Mortgage Banking Update - November 10, 2022
In This Issue:
- Podcast: Fifth Circuit Rules That the Consumer Financial Protection Bureau Is Unconstitutionally Funded: What Does the Decision Mean? A Deep Dive With Special Guest Isaac Boltansky, Managing Director and Director of Policy Research, BTIG
- CFPB Responds to Fifth Circuit Ruling That its Funding Mechanism Is Unconstitutional
- Populus Financial Group and CFPB Agree to Stay of CFPB Lawsuit Pending Issuance of Fifth Circuit’s Mandate in Decision Holding CFPB’s Funding Mechanism Is Unconstitutional
- Fifth Circuit Denies Rehearing En Banc in Case With Implications for CFPB’s Use of Administrative Law Judges
- VA Issues Proposed Refinance Loan Rule
- FTC Issues Advance Notice of Proposed Rulemaking on ‘Junk Fees’
- FHFA Announces Updated FICO and Vantage Scores for Use by GSEs
- Trade Group Urges CFPB Not to Impose Liability on Banks for Fraudulent P2P Payments
- CFPB Issues Section 1033 SBREFA Outline
- CFPB to Reopen Comment Period on Request for Comments to Inform Inquiry Into Large Technology Companies That Offer Payment Services
- FHFA Addresses Appraisal Bias
- NCRC Files Appraisal Bias Complaints With HUD and Issues a Related Report
- Real Estate GTO Renewed and Expanded – Again
- FinCEN Reports Staggering Increase in Reported Ransomware Attacks
- State Work From Home Update
- Did You Know?
Podcast: Fifth Circuit Rules That the Consumer Financial Protection Bureau Is Unconstitutionally Funded: What Does the Decision Mean? A Deep Dive With Special Guest Isaac Boltansky, Managing Director and Director of Policy Research, BTIG
In a decision with enormous potential implications, a unanimous three-judge panel of the U.S. Court of Appeals for the Fifth Circuit has ruled that the manner in which the CFPB is funded violates the Appropriations Clause of the U.S. Constitution. After reviewing the decision, we discuss: the CFPB’s strategic options for next litigation steps; the decision’s potential impact on existing regulations and ongoing rulemakings, ongoing and future enforcement litigation and investigations, and consent orders; and possible legislative fixes and the likelihood of bipartisan support.
Alan Kaplinsky, Senior Counsel in Ballard Spahr’s Consumer Financial Service Group, leads the discussion, joined by John Culhane, Richard Andreano, and Michael Gordon, partners in the Group.
To listen to the podcast episode, click here.
CFPB Responds to Fifth Circuit Ruling That its Funding Mechanism Is Unconstitutional
The CFPB has told two courts, an Illinois federal district court and the Ninth Circuit, that the Fifth Circuit panel decision holding that the Bureau’s funding mechanism is unconstitutional is “neither controlling nor correct” and “mistaken.”
The CFPB addressed the panel’s decision in Community Financial Services Association v. CFPB in its response to the Notice of Supplemental Authority filed by TransUnion in the CFPB’s enforcement action against TransUnion in the Illinois court and in a letter to the Ninth Circuit responding to the Notice of Supplemental Authority filed by the defendants in CFPB v. Nationwide Biweekly Administration. (TransUnion and the defendants in Nationwide Biweekly are among the defendants in CFPB enforcement actions that are already attempting to use the Fifth Circuit decision as grounds for dismissal.) We expect the CFPB to seek to overturn the Fifth Circuit decision by either petitioning the Fifth Circuit for a rehearing en banc or proceeding directly to the Supreme Court with a certiorari petition. Whichever route the CFPB takes, its responses serve as a preview of the arguments it will likely make in challenging the decision.
Pursuant to the Dodd-Frank Act, the CFPB receives its funding through requests made by the CFPB Director to the Federal Reserve, subject to a cap equal to 12 percent of the Federal Reserve’s budget, rather than through the Congressional appropriations process. In its decision, the Fifth Circuit panel concluded that the CFPB’s funding mechanism did not satisfy the Appropriations Clause because the CFPB was double-insulated from annual or other time-limited appropriations. The panel rejected the CFPB’s argument that the funding mechanism satisfied the Appropriations Clause because it was created pursuant to a law enacted by Congress. According to the panel, a law alone did not satisfy the Appropriations Clause’s command that “No money shall be drawn from the Treasury, but in Consequence of Appropriations made by law.” In the panel’s view, to satisfy the Clause, “an appropriation is required.”
In its enforcement action against TransUnion, the CFPB alleges that TransUnion violated a 2017 consent order with the CFPB. In its Notice of Supplemental Authority, TransUnion argues that the CFSA decision establishes that the CFPB’s enforcement action must be dismissed because the consent order is invalid as the CFPB “used unappropriated funds to negotiate and prepare it.” TransUnion also argues that the CFPB “may not expend unappropriated funds prosecuting this suit.”
In its reply to TransUnion’s notice, the CFPB makes the following key arguments for why the panel’s decision is wrong:
- There is no case law support for the Fifth Circuit’s conclusion that a statutory authorization does not constitute an appropriation made by law or that Congress violates the Appropriations Clause or separation of powers when it authorizes spending by statute, as it did for the Bureau.
- The Bureau’s funding is not more insulated from Congressional oversight because it comes from receipts of the Federal Reserve System. The source of funds makes no difference to Congress’s ability to oversee how the Bureau spends that money to carry out its duties. And that point does not differentiate the Bureau from the Federal Reserve Board, which like the Bureau is part of the Federal Reserve System and funded from the same source. Congress is capable of overseeing the Bureau’s spending, including because of provisions in Dodd-Frank that ensure its ability to supervise, such as provisions requiring the Bureau to provide regular audits and reports to Congress.
- The Fifth Circuit’s holding finds no support in the Dodd-Frank provision that states funds transferred to the Bureau “shall not be construed to be Government funds or appropriated monies.” That provision, like similar provisions that apply to the Farm Credit Administration, Federal Reserve Board, and OCC, determines the degree to which various statutory restrictions apply to the Bureau’s use of funds. It has nothing to do with the constitutional requirement that Congress authorize the executive to spend money.
- The Bureau’s funding is not meaningfully different from numerous other agencies such as the Federal Reserve Board, OCC, and FDIC that are funded in ways other than annual spending bills. The decision leaves no way to know what statutory spending authorizations count, in the panel’s view, as an “appropriation” that complies with the Appropriations Clause.
- Even if the court were to agree with the Fifth Circuit panel, it should still reject TransUnion’s request to dismiss the complaint because any defect in the Bureau’s funding authorization would not deprive the Bureau of the power to carry out its statutory responsibility to enforce the law.
In the Ninth Circuit case, a California district court imposed a $7.9 million civil penalty against the defendants for allegedly misleading marketing practices but did not award the nearly $74 million in restitution sought by the CFPB. (The CFPB is seeking in the appeal to have the district court’s denial of restitution reversed.) In their Notice of Supplemental Authority filed with the Ninth Circuit, the defendants argue that based on the Fifth Circuit’s decision, the Ninth Circuit should reverse the district court’s civil penalty award and dismiss the CFPB’s enforcement action. In addition to making several of the same arguments it made to the Illinois court, the CFPB also told the Ninth Circuit that the Fifth Circuit decision should not result in a dismissal.
As to remedy, the panel failed to heed its own understanding of Collins [v. Yellen]. The court didn’t consider whether the Bureau would have acted differently “but for” its statutory funding mechanism. Here, applying Collins yields a straightforward answer: the case should not be dismissed because there is no evidence the Bureau “would have acted differently” with different funding.
Populus Financial Group and CFPB Agree to Stay of CFPB Lawsuit Pending Issuance of Fifth Circuit’s Mandate in Decision Holding CFPB’s Funding Mechanism Is Unconstitutional
Pursuant to the agreed motion for a stay filed by the CFPB and Populus Financial Group, Inc., which does business as ACE Cash Express, the Texas federal district court hearing the CFPB’s enforcement action against Populus has stayed the lawsuit until after the Fifth Circuit issues its mandate in Community Financial Services Association of America Ltd. v. CFPB (CFSA Decision). In its lawsuit, which was filed in July 2022, the CFPB alleges that Populus engaged in unfair, deceptive, and abusive acts or practices by concealing the option of a free repayment plan to consumers and making unauthorized debit-card withdrawals.
In September 2022, Populus filed a motion to dismiss in which it argued that the CFPB’s enforcement action is invalid because the CFPB’s funding structure violates the separation-of-powers principle embodied in the Appropriations Clause of the U.S. Constitution. It also filed a motion to stay all proceedings in the case pending the Fifth Circuit’s forthcoming CFSA Decision. On October 19, 2022, a Fifth Circuit panel issued the CFSA Decision holding that the CFPB’s funding mechanism violates the Appropriations Clause.
According to the agreed stay motion, following the Fifth Circuit’s issuance of the CFSA Decision, the CFPB and Populus conferred and agreed to jointly seek a stay until after the Fifth Circuit issues its mandate in the CFSA Decision. The parties assert in the motion that there is good cause for a stay because it “will promote efficient resolution of the case, as the final decision in CFSA will control the resolution of key issues presented in ACE’s pending motion to dismiss.” They further assert that “waiting for the mandate in CFSA will simplify the issues in the case and potentially resolve the motion to dismiss outright.”
In its order granting the stay, the court also vacated all briefing deadlines on Populus’s motion to dismiss and denied its motion to stay as moot. The order directs the parties to file a joint report within 45 days of the conclusion of the stay that contains statements of how the parties wish to proceed.
The CFPB is expected to seek to overturn the CFSA Decision by either petitioning the Fifth Circuit for a rehearing en banc or proceeding directly to the Supreme Court with a certiorari petition. If a rehearing en banc is granted, the CFSA Decision would be vacated.
The issuance of the mandate by the Fifth Circuit in the CFSA case is automatically stayed until the expiration of the 45-day period for the CFPB to file a petition for rehearing. If it files such a petition, the issuance of the mandate is further stayed until disposition of that petition. If no rehearing petition is filed or such a petition is denied, the CFPB can seek a discretionary stay of issuance of the mandate from the Fifth Circuit pending the outcome of its certiorari petition, and if the Fifth Circuit denies a stay, the CFPB can then seek a stay from the Supreme Court.
Fifth Circuit Denies Rehearing En Banc in Case With Implications for CFPB’s Use of Administrative Law Judges
The U.S. Court of Appeals for the Fifth Circuit recently denied rehearing en banc in Jarkesy v. Securities and Exchange Commission, a case with significant implications for the use of administrative law judges (ALJs) by federal agencies, including the CFPB. The SEC is expected to file a certiorari petition with the U.S. Supreme Court.
The underlying case in Jarkesy involved an SEC investigation that resulted in an administrative action against the petitioners in which the SEC alleged that the petitioners had committed securities fraud and sought both monetary and equitable relief. The petitioners then sued in the U.S. District Court for the District of Columbia to enjoin the proceedings, claiming violations of several constitutional rights. The district court, and subsequently the U.S. Court of Appeals for the D.C. Circuit, refused to issue an injunction, deciding that the district court had no jurisdiction and that the petitioners were required to continue the administrative proceeding and then appeal.
After an evidentiary hearing, an SEC ALJ found that the petitioners had committed securities fraud. The petitioners sought review by the SEC, which affirmed the fraud finding and ordered the petitioners to pay a civil penalty of $300,000, banned the individual petitioner from participating in the securities industry, and ordered the company petitioner to pay nearly $685,000 in disgorgement. Petitioners then sought review by the Fifth Circuit.
A divided three-judge Fifth Circuit panel ruled that the proceedings suffered from three constitutional defects:
- The SEC’s use of an administrative court violated the petitioners’ Seventh Amendment right to a jury trial because the SEC’s fraud claims are analogous to traditional fraud claims at common law to which a right to a jury trial applies when civil penalties are sought. In addition, such actions are commonly considered by federal courts even when the claims are brought by the government rather than private plaintiffs. The SEC’s involvement did not convert the case to one involving the vindication of public rights that could be assigned to agency adjudication.
- Congress unconstitutionally delegated legislative power to the SEC by failing to provide an intelligible principle to guide the SEC’s use of its discretion to decide whether to bring securities fraud enforcement cases either in district court or within the agency. Article I of the U.S. Constitution vests “all legislative Powers” in Congress and the decision whether to assign certain actions to agency adjudication is a power that only Congress possesses.
- The removal restrictions that apply to SEC administrative law judges are unconstitutional because they interfere with the President’s ability to “take Care that the Laws be faithfully executed” as required by Article II of the Constitution. The Administrative Procedure Act (5 U.S.C. § 7521(a)) provides that ALJs may be removed by the agency in which the ALJ is employed “only for good cause established and determined by the Merit Systems Protection Board on the record after opportunity for hearing before the Board.”
These holdings have significant implications for other federal agencies, including the CFPB. First, to the extent the CFPB’s authority to challenge deceptive practices is rooted in common law fraud claims, the CFPB’s use of an ALJ in an enforcement action involving an alleged deceptive act or practice could be found to violate the respondent’s Seventh Amendment right to a jury trial. Second, because the Dodd-Frank Act gives the CFPB unfettered discretion to choose whether to bring an action before an ALJ or in federal district court, the CFPB’s use of an ALJ for any enforcement action could be challenged as an unconstitutional delegation of authority. Third, assuming an ALJ used by the CFPB would be subject to the same APA for-cause removal restriction as an SEC ALJ, the removal restriction could be the basis for a constitutional challenge to the CFPB’s use of an ALJ in any enforcement action.
The CFPB has only used administrative proceedings infrequently to bring enforcement actions and instead has primarily brought enforcement actions in federal district court. Given the cloud that Jarkesy creates for the use of ALJs, it seems unlikely that the CFPB will use administrative proceedings while the constitutional challenges raised in Jarkesy remain a threat. However, in any enforcement action it brings in federal court, the CFPB can expect to face a constitutional challenge to its funding mechanism based on the Fifth Circuit panel decision in Community Financial Services Association v. CFPB.
VA Issues Proposed Refinance Loan Rule
The Department of Veterans Affairs (VA) recently issued a proposal to update its rules for interest rate reduction refinancing loans (often referred to as IRRRLs) to conform with VA loan refinance provisions in the Economic Growth, Regulatory Relief, and Consumer Protection Act, which was enacted in 2018, and the Protecting Affordable Mortgages for Veterans Act of 2019. Comments on the proposal are due by January 3, 2023.
As the name may suggest, one of the principal uses of an IRRRL is to reduce the interest rate on a veteran’s existing VA loan. However, successive refinancings of a veteran’s VA loan, often referred to as loan churning, may not be in the best interests of the veteran. Congress acted to add safeguards to VA loan refinance requirements to address loan churning concerns. The requirements include:
- A maximum 36-month period for the veteran to recoup the cost of the refinancing.
- The need for the veteran to have made at least six consecutive monthly payments on the existing loan, and the new loan being made at least 210 days after the first payment due date of the existing loan. These requirements are referred to as “loan seasoning.”
- A minimum reduction in the interest rate from the existing loan to the new loan.
- The need for the new loan to provide a net tangible benefit to the veteran.
The proposed rule would provide guidance regarding compliance with the existing statutory requirements.
Maximum Cost Recoupment Period
To determine if the maximum cost recoupment period of 36 months is met, the proposal provides for dividing the sum of the fees, closing costs and expenses incurred by the veteran to refinance the existing loan, whether paid in cash or financed, by the dollar reduction in the monthly principal and interest payment, with the result reflecting the number of months it will take to recoup the refinancing costs. For example, if the applicable costs are $3,600 and the monthly principal and interest payment is reduced by $100, the result would be 36, and the maximum recoupment period would be satisfied. The costs to refinance would not include (1) the VA funding fee, (2) prepaid interest and amounts held in escrow, and (3) taxes and assessments on the property, even when paid outside of their normal schedule, that are not incurred solely due to the refinance transaction, such as property taxes and special assessments. If the monthly payment of principal and interest on the new loan will be equal to or greater than the monthly principal and interest payment on the existing loan, such as when the veteran will refinance a 30-year loan into a 15-year loan, the veteran could not be charged any fees, closing costs or expenses, other than the excluded items listed in the prior sentence.
For purposes of the six consecutive monthly payment requirement, the proposal provides that a monthly payment would consist of the principal and interest, amounts for taxes and insurance and similar charges, fees and charges related to late payments, and amounts owed as part of a repayment plan. Additionally, each monthly payment would need to be made before or in the month in which the payment is due. Multiple partial payments that at least equal the required monthly payment will count toward the six consecutive monthly payment requirement, if all of the partial payments are made before or in the month in which the monthly payment is due.
For purposes of the minimum 210-day period, the proposal provides that the note date of the new loan must be at least 210 days after the first payment due date on the existing loan. The first payment due date on the existing loan is not included in the calculation of the 210-day period, and the note date of the new loan is included in such calculation. For example, if the first payment due date of the existing loan is June 1, 2022, day 1 would be June 2, 2022, and day 210 would be December 28, 2022. The IRRRL note date could be December 28, 2022, or later. The 210-day period would include any days during which the existing loan is delinquent. However, if the existing loan is modified, the note date of the new loan must be at least 210 days after the first payment due date under the modification. Additionally, if the existing loan is assumed, the note date of the new loan must be at least 210 days after the first payment due date following the assumption.
Minimum Interest Rate Reduction
The proposal provides that (1) if both the existing loan and new loan are fixed rate loans, the interest rate must be reduced by a minimum of 50 basis points, and (2) if the existing loan is a fixed rate loan and the new loan is an adjustable rate loan, the interest rate must be reduced by a minimum of 200 basis points. Additionally, when the existing loan is a fixed rate loan and the new loan is an adjustable rate loan, discount points may be included in the loan only if (1) the lower interest rate is not produced solely from discount points (and the lender will need to provide evidence of this to the VA), (2) the lower interest rate is produced solely from discount points, up to one discount point is included in the loan, and the resulting loan balance (inclusive of all fees, closing costs and expenses that are financed) does not exceed 100 percent of the property’s value, or (3) the lower interest rate is produced solely from discount points, more than one discount point is included in the loan, and the resulting loan balance (inclusive of all fees, closing costs and expenses that are financed) does not exceed 90 percent of the property’s value. Existing VA rules permit a maximum of two discount points to be financed. Existing VA rules also address when a veteran uses an IRRRL to replace an existing adjustable rate loan with a fixed rate loan, and those rules are not specifically addressed by the proposal.
Net Tangible Benefit
The refinancing must provide a net tangible benefit to the veteran, which the proposal describes as the new loan being “in the financial interest of the veteran.” The net tangible benefit requirement will be satisfied if (1) the requirements outlined above are satisfied, and (2) the lender provides the veteran with an initial loan comparison disclosure and a final loan comparison disclosure. The disclosures must include:
- The loan payoff amount of the new loan, with a comparison to the loan payoff amount of the existing loan.
- The type of the new loan, whether a fixed rate loan, traditional adjustable rate loan, or hybrid adjustable rate loan, with a comparison to the type of the existing loan.
- The interest rate of the new loan, with a comparison to the current interest rate of the existing loan.
- The term of the new loan, with a comparison to the remaining term of the existing loan.
- The dollar amount of the monthly principal and interest payment under the new loan, with a comparison to the current dollar amount of the monthly principal and interest payment under the existing loan.
The lender would need to provide the initial loan comparison disclosure on the same date that the lender provides the initial Loan Estimate under the TILA/RESPA Integrated Disclosure (TRID) rule. If the lender provides the veteran with a revised Loan Estimate, the lender would be required to provide an updated loan comparison disclosure if there are revisions to the prior loan comparison or the recoupment of the refinancing costs, or there is any other numeric, non-clerical change. Finally, the lender would need to provide the veteran with the final loan comparison disclosure on the date that the lender provides the Closing Disclosure to the veteran under the TRID rule. Following the veteran’s receipt of the final loan comparison disclosure, the veteran must certify to the lender the receipt of the initial and final loan comparison disclosures by signing the final disclosure. For purposes of the disclosure requirements, lenders would be required to use a new standardized form, Interest Rate Reduction Refinancing Loan Comparison Disclosure.
FTC Issues Advance Notice of Proposed Rulemaking on ‘Junk Fees’
On October 20, 2022, the Federal Trade Commission (FTC) announced that it is issuing an Advance Notice of Proposed Rulemaking (ANPR or Notice) to address “junk fees,” a term used in the Notice to refer to “unfair or deceptive fees that are charged for goods and services that have little or no added value to the consumer.”
In announcing the Notice, the FTC said it is seeking public comment on “the harms stemming from junk fees and associated junk fee practices and on whether a new rule would better protect consumers.” As summarized in the FTC’s press release, the types of fees the FTC is seeking comment on include:
- Unnecessary charges for worthless, free, or fake products or services: Consumers may be slammed with charges for products or services that cost companies nothing to provide, are available for free, or should be included as part of the purchase price. Companies might also upsell consumers on fake products or services that either have no value or never materialize.
- Unavoidable charges imposed on captive consumers: Consumers may be forced to pay junk fees because they have no way to avoid or opt out of them. They might be dealing with a company with a monopoly or exclusive rights that can extract fees because there is no competing option. Or consumers might get hit with fees after they have already sunk costs into a product or service, and they can’t easily walk away.
- Surprise charges that secretly push up the purchase price: Consumers can experience junk fee shock when companies unexpectedly tack on mystery charges they did not know about, consent to, or factor into the purchase. Companies might hide these fees in the fine print, cram them on at the end of a purchase process, or use digital dark patterns or other deception to collect on them. Some companies might claim that they do not charge any fees and then add on fees after the purchase or sign up.
The ANPR was announced just over a month after the comment period closed for the FTC’s proposed Motor Vehicle Dealers Trade Regulation Rule, which also seeks to address unnecessary add-on fees, among other things, in the car buying process. The ANPR seeks to address fees more broadly, and provides examples of charges it views as “junk” fees based on its substantial work in this area, including: “mobile cramming” charges (unauthorized fees on mobile phones), connection and maintenance fees on prepaid phone cards, account fees (including maintenance or inactivity fees on blocked or inaccessible accounts), fees that diminish the amount a borrower receives from a loan, miscellaneous fees levied on fuel cards, auto dealer fees, undisclosed fees for funeral services, hotel “resort” fees, hidden fees for academic publishing, poorly disclosed ancillary insurance products, membership programs, and discounts for food, travel, long-distance calls, and merchandise.
The FTC has sought consumer redress in actions and settlements involving “junk” fees under Section 5 of the FTC Act, including an action settled recently with an auto dealer (Passport Auto Group) which included allegations of “junk” fees. While conceding that certain unlawful fee practices may be covered by existing rules and statutes, the FTC explains in the Notice that its ability to seek consumer redress is limited or unavailable in many instances in light of the Supreme Court’s holding in AMG Capital Management v. FTC that equitable monetary relief is unavailable under Section 13(b) of the FTC Act and the fact that it is challenging to obtain such relief under Section 19(b) without a rule violation. (A podcast featuring an in-depth discussion of AMG Capital Management and its aftermath with Bikram Bandy, FTC Chief Litigation Counsel, Bureau of Consumer Protection, and Ballard Spahr’s Alan Kaplinsky, is available here.) Accordingly, the FTC believes a new rule specific to “junk” fees would act as a deterrent in light of the risk of civil money penalties and allow it to more readily obtain redress and damages for consumers.
Publication of the ANPR was approved by a 3-1 vote, with Commissioner Christine S. Wilson voting no. In her dissenting statement, Commissioner Wilson highlighted substantive issues she believes stakeholder input should address, including the ANPR’s breadth, the likelihood of overlap with existing regulations, and, in her view, its flawed assumptions and vague definitions–including how to define the term “junk fee.”
The CFPB is also seeking to address fees it believes are unfair and deceptive, and issued a Request for Information in January 2022, seeking comments related to “fees that are not subject to competitive processes that ensure fair pricing.” Last week, the CFPB issued guidance on two fees it believes are likely unfair, “surprise” overdraft fees (overdraft fees charged when consumers had enough money in their account to cover a debit charge at the time the bank authorizes it) and depositor fees charged to consumers who deposit a check that bounces.
The deadline to submit comments to the ANPR will be 60 days after its publication in the Federal Register.
FHFA Announces Updated FICO and Vantage Scores for Use by GSEs
Recently, the Federal Housing Finance Agency (FHFA) announced the approval of two new credit scoring models, the FICO 10T and the VantageScore 4.0, for use by Fannie Mae and Freddie Mac (the GSEs or Enterprises). Lenders will have a few years to implement use of the new models before being expected to report both scores on loans sold to the GSEs.
Currently, and for the past 20 years, the Enterprises have relied on Classic FICO credit scores. However, in 2014, FHFA, in coordination with the Enterprises and other industry stakeholders, began to develop new credit score requirements that would take into account more factors in order to more accurately reflect the creditworthiness of borrowers with thinner credit files. These efforts have resulted in improved credit scoring models that take into account borrower payment histories, such as payments for rent and utilities.
The FHFA notes, in its fact sheet, that the two new credit scoring models will be more accurate and inclusive than Classic FICO because the new payment history and other factors have gone through extensive testing to ensure accuracy while expanding the datasets relied upon for measuring creditworthiness. Further, the new models are meant to enhance safety and soundness in the housing market by improving accuracy and creating better ways to calculate risks.
In remarks made at the Mortgage Bankers Association Annual Conference, FHFA Director, Sandra Thompson, noted:
The new models bring the benefits of innovation to the table in two ways:
FICO 10T and VantageScore 4.0 both provide more accurate credit scores than Classic FICO. We believe the market, including investors, will be provided with an improved understanding of risk from not just one but two different credit score models.
FICO 10T and VantageScore 4.0 are more inclusive than Classic FICO. While the Enterprises have already taken steps to expand equitable access to credit, such as enhancements to their underwriting systems, both FICO 10T and VantageScore 4.0 factor in new payment histories for borrowers when available, such as rent, utilities and telecom payments.
Director Thompson also noted that requiring these scores “will result in more borrowers that can be evaluated by the Enterprises than a single score alone, which will improve their management of credit risk while also responsibly and sustainably expanding access to credit for borrowers with less robust credit histories.”
The FHFA also announced that the GSEs will require two, rather than three, credit reports from consumer reporting agencies. This additional change in credit report requirements is expected to reduce costs to the industry to encourage further innovation.
Director Thompson explained that a multi-year implementation plan will be put in place, and the agency will coordinate with the industry and affected parties in order to ensure a smooth and manageable transition. We will continue to monitor these developments as an implementation plan is put in place.
The American Bankers Association has sent a letter to CFPB Director Chopra in which it urges the CFPB not to shift liability to banks for peer-to-peer (P2P) payments using an online money-transfer platform in which the consumer who authorized the payment subsequently claims it was made to a scammer.
The ABA sent its letter as a follow-up to a meeting it attended with CFPB staff to discuss financial scams involving P2P payments. It references recent reports that the CFPB is considering issuing new guidance that would require banks to make refunds to victims of scammers who defraud consumers into sending money to a third party using an online money-transfer platform. Under the Electronic Fund Transfer Act (EFTA) and Regulation E, an unauthorized electronic fund transfer (EFT) is an EFT from a consumer’s account initiated by a person other than the consumer without actual authority to initiate the transfer and from which the consumer receives no benefit. The existing Official Staff Commentary specifically states that an unauthorized EFT includes a transfer initiated by a person who obtained the access device from the consumer through fraud or robbery, stopping well short of covering transactions initiated by the consumer as the result of fraud.
Under the EFTA and Regulation E, consumers who provide a bank with timely notice of an error that the bank determines to be an unauthorized EFT are entitled to EFTA/Regulation E liability protection. If the CFPB were to issue the guidance reported to be under consideration, it would conflict with the statutory text by requiring banks to treat fraudulently induced transactions as unauthorized EFTs even when they are initiated by the consumer with the result that banks would be required to repay the amount of such transactions to consumers.
In its letter, the ABA discusses the popularity of P2P services with consumers due to the speed and irreversibility of payments and the de minimis amount of fraud relative to the transaction volume. The ABA also discusses the significant investments that banks have made in fraud controls and consumer education. In addition, the ABA points out banks’ limited ability to intervene in consumers’ payment decisions when using P2P services.
With regard to shifting liability to banks for P2P payments made to scammers, the ABA explains that if an obligation is placed on banks to reimburse consumers for such payments, banks will have to adjust their business models to reflect the risks and potential losses as well as the costs of claims investigation and compliance. This may require banks to consider whether to charge for P2P transactions, which currently are usually free, to limit access to P2P services, to reduce the frequency and amounts of P2P payments, and/or to close accounts. Other steps banks may have to consider include: placing holds on money sent by P2P, thereby fundamentally altering the value and appeal of the product; making account opening eligibility more strict to better screen out scammers, thereby preventing some consumers who can manage and benefit from a bank account from having access; and reducing competition by causing some small banks to exit the P2P payment business.
Finally, the ABA points out that shifting liability to banks will also increase scams and embolden scammers. More specifically, scammers will be able to use a federal policy stating that consumers are entitled to a refund of money sent to scammers as an inducement for consumers to send money (because scammers will assure consumers they bear no risk). In addition, fraud will increase because consumers will have little incentive not to send money despite suspicious circumstances.
The CFPB has taken a significant step towards issuing regulations to implement Section 1033 of the Dodd-Frank Act by releasing an outline of the proposals it is considering in preparation for convening a small business review panel (Panel). Section 1033 authorizes the CFPB to issue rules requiring “a covered person [to] make available to a consumer, upon request, information in the control or possession of such person concerning the consumer financial product or service that the consumer obtained from such covered person, including information related to any transaction, or series of transactions, to the account including costs, charges, and usage data.”
The Small Business Regulatory Enforcement Fairness Act (SBREFA) and the Dodd-Frank Act require the CFPB to convene a Small Business Review Panel (Panel) when developing rules that may have a significant economic impact on a substantial number of small businesses. The Panel, which includes representatives from the CFPB, the Small Business Administration’s Chief Counsel for Advocacy, and the Office of Information and Regulatory Affairs in the Office of Management and Budget, is required to consult with representatives of small business entities that will likely be subject to the rules under consideration. The Panel must complete a report on the input received from the small business representatives within 60 days of convening. In its Spring 2022 rulemaking agenda, the CFPB gave an estimated November 2022 date for convening the Panel. This estimate is consistent with remarks given by Director Chopra preceding the release of the SBREFA outline in which he stated that the CFPB will publish its SBREFA report in the first quarter of 2023 and plans to issue a proposed rule later in 2023 to be finalized in 2024.
The Bureau is considering a proposed rule that would include the following provisions:
Coverage. A “covered data provider” is (1) a “financial institution” as defined in Regulation E with respect to an “account” as defined in Regulation E, or (2) a Regulation Z “card issuer” with respect to “a credit card account under open-end (not home-secured) consumer credit plan” as that term is defined in Regulation Z. Consistent with these definitions, a financial institution that does not hold consumer accounts, but that issues access devices (such as digital credential storage wallets) and provides EFT services (such as providing payment services through the wallets), would be a covered data provider with respect to the EFTs it processes notwithstanding that the EFTs rely on funds in an account held by another financial institution. Similarly, a card issuer that does not hold consumer credit card accounts but that issues credit cards, such as by issuing digital credential storage wallets, would be a covered data provider with respect to the consumer credit card transactions it processes notwithstanding that the transactions rely on card accounts held at another financial institution. The CFPB is considering possible exemption criteria such as a threshold based on asset size or activity level, such as number of accounts. The CFPB also notes that it is proceeding to regulate Regulation E accounts and Regulation Z credit card accounts first because they implicate payments and transaction data but intends to evaluate how to proceed with regard to other data providers in the future.
Recipients of information. Section 1033 generally requires data providers to make information available to a “consumer,” which includes making information available directly to the consumer and to an agent, trustee, or representative acting on behalf of a consumer (which the outline refers to as “third-party access”). The proposal includes an authorization procedure under which a third party seeking to access consumer information would be required to (1) provide an “authorization disclosure” to inform the consumer of the key scope and use terms of access, (2) obtain the consumer’s express consent to the key terms of access contained in the disclosure, and (3) certify to the consumer that it will adhere to certain obligations regarding collection, use, and retention of the consumer’s information. Key scope terms to be included in the authorization disclosure might include the general categories of information to be accessed, the identity of the covered data provider and accounts to be accessed, terms related to the duration and frequency of access, and how to revoke access. Key use terms might include the identity of intended data recipients (including any downstream parties) and data aggregators to whom the information may be disclosed, and the purpose for accessing the information.
Types and scope of information a covered data provider must make available. The categories of information that the CFPB is considering requiring covered data providers to make available with respect to covered accounts are:
- Periodic statement information for settled transactions and deposits
- Information regarding prior transactions and deposits that have not yet settled
- Other information about prior statements not shown on periodic statements or portals, such as data elements received from a payment network regarding the interbank routing of a transaction.
- Online banking transactions that the consumer has set up but that have not yet occurred, such as information about companies for which the consumer has provided information to allow the covered data provider to make payments to the companies on the consumer’s behalf.
- Account identity information, such as the consumer’s age, gender, marital status, race, ethnicity, residential and email addresses, and phone, social security and driver’s license numbers.
- Other information, such as consumer reports used by the covered data provider in making decisions about the consumer and fees charged by the covered data provider in connection with its covered accounts.
With regard to the scope of current and historical information that a covered data provider would have to make available, the CFPB is considering proposing that a provider would only be required to make available information going as far back in time as the provider makes transaction history available directly to consumers. The CFPB indicates that this approach reflects Dodd-Frank Section 1033(c) which states that Section 1033 shall not be construed to impose a duty on a data provider to maintain or keep any information about a consumer.
Availability of information. For consumer requests for direct access to information, the CFPB is considering proposing that a covered data provider would be required to make information available through online account management portals if it has enough information to reasonably authenticate the consumer’s identity and reasonably identify the information requested. Providers would be required to allow consumers to export the information in both human-readable and machine-readable forms.
For third-party requests for information, the CFPB is considering proposing that covered data providers would be required to establish and maintain a third-party portal that does not require the authorized third party to possess or retain consumer credentials. The third-party portal would have to meet certain availability requirements dealing with (1) the portal’s general reliability in responding to electronic requests for information by an authorized third party, (2) the length of time between the submission of a request to a portal and a response, (3) system maintenance and development that involve planned interruptions of data availability and responses to unplanned interruptions, (4) responses to notices of errors from authorized third parties, and (5) limits on fulfilling a request for information even when data are otherwise available.
The CFPB is also considering what role screen scraping should play in the context of a covered data provider’s compliance with the rule. However, the CFPB is concerned that screen scraping has significant limitations and risks for consumers, data providers, and third parties, including risks related to possession of a consumer’s credentials. In the outline, the CFPB asks the Panel for input on a variety of issues relating to screen scraping. For example, the CFPB suggests the possibility of staggered implementation periods and asks for input on how the appropriate time for required compliance might be impacted if covered data providers were permitted to rely on screen scraping to comply with an obligation to make information available to authorized third parties before they establish a third-party access portal. It also seeks input on how the CFPB could mitigate the consumer risks associated with screen scraping to the extent screen scraping is a method by which covered data providers are permitted to satisfy their obligations to make information available, such as by requiring covered data providers to provide access tokens to authorized third parties to use to screen scrape so that third parties would not need a consumer’s credentials to access the online financial account management portal.
With respect to availability and accuracy of information, the CFPB is considering (1) requiring covered data providers to establish and maintain reasonable policies and procedures to ensure availability and that the transmission of information through the portal does not introduce inaccuracies, (2) establishing performance standards related to third party portal availability and accurate transmission of information through portals, (3) prohibiting covered data provider conduct that adversely affects the third-party portal availability factors or the accurate transmission of information, and (4) requiring a combination of (1) through (3).
With respect to security of third-party access portals, the CFPB states that because all, or nearly all, covered data providers must comply with the Safeguards Rule or Guidelines issued under the Gramm-Leach-Bliley Act (GLBA), it is not considering proposing new or additional data security standards other than with respect to the method for authenticating the authorized third party. The CFPB is considering proposing that a covered data provider would be required to make information available to a third party, upon request, when the provider has received evidence of the third party’s authority to access information on behalf of a consumer, information sufficient to identify the scope of the information requested, and information sufficient to authenticate the third party’s identity. To implement this requirement, the CFPB is considering proposing that:
- To be an authorized third party, a third party would generally have to provide the consumer an “authorization disclosure” as discussed above. For data recipients that partner with data aggregators to facilitate linking consumers’ financial accounts to the data recipients’ systems, the CFPB expects that in many cases, data aggregators would likely provide the required authorization disclosure and certification statement on behalf of the third parties involved.
- A covered data provider would be required to make information available on the durational terms and frequency requested by the third party unless the authorization has been revoked or has lapsed.
- In addition to determining that a third party is authorized to act on a consumer’s behalf before making information available, a covered data provider would need to have received information sufficient to authenticate the third party’s identity.
Third party obligations. The CFPB is considering proposals to limit authorized third parties’ collection of information to what is reasonably necessary to provide the product or service the consumer has requested. As used in the outline, a third party is generally a “data recipient” or a “data aggregator.” A “data recipient” is a third party that uses consumer-authorized information access to provide (1) products or services to the authorizing consumer or (2) services used by entities that provide products or services to the authorizing consumer. A “data aggregator” is an entity that supports data recipients and data providers in enabling consumer-authorized information access. Third parties would be:
- Permitted to access consumer-authorized information for only as long and as often as would be reasonably necessary to provide the product or service the consumer has requested. The CFPB is considering proposing a maximum authorized duration after which third parties would need to seek reauthorization for continued access.
- Required to provide consumers with a simple way to revoke authorization at any point consistent with the method used by the consumer to provide authorization.
- Limited in their use of consumer-authorized information to what is reasonably necessary to provide the product or service that the consumer has requested, including the third party’s own use and the sharing of data with downstream entities. The approaches under consideration by the CFPB include prohibiting: all secondary uses; certain high risk secondary uses; any secondary use unless the consumer opts into such uses; or any secondary uses that the consumer has opted out of.
- Obligated to delete consumer information that is no longer reasonably necessary to provide the product or service that the consumer has requested or upon revocation of the consumer’s authorization, subject to an exception for compliance with other laws.
While the CFPB believes that authorized third parties are also likely subject to the GLBA data security safeguards framework, it is nevertheless considering whether it should impose specific data security standards on authorized third parties. General approaches under consideration include requiring authorized third parties to develop, implement, and maintain a comprehensive data security program appropriate to the third party’s size and complexity and the volume and sensitivity of the consumer information involved. This approach could be combined with a provision incorporating the GLBA framework as a specific option for complying with any CFPB data security requirements. Alternatively, the CFPB could require compliance with the GLBA framework.
Other proposals for authorized third party users that the CFPB is considering include:
- A requirement for third parties to maintain reasonable policies and procedures to ensure the accuracy of the information they collect and use to provide the product or service the consumer has requested, including procedures related to addressing disputes submitted by consumers. (The CFPB notes that while the FCRA, EFTA, and TILA impose accuracy requirements relating to, respectively, information furnished to consumer reporting agencies, errors in connection with EFTs, and billing and servicing errors, there is no law that creates general accuracy requirements regarding the collection of data by authorized users.)
- A requirement for third parties to periodically remind consumers how to revoke authorization and to provide consumers with a mechanism to request information about the extent and purposes of the third party’s access.
- A record retention requirement to demonstrate compliance with certain requirements of the rule. (The CFPB is also considering a record retention requirement for covered data providers.)
At a high level, the regulatory regime that the CFPB is considering imposing on data providers and data users is very similar to what all of the new U.S. state privacy laws require: data access rights, data minimization, and limitations on third party sharing and usage of covered data. The U.S. state privacy laws largely exempt financial institutions and GLBA-covered data from their scope. If the CFPB were to adopt the requirements it is considering in something approaching their current form, it likely will disrupt compliance programs and policies of financial institutions who created such programs and policies based on their understanding that they could use GLBA-covered data without concern about the types of requirements found in state privacy laws. For example, financial institutions have already begun taking steps to comply with the California Privacy Rights Act’s contracting requirements for service providers, which go into effect in January 2023. The California law imposes obligations on financial institutions only for data they collect that is not subject to GLBA. The new obligations that the CFPB is considering imposing on the use of both GLBA-covered data and data that is not covered by GLBA could require amendments to service provider and third-party contracts.
The CFPB has announced that it will be reopening the comment period on its November 2021 request for public comments to inform its inquiry into large technology companies that offer payment services. In October 2021, the CFPB sent orders to six large technology platforms offering payment services that directed them to provide information to the Bureau about their payments products and services and their collection and use of personal payments data.
The original comment period closed on December 6, 2021. The CFPB stated that it will reopen the comment period for 30 days and add additional questions. It also stated that the additional comments are intended to “broaden our understanding of the risks consumers face and potential policy solutions” and that “[i]n particular, we are seeking additional public input on companies’ acceptable use policies and their use of fines, liquidated damages provisions, and other penalties.”
The CFPB will provide additional details in a notice to be published in the Federal Register.
The Federal Housing Finance Agency (FHFA) addresses appraisal bias reflected in the recently released Uniform Appraisal Dataset (UAD) Aggregate Statistics Data File and Dashboard. The UAD information is derived from more than 47 million appraisals conducted between 2013 and June 30, 2022. As the name suggests, the UAD standardizes various data elements regarding an appraisal. Lenders selling loans to Fannie Mae and Freddie Mac must submit appraisal information in the UAD format.
FHFA focuses on appraisals that report a valuation lower than the contract sales price of the home, which the FHFA refers to as an “undervaluation.” The FHFA assesses the relative rates of undervaluation in census tracts in which Whites comprise up to 50 percent of the residents (White tracts), minorities comprise between 50.1 percent and 80 percent of the residents (minority tracts), and minorities comprise over 80 percent of the residents (high minority tracts). The FHFA notes that while “controlling for observable characteristics may explain some of the gap in undervaluation between White and . . . minority areas, it is not likely to explain all of the difference.”
The FHFA cites 2021 appraisal statistics that reflect a rate of undervaluation of 13.4 percent in White tracts, 19.2 percent in minority tracts and 23.3 percent in high minority tracts. The FHFA notes that, based on these numbers, the proportion of properties that are undervalued in high minority tracts is 74 percent higher than in White tracts, and the proportion of properties that are undervalued in minority tracts is 43 percent higher than in White tracts. The FHFA also notes that in 2021 on a national basis, 15.2 percent of appraisals were below the contract sales price, 26.7 percent of appraisals were equal to the contract sales price, and 58.1 percent of appraisals were above the contract sales price.
The FHFA advises that:
From a practical perspective, compliance departments of lenders and appraisal management companies could use the UAD Aggregate Statistics Dashboards to narrow the scope of an exam or compliance review related to appraisal bias. For example, in 2021 in the Charlotte, North Carolina Metropolitan Statistical Area, reviewers may want to focus on minority tracts … which have a higher proportion of undervaluation than high minority and White tracts.
The FHFA concludes by stating:
This research note highlights a few ways that the UAD Aggregate Statistics Dashboards can be used to explore potential appraisal bias—using the ‘tract percent minority population’ property characteristic and the ‘percent of appraisals below contract price’ property statistic. The gap in undervaluation is notable, and the new datasets may be helpful in better understanding the disparities.
The National Community Reinvestment Coalition (NCRC) recently filed two complaints against appraisers with the Department of Housing and Urban Development asserting different treatment based on race in violation of the Fair Housing Act. One complaint asserts different service levels based on race, and the other asserts different home valuations based on race, with White individuals receiving better service or home valuations than Black individuals.
The related report is entitled Faulty Foundations: Mystery-Shopper Testing in Home Appraisals Exposed Racial Bias Undermining Black Wealth. As the title would suggest, the report addresses tests involving mystery-shopping regarding appraisals conducted by the NCRC. The tests were conducted in the Baltimore, MD, metropolitan area in 2021 and 2022 and included four interracial couples—one spouse was Black, and one spouse was White. Two or more appraisals were conducted of each of their homes, and in some cases only the Black spouse was present for the appraisal and all indications that a White individual lived in the home were removed, and in other cases only the White spouse was present for the appraisal and all indications that a Black individual lived in the home were removed. The report addresses the results of the testing that formed the bases of the two complaints that the NCRC filed with HUD, and the results of other testing.
In the complaint regarding different service, the NCRC asserts that an appraisal of a home presented as being owned by a Black individual was performed on April 14, 2022. The NCRC also asserts that (1) on April 26, 2022, the NCRC employee who ordered the appraisal called the appraiser and left a message inquiring when the appraisal report would be received and the call was not returned, (2) the appraiser never contacted the homeowner regarding the status of the appraisal report, and (3) the appraisal report was provided on June 28, 2022. The NCRC also asserts that (1) the same appraiser was engaged to perform an appraisal of a home presented as being owned by a White individual on June 14, 2022, (2) the appraiser emailed the homeowner on June 23, 2022, to advise that the appraisal report should be ready by the beginning of the next week, and (3) the appraisal report was provided on July 1, 2022. (With the home presented as being owned by a Black individual, the appraiser actually provided a valuation that was $5,000 higher than the valuation provided by another appraiser with the home being presented as being owned by a White individual.)
In the complaint regarding different valuations, the NCRC asserts that in November 2021 it ordered two appraisals of the same home from different appraisers. The NCRC also asserts that (1) with one appraisal, conducted by the appraiser that is the subject of the complaint, the home was presented as being owned by a Black individual and the appraised value was $310,000, and (2) with the other appraisal the home was presented as being owned by a White individual and the appraised value was $350,000. The NCRC adds that in June 2022 it had two additional appraisals of the home performed, with appraised values of $370,000 and $380,000. In August 2022, the NCRC engaged the appraiser that is the subject of the complaint and another appraiser to perform appraisals on another home. The NCRC asserts that (1) with the appraisal performed by the appraiser that is the subject of the complaint, the home was presented as being owned by a White individual and the appraised value was $553,000, and (2) for the other appraisal the home was presented as being owned by a Black individual and the appraised value was $507,000. The NCRC adds that four additional appraisals of the same home were performed, and that the range in the five valuations performed by other appraisers was $460,000 to $510,000, with the $553,000 valuation by the appraiser that is the subject of the complaint being the last and highest of the appraisals. The NCRC asserts that the appraiser that is the subject of the complaint rendered higher valuations if a home was presented as being owned by a White individual. (The NCRC does not indicate with the other four appraisals if the home was presented as owned by a Black or White individual.)
In the report, the NCRC advises that seven tests were conducted in which full appraisals of the same home were performed with the home being presented as owned by a Black individual and being presented as owned by a White individual. The total valuation of the homes when presented as being owned by a Black individual was $2,377,000, and the total valuation of the homes when presented as being owned by a White individual was $2,418,000. The total valuation difference of $41,000 reflects an average difference of about $6,833. However, the report reflects that with three of the tests, the valuation was higher when the home was presented as being owned by a Black individual, and with another test the valuation was $500,000 when the home was presented as being owned by a Black individual and $510,000 when the home was presented as being owned by a White individual.
In the report, the NCRC addresses the service provided by another appraiser (not the appraiser who is the subject of a complaint) who was engaged to appraise two homes, one presented as being owned by a Black individual and one presented as being owned by a White individual. With regard to the home presented as being owned by a Black individual, the NCRC advises that when contacted after visiting the home, the appraiser said that an appraisal report had been sent by email, although no report was received at the time, and in the end the appraiser would not respond to contact attempts and never provided an appraisal report. With regard to the home presented as being owned by a White individual, the NCRC advises that the appraiser provided an appraisal report and did not engage in unprofessional conduct.
The NCRC makes the following recommendations in the report to address appraisal bias, several of which are similar to recommendations made by federal government agencies in the Property Appraisal and Valuation Equity action plan issued earlier this year:
- Conduct more testing of appraisers. In particular, the NCRC notes that the tests it conducted were limited to comparing appraisals with Black and White homeowners, and that tests can be expanded to include Latino and Asian homeowners.
- Create incentives for the appraisal industry to recruit a more diverse appraisal pool. The NCRC cites the Bureau of Labor Statistics in noting that 97.7 percent of real estate appraisers are White, and that 69.6 percent are men.
- Require appraisers to report on the demographics of their clients and the values they assign to their clients’ homes.
- Create a more meaningful process for the reconsideration of appraisals.
- Require fair lending training in the licensing process for appraisers.
- Increase funding for enforcement resources.
- Issue industry standards for fair appraisals.
We recently reported on the Federal Housing Finance Agency addressing appraisal bias as reflected in the Uniform Appraisal Dataset (UAD) Aggregate Statistics Data File and Dashboard.
FinCEN has announced that, once again, it is extending the Geographic Targeting Order, or GTO, which requires U.S. title insurance companies to identify the natural persons behind so-called “shell companies” used in purchases of residential real estate not involving a mortgage. FinCEN also has expanded slightly the reach of the GTOs.
The terms of the new GTO are effective beginning October 27, 2022, and ending on April 24, 2023. The only change is that FinCEN has expanded the coverage of the GTO to counties encompassing the Texas cities of Houston and Laredo. The effective period of the GTOs for purchases in these newly added areas begins on November 25, 2022. The GTO will continue to cover certain counties within the following major U.S. metropolitan areas: Boston; Chicago; Dallas-Fort Worth; Honolulu; Las Vegas; Los Angeles; Miami; New York City; San Antonio; San Diego; San Francisco; Seattle; parts of the District of Columbia, Northern Virginia, and Maryland (DMV) metropolitan area; the Hawaiian islands of Maui, Hawaii, and Kauai; and Fairfield County, Connecticut. The purchase amount threshold remains $300,000 for each covered metropolitan area, with the exception of the City and County of Baltimore, where the purchase threshold is $50,000.
The GTO continuation and expansion is not occurring in a regulatory vacuum. FinCEN issued on December 6, 2021, an Advanced Notice of Proposed Rulemaking (AMPRM) to solicit public comment on potential requirements under the Bank Secrecy Act for certain persons involved in real estate transactions to collect, report, and retain information. As we have blogged, the ANPRM envisions imposing nationwide recordkeeping and reporting requirements on specified participants in transactions involving non-financed real estate purchases, with no minimum dollar threshold.
FinCEN Reports Staggering Increase in Reported Ransomware Attacks
The Financial Crimes Enforcement Network (FinCEN) on November 1 issued a Financial Trend Analysis regarding ransomware-related Bank Secrecy Act (BSA) filings during the second half of 2021 (the Report). This publication follows up on a similar ransomware trend analysis issued by FinCEN regarding the first half of 2021, on which we blogged here.
In the most recent analysis, FinCEN found that both the number of ransomware-related Suspicious Activity Reports (SAR) filed, and the dollar amounts at issue, nearly tripled from 2020 to 2021. The notable takeaways from the Report include:
- Ransomware-related SARs were the highest ever in 2021 (both in number of SARs and in dollar amounts of activity reported).
- Ransomware-related SARs reported amounts totaling almost $1.2 billion in 2021.
- Approximately 75 percent of ransomware-related incidents between June 2021 and December 2021 were connected to Russia-related ransomware variants.
The Report, which stated that the majority of these ransomware payments were made in Bitcoin, serves as a particular reminder to cryptocurrency exchanges of their role in both identifying and reporting ransomware-related transactions facilitated through their platforms. The Report stresses that SAR filings play an essential role in helping FinCEN identify ransomware trends.
Ransomware Trends and SAR Data
Ransomware is malicious software that encrypts a victim’s files and holds the data hostage until a ransom is paid, generally in cryptocurrency like Bitcoin. Over the past two years, FinCEN has noted a shift in ransomware strategy from high-volume, opportunistic attacks to more selective ransomware attacks, targeting larger enterprises and bigger payouts. This included an increase in “double extortion” tactics, in which ransomware operators not only hold the victim’s data hostage, but also threaten to publish the stolen data if ransom demands are not met. FinCEN also noted that the ransomware “business model” has expanded to include Ransomware-as-a-Service (RaaS), in which ransomware creators sell user-friendly ransomware kits on the dark web in exchange for a percentage of the ransom.
FinCEN observed a staggering increase in the number and monetary amount of ransomware-related SAR filings in 2021. In 2020, 487 ransomware-related SARs were filed, totaling nearly $416 million. In 2021, 1,489 ransomware-related SARs were filed, totaling nearly $1.2 billion. On average, there were 132 ransomware-related incidents per month in the second half of 2021. This increase in filings may have resulted from FinCEN’s and Treasury’s Office of Foreign Assets Control’s (OFAC) Fall 2021 advisories promoting reporting of ransomware-related incidents. As we have blogged, OFAC has indicated that it may impose civil penalties for sanctions violations resulting from ransomware payments based on strict liability–i.e., a company can be held liable even if it did not know or have reason to know that it was engaging in a transaction that was prohibited by OFAC–even if OFAC states that it applies a self-imposed presumption of non-enforcement that it still may disregard in any particular case.
Uptick in Russia-Related Ransomware Variants
FinCEN reported that in the second half of 2021 alone, roughly 75 percent of ransomware-related SARs, and 69 percent of ransomware incident value, were connected to Russia-related ransomware variants. Although it is difficult to attribute malware, these variants were identified as using Russian-language code, being specifically coded not to attack Russia or post-Soviet states, or as advertising primarily on Russian-language sites. Combined, the top five Russia-related ransomware variants were connected to 376 ransomware incidents, totaling $219.5 million.
Role of Cryptocurrency Exchanges Facilitating Ransomware Payments
In its November 8, 2021, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransomware Payments, FinCEN outlined the typical flow of funds in a ransomware attack, highlighting the role that financial institutions, including money services businesses (MSB), play in facilitating these ransom payments. Most ransomware payments involve a victim transmitting funds via wire transfer, ACH transfer, or credit card payment to a convertible virtual currency (CVC) exchange, in order to purchase the type and amount of CVC specified by the perpetrator. The victim then sends the CVC, often from a virtual wallet hosted by the cryptocurrency exchange, directly to the perpetrator’s designated account or CVC address. The perpetrator then launders the funds to convert them into other CVCs. Cyber insurance companies (CIC) and digital forensic incident response companies (DFIR) may also play a role in ransomware transactions. CICs may reimburse victim policyholders for remediation services, including hiring DFIRs to negotiate with cybercriminals and facilitate payments.
While ransom payments are most commonly requested in Bitcoin, cybercriminals are increasingly incentivizing victims to pay in Anonymity-Enhanced Cryptocurrencies (AEC), such as Monero, in order to reduce transparency of financial flows through anonymizing features. Monero recently received a specific “shout out” in the FinCEN enforcement action against Bittrex, which described Monero as including “features that prevent tracking by using advanced programming to purposefully insert false information into every transaction on its private blockchain.”
Ransomware incidents also may trigger OFAC-related restrictions, if payments involve sanctioned persons or jurisdictions. In October 2021, OFAC issued a 28-page sanctions compliance guide for the virtual currency industry, explaining reporting instructions, consequences for non-compliance, and best practices.
Detection, Mitigation, and Reporting
Ransomware continues to pose a significant threat to the U.S. critical infrastructure sectors, businesses, and the public. Financial institutions and MSBs dealing in CVCs play an important role in protecting the U.S. financial system from these types of attacks, through compliance with BSA and OFAC obligations. To detect and mitigate ransomware attacks, FinCEN recommends:
- Incorporating indicators of compromise (IOC) from threat data sources into intrusion detection and security alert systems to enable blocking and reporting.
- Contacting law enforcement immediately upon identifying ransomware-related activity, and contacting OFAC where the ransom involves sanctioned payments.
- Reporting suspicious activity to FinCEN by highlighting the presence of “Cyber Event Indicators,” and including IOCs like suspicious email addresses, file names, hashes, domains, and IP addresses on the SAR form.
FinCEN also reminds financial institutions to review the potential “red flag” financial indicators of ransomware in FinCEN’s November 8, 2021, Advisory, which are:
- A financial institution or its customer detects IT enterprise activity that is connected to ransomware cyber indicators or known cyber threat actors. Malicious cyber activity may be evident in system log files, network traffic, or file information.
- When opening a new account or during other interactions with the financial institution, a customer provides information that a payment is in response to a ransomware incident.
- A customer’s CVC address, or an address with which a customer conducts transactions, is connected to ransomware variants, payments, or related activity. These connections may appear in open sources or commercial or government analyses.
- An irregular transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, health care) and a DFIR or CIC, especially one known to facilitate ransomware payments.
- A DFIR or CIC customer receives funds from a counterparty and shortly after receipt of funds sends equivalent amounts to a CVC exchange.
- A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution, yet inquires about or purchases CVC (particularly if in a large amount or rush requests), which may indicate the customer is a victim of ransomware.
- A customer that has no or limited history of CVC transactions sends a large CVC transaction, particularly when outside a company’s normal business practices.
- A customer that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB.
- A customer uses a foreign-located CVC exchanger in a high-risk jurisdiction lacking, or known to have inadequate, AML/CFT regulations for CVC entities.
- A customer receives CVC from an external wallet, and immediately initiates multiple, rapid trades among multiple CVCs, especially AECs, with no apparent related purpose, followed by a transaction off the platform. This may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.
- A customer initiates a transfer of funds involving a mixing service.
- A customer uses an encrypted network (e.g., the Onion router) or an unidentified web portal to communicate with the recipient of the CVC transaction.
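Two of the red flags above (a DFIR or CIC customer forwarding an equivalent amount to a CVC exchange shortly after receiving funds, and an external CVC deposit followed by rapid trades among multiple CVCs and a transaction off the platform) can be written as transaction-monitoring rules. The Python below is an added example, not taken from the FinCEN Advisory or from this alert; the event fields, customer ids, time windows and thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names, customer ids and thresholds are assumptions.
T0 = datetime(2021, 11, 8, 9, 0)
H = lambda h: T0 + timedelta(hours=h)
CUSTOMER_TYPE = {"dfir-1": "DFIR", "cic-2": "CIC", "retail-7": "retail"}
EVENTS = [
    # dfir-1: wire in, near-equal amount sent to a CVC exchange three hours later
    {"cust": "dfir-1", "ts": H(0), "kind": "fiat_in", "usd": 250_000},
    {"cust": "dfir-1", "ts": H(3), "kind": "to_exchange", "usd": 248_500},
    # cic-2: outflow is a week later and a different size, so it should not match
    {"cust": "cic-2", "ts": H(0), "kind": "fiat_in", "usd": 90_000},
    {"cust": "cic-2", "ts": H(168), "kind": "to_exchange", "usd": 20_000},
    # retail-7: external deposit, three quick trades across CVCs, then withdrawal
    {"cust": "retail-7", "ts": H(0), "kind": "cvc_deposit", "asset": "BTC"},
    {"cust": "retail-7", "ts": H(0.2), "kind": "trade", "asset": "ETH"},
    {"cust": "retail-7", "ts": H(0.4), "kind": "trade", "asset": "XMR"},
    {"cust": "retail-7", "ts": H(0.6), "kind": "trade", "asset": "LTC"},
    {"cust": "retail-7", "ts": H(0.8), "kind": "cvc_withdrawal", "asset": "LTC"},
]

def pass_through(events, types, window=timedelta(hours=24), tolerance=0.05):
    """DFIR/CIC customer receives funds, then soon sends an equivalent amount to a CVC exchange."""
    hits = set()
    for inflow in events:
        if inflow["kind"] != "fiat_in" or types.get(inflow["cust"]) not in ("DFIR", "CIC"):
            continue
        for out in events:
            if (out["cust"] == inflow["cust"] and out["kind"] == "to_exchange"
                    and timedelta(0) <= out["ts"] - inflow["ts"] <= window
                    and abs(out["usd"] - inflow["usd"]) <= tolerance * inflow["usd"]):
                hits.add(inflow["cust"])
    return sorted(hits)

def rapid_conversion(events, window=timedelta(hours=2), min_trades=3, min_assets=2):
    """External CVC deposit, then quick trades across several CVCs, then a move off-platform."""
    hits = set()
    for dep in events:
        if dep["kind"] != "cvc_deposit":
            continue
        later = [e for e in events if e["cust"] == dep["cust"]
                 and timedelta(0) < e["ts"] - dep["ts"] <= window]
        trades = [e for e in later if e["kind"] == "trade"]
        last_trade = max((t["ts"] for t in trades), default=None)
        withdrew = any(e["kind"] == "cvc_withdrawal" and last_trade and e["ts"] > last_trade
                       for e in later)
        if len(trades) >= min_trades and len({t["asset"] for t in trades}) >= min_assets and withdrew:
            hits.add(dep["cust"])
    return sorted(hits)
```

Both functions return the sorted customer ids that match; a hit is a prompt for analyst review against the other red flags, since legitimate DFIR and trading activity can produce the same pattern.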
State Work From Home Update
On November 3, 2022, Pennsylvania enacted Act No. 142, effective immediately. The Act modifies the existing statutory provisions permitting remote work by revising the definition of “remote location” set forth in section 6102 of Title 7 of the Pennsylvania Consolidated Statutes. Specifically, the Act revises the required conditions under which “a mortgage originator sponsored by the licensee, a person excepted from this chapter or excepted from licensure under section 6112 or any other employee of the licensee, may engage [at a remote location] in licensed activities on behalf of the licensee.” The Act: (1) prohibits in-person consumer interaction at the remote location “if it is his or her personal residence”; and (2) removes the requirement that physical records regarding the licensee’s mortgage loan business be maintained at the location.
Did You Know?
The CFPB has issued a request for information regarding mortgage refinances and forbearances. The CFPB is seeking public comment about (1) ways to facilitate mortgage refinances for consumers who would benefit from refinancing, especially consumers with smaller loan balances; and (2) ways to reduce risks for consumers who experience disruptions in their financial situation that could interfere with their ability to remain current on their mortgage payments. The public comment period closes November 28, 2022.
Copyright © 2023 by Ballard Spahr LLP.
(No claim to original U.S. government material.)
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.