since the toning down of CFPB enforcement under the Trump Administration – commentators have speculated about how aggressively the CFPB would continue to pursue its broad regulatory authority. I think an impartial observer would say that enforcement has slowed down, but it has certainly not stopped.

The CFPB has broad authority to regulate unfair, deceptive, or abusive acts and practices (UDAAP). Federal statutes had previously given similar authority to federal agencies, including the Federal Trade Commission under Section 5 of the FTC Act and under Section 511 of the Credit CARD Act of 2009 (regulation of mortgage lending), and the Federal Reserve Board under the FTC Act and the Truth-in-Lending Act. Most of the States have adopted their versions of UDAAP statutes.

In our tracking of regulatory enforcement actions by the CFPB, there has been a slew of enforcements over the years. If we go back four years to July 2015, there have been many enforcement actions involving UDAAP violations. Under the current Administration, such enforcement has continued.

What should be of particular interest is the kinds of violations that the CFPB has pursued since January 2017, the month that the Administration came to power. Therefore, I would like you to consider the following brief list I have compiled of UDAAP allegations and alleged violations since January 2017. Though the list is not meant to be comprehensive, I have endeavored to narrow the focus to only mortgage lenders and servicers. I have given myself some flexibility in identifying regulations that involve UDAAP applicability.

The list will let you learn from the mistakes of others. The companies range from small regional financial institutions all the way up to the biggest banks in the world. The companies’ names don’t matter. Their size and complexity do not pertain. Don’t let yourself get caught in the regulatory net. What matters are the alleged violations!

  • Giving the runaround to borrowers trying to save their homes [RESPA and Reg. X 1024.41; D-F 1031, 1036]
  • Collecting illegal fees from struggling borrowers [Telemarketing Sales Rule; D-F 1031]
  • Illegal kickback scheme [RESPA 8(a) and Reg. X]
  • Accepting illegal kickbacks [RESPA 8(a) and Reg. X]
  • Consistently failing to report accurate HMDA data [HMDA]
  • Falsely representing that attorneys were involved in collecting debts [D-F 1031, 1036; FDCPA]
  • Mortgage servicing failures [D-F 1031, 1036; FDCPA; RESPA; TILA; HPA]
  • Deceiving consumers by collecting debt not legally owed [TILA; D-F 1031, 1036, 1064(a)–(b)]
  • Failing to provide mortgage borrowers with protections against foreclosure [RESPA, Reg. X]
  • Misleading credit repair customers and charging illegal fees [Telemarketing Sales Rule; D-F 1031, 1036]
  • Steering consumers to lenders who offered illegal or unlicensed loans void in the consumers’ states [D-F 1031, 1036]
  • Lying in loan offerings to consumers awaiting payments from settlements [D-F 1054]
  • Steering consumers to an affiliated title insurer without disclosing the affiliation [RESPA § 8]
  • Lying about affiliation with the federal government to lure consumers into paying illegal advance fees [Telemarketing Sales Rule; D-F 1031]

Thursday, July 11, 2019

Compliance Management System - Exam Readiness

I hope you can help us. We are a bank in the southwest. I am the compliance manager. Recently, we were notified that the FDIC took issue with our compliance management system. I am not making excuses, but we do not have much staff here – really, it’s mostly me! – and providing everything the regulator is asking of us is kind of overwhelming. The CFPB also advised that we show “significant weaknesses” in our compliance management. All of this has to do with our readiness and overall compliance program. I have two questions. 

First, I heard that you offer an inexpensive review of the compliance management system. Can you please tell me about it and send me information? 

And, secondly, I need to know what to read and how to get our compliance program in shape. Where do I start? Our next review is in 90 days, and I want to be ready. Any feedback you offer will be appreciated!

I understand your situation. We received your inquiry a few days ago and, considering the urgency, I have prioritized it for this week's FAQ. The CFPB has spent considerable resources in the enforcement and examination of a financial institution’s Compliance Management System (“CMS”). The Bureau has certainly gotten people’s attention with a myriad of highly publicized consent orders. Since it began issuing such orders in 2011, the CFPB has often used the “significant weaknesses” terminology to describe the integrity of a compliance program, notwithstanding that these findings are usually accompanied by alleged violations of certain federal consumer financial laws. You do not mention a specific area, department, or function, but deficiencies regularly are cited against entities engaged in credit card lending, mortgage lending, auto lending, payday lending, check cashing services, payment processing, collections, and other financial activities.

It can seem at times overwhelming, and even exasperating, to be sure that your firm meets all the CMS compliance requirements – especially if staffing, resources, and research depth may limit the fulfillment of the regulator’s expectations. Whatever the case, you need to be ready to evaluate three interdependent elements: Board and management oversight; the compliance program itself; and the auditing of the compliance program.

So, to your first question about getting prepared for the CMS examination, that is why we developed the CMS Tune-up!™ We pioneered this approach because (1) it is cost-effective, (2) it provides actionable findings, and (3) it is conducted quickly and concisely. You receive a report, with findings and a risk rating. In fact, the CMS Tune-up!™ is designed to act like an actual examination. This means you prepare for the forthcoming examination effectively.

Your financial institution should establish a formal, written, ratified compliance program, if you have not already done so. In addition to being a planned and organized effort to guide compliance activities, the written program represents an essential source document that serves as a training and reference tool for all employees. A well-planned, implemented, and maintained compliance program may prevent or at least reduce regulatory violations and provide cost efficiencies. In any event, it is mandatory for safety and soundness.

To be ready for the examination, you must be sure that you meet the examination guidelines for policies and procedures, training, monitoring, and consumer complaint response. The following questions should be at the forefront of your self-assessment.

Friday, July 5, 2019

Risk-based Pricing and Adverse Action

Is it true that an Adverse Action Notice may be issued instead of the Risk-based Pricing Notice?

For purposes of the Risk-based Pricing Notice requirement, “credit” includes credit as defined by the Equal Credit Opportunity Act (ECOA). Business credit is excluded from the requirements. Based on the broad definition of credit under the ECOA, the risk-based pricing notice requirement applies to residential mortgage loans. [12 CFR §§ 222.70(a)(2) and 222.71(h); 16 CFR §§ 640.1(a)(2) and 640.2(h)]

Unless an exception applies, under the risk-based pricing rules the lender must provide the consumer with a risk-based pricing notice containing specific information in the form and manner required by the rules if the lender both: 
  1. Uses a consumer report in connection with an application for, or a grant, extension, or other provision of, credit to the consumer that is primarily for personal, family, or household purposes; and
  2. Based in whole or in part on the consumer report, such lender grants, extends, or otherwise provides credit to that consumer on material terms that are materially less favorable than the most favorable material terms available to a substantial proportion of the consumers from or through that person. [12 CFR § 222.72(a); 16 CFR § 640.3(a)]

But note my qualifying phrase, “unless an exception applies.” There are various exceptions, one of which happens to be the Adverse Action Notice. A lender is not required to provide a Risk-based Pricing Notice to the consumer if the lender provides an Adverse Action Notice to the consumer pursuant to the FCRA requirements. [12 CFR § 222.74(a); 16 CFR § 640.5(a)] 

The exception reflects a key aspect of the Risk-based Pricing Notice requirements, that is, the notice is required only when credit is actually granted, extended or otherwise provided.

Jonathan Foxx, Ph.D., MBA
Managing Director