Written by: Lindsay Harden
The FDIC’s independent Office of Inspector General (OIG) issued a report late last week detailing a study it conducted of contracts between financial institutions and technology service providers (TSPs). The report concluded that such contracts are commonly not sufficient to address certain risks that are inherent in these relationships. Specifically, contracts with TSPs frequently lack specificity and completeness with respect to business continuity and incident response procedures and obligations.
For several years the financial regulatory agencies have shown an interest in third-party risk management, including ensuring adequate protection of private customer information. Recently, the FDIC and FFIEC have engaged in further initiatives related to cybersecurity and outsourcing of technology services. However, according to the FDIC’s Division of Risk Management Supervision, contracts with TSPs are generally out of date and do not reflect recent efforts to strengthen cybersecurity.
Based on a review of 48 contracts between financial institutions and TSPs, the OIG report made the following findings:
- Financial institution analyses do not fully consider business continuity and incident response risks presented by TSPs
- Key contract provisions provide limited coverage of the TSP’s business continuity planning and incident response and reporting responsibilities
- Key contract terms lack clear and specific definition
- The FDIC has implemented numerous initiatives to address cybersecurity risks
- Financial institution third-party relationship risks remain and will require continued supervisory attention
In addition, the report provided some examples of necessary types of provisions that are frequently missing from contracts. For instance, only half of the contracts reviewed explicitly included business continuity provisions, and only a handful established clear performance standards and remedies for failure to meet those standards. Furthermore, many key terms used in regulatory and supervisory guidance—including “misuse of information,” “unauthorized access,” “significant disruption,” and “cyber event”—were often unused, undefined, or inadequately defined in TSP contracts.
The FDIC has plans to take certain actions by October of 2018 to follow up on the OIG’s recommendations in the report. One such action is continuing to communicate to financial institutions the importance of effective contracts with TSPs through the FDIC’s risk management supervision program, which includes guidance, examination procedures, examinations, and off-site monitoring.
The OIG report and potential FDIC action provide banks with additional leverage in negotiating TSP contracts. Affected banks should closely review existing contracts, and if your contracts are close to renewal, or if you are considering adding services under those contracts, you have an opportunity to address deficiencies. You should review the terms of the agreement and work with counsel to identify gaps in existing or proposed agreements. Please contact us if you need assistance, as we have significant experience negotiating and drafting contracts with TSPs and assisting banks with TSP vendor diligence.
Written by: Robert Harry
On January 31, 2017, the Consumer Financial Protection Bureau (“CFPB”) published a Consent Order with Prospect Mortgage, LLC (“Prospect”) for alleged violations of the Real Estate Settlement Procedures Act (“RESPA”) prohibitions against kickbacks and unearned fees, commonly referred to as “RESPA Section 8”. RESPA Section 8 states that “no person shall give and no person shall accept any fee, kickback or thing of value pursuant to any agreement or understanding, oral or otherwise, that business incident to or a part of a real estate settlement service involving a federally related mortgage loan shall be referred to any person”. RESPA Section 8 applies to, among others, mortgage lenders, title companies, lawyers, servicers, and real estate agents.
The CFPB alleges that Prospect entered into a series of agreements with two real estate brokerage agencies and a loan servicer for mortgage origination referrals. The CFPB noted that Prospect violated RESPA Section 8 by:
1. Using lead agreements to pay brokers for referrals;
2. Using Marketing Services Agreements, commonly referred to as “MSAs,” to pay brokers for referrals;
3. Using desk licensing agreements to pay brokers for referrals;
4. Encouraging brokers and agents to require consumers to obtain loan pre-approvals with Prospect’s loan officers;
5. Paying the servicer for referrals;
6. Using a third-party’s website advertising to pay real estate brokers for referrals; and
7. Encouraging brokers to use fees and credits to pressure consumers into using Prospect.
The CFPB ordered Prospect to pay a $3.5 million civil money penalty to the bureau. Further, Prospect may still have liability for any private civil action available under RESPA Section 8 to any consumer harmed by these actions, is prohibited from engaging in the activities described in the Consent Order, and must undergo compliance training and conduct extensive reporting and recordkeeping.
Additionally, and in a departure from the CFPB’s prior RESPA Section 8 enforcement actions, the CFPB also entered into Consent Orders with the two real estate brokerages for accepting the payments in violation of the law. This is the first time the CFPB has enforced RESPA Section 8’s prohibition against kickbacks against real estate brokers under the common use of MSAs, desk licensing, and co-marketing agreements. The two brokerages agreed to pay a combined $230,000.00 in fines and disgorgement due to the alleged violations and may still be held liable under related consumer private causes of action.
The actions by the CFPB reinforce Richard Cordray’s position that the bureau will analyze marketing arrangements between settlement service providers with great scrutiny. The orders rely on internal communications and statements to demonstrate that the facially lawful arrangements under RESPA Section 8 were likely only a means of circumventing the anti-kickback provisions while still paying for referrals. It’s imperative that all settlement service providers carefully evaluate any marketing or business activities with other settlement service providers to ensure compliance with RESPA.
The attorneys at Stinson Leonard Street are uniquely able to counsel and assist clients in the residential real estate finance and sales industry to navigate the complex regulation that is RESPA Section 8.
With the beginning of a new year comes new opportunities in the banking and financial fields. These opportunities, however, are not without potential challenges, obstacles and pitfalls. Focused attention on strategy and problem avoidance is more critical than ever.
Join us Tuesday, January 24 for a panel discussion on some of the hot topics in the banking industry. Learn how new regulations will pose significant compliance and operational challenges for your organization and how you can prepare to implement the right steps to avoid complications and scrutiny.
Our presenters will cover critical changes in the market including:
- Strategy and Competition
- Financial Technology
- Regulatory Landscape
- Talent Acquisition and Retention
- Customer Demands
- The Impact of Global Decisions
This program will be presented from various Stinson Leonard Street locations.
Join us in person in the Denver, Kansas City, Minneapolis, St. Louis and Washington, DC offices for this informative event.
Tuesday, January 24
Registration: 8:30 – 9 a.m. (MT), 9:30 – 10 a.m. (CT), 10:30 – 11 a.m. (ET)
Program: 9 – 11 a.m. (MT), 10 a.m. – 12 p.m. (CT), 11 a.m. – 1 p.m. (ET)
Lunch reception immediately following in Denver, Kansas City, Minneapolis, St. Louis and Washington, DC.
Written by: P. Michael Campbell
On Friday, December 2nd, the Office of the Comptroller of the Currency (“OCC”) announced that it would start considering applications for special purpose national bank charters from fintech (financial technology) companies. The OCC believes that providing fintech companies charters will establish a regulatory framework for the fintech industry. As noted by the OCC, a company receiving the special purpose national bank charter will be “held to the same rigorous standards of safety and soundness, fair access, and fair treatment of customers that apply to national banks and federal savings associations.”
In addition to regulation by the OCC, a fintech company receiving a charter could be subject to regulation from other governmental bodies, including the Federal Reserve, Federal Deposit Insurance Corporation and the Consumer Financial Protection Bureau.
Any company seeking a special purpose national bank charter is expected to have a well-developed business plan setting forth in “significant detail” the bank’s activities. The plan must also cover the governance structure, capital, liquidity, compliance risk management, financial inclusion and recovery and exit strategies.
SLS is well positioned to advise any company seeking a special purpose national bank charter. SLS has experts in every aspect of the application process and years of experience working with regulatory agencies.
The OCC’s proposal is open for comment until January 15th and is expected to receive many comments as the move has been both applauded and criticized in the financial and banking industry. SLS will continue to monitor any developments with the OCC’s announcement.
Written by: Maria Macoubrie
On November 15, 2016, the Federal Deposit Insurance Corporation (FDIC) released its final rule regarding deposit account recordkeeping (https://www.fdic.gov/news/news/press/2016/pr16101a.pdf) (Final Rule) to help ensure prompt access to funds in the event of a bank failure, particularly in large banks with a high number of accounts that use multiple deposit systems, where data aggregation and account identification are otherwise difficult. The Final Rule is effective April 1, 2017. While the Final Rule is designed to apply to institutions with large numbers of deposit accounts, there is some ambiguity with respect to how those accounts should be counted.
The Final Rule applies only to “covered institutions.” A “covered institution” is an insured depository institution that has 2 million or more deposit accounts in two consecutive quarters. There is some uncertainty within the industry whether deposit accounts for prepaid and similar omnibus relationships that (based on previous guidance regarding brokered deposits) have been treated as a single deposit account, should be counted as a single deposit account for purposes of the Final Rule. The FDIC failed to respond to several comments requesting clarification of this particular issue. This issue will continue to be a top question raised by several industry groups to the FDIC as the effective date looms closer.
The Final Rule requires a covered institution to configure its information technology system to be capable of performing the following tasks within 24 hours of the FDIC being appointed as a receiver: (a) accurately calculating deposit insurance coverage for each deposit account; (b) generating output records in the specified format and layout; (c) restricting access to some or all of the deposits in a deposit account until the FDIC has made a deposit insurance determination using the covered institution’s technology system; and (d) debiting from the deposit account the uninsured amount.
The Final Rule includes both general and alternative recordkeeping requirements. The general recordkeeping requirements are robust and include unique identifying information to determine ownership rights. The alternative recordkeeping requirements apply where the covered institution does not maintain the account holder data itself. Under the alternative recordkeeping requirements, the covered institution need only maintain the unique identifier of the account holder and a file code designating the account type as set forth in the Final Rule. In cases where the covered institution is able to use the alternative recordkeeping requirements, the covered institution must certify to the FDIC that the account holder for the omnibus account will provide to the FDIC the information needed for the covered institution’s information technology system to calculate deposit insurance coverage as required within 24 hours after the appointment of the FDIC as receiver.
To the extent the “account holder” is a program manager or other party that maintains records on large numbers of persons that have pass-through FDIC deposit insurance, the Final Rule could present a regulatory risk to covered institutions if those account holders are not prepared to comply with the very specific and detailed recordkeeping requirements imposed by the Final Rule.
Not less than 10 business days after a covered institution becomes subject to the Final Rule, it must notify the FDIC of the person(s) responsible for implementing the recordkeeping and information technology system capabilities required by the Final Rule.
Covered institutions must certify compliance (meeting specific certification requirements) before the effective date and then annually thereafter.
In addition, the FDIC has the right to audit compliance beginning the first calendar quarter following the effective date and every three years thereafter (more frequently if there is a particular risk).
The Final Rule also contains several provisions to request temporary relief from the Final Rule. It also grants the FDIC the right to expedite the effectiveness of the Final Rule for certain covered institutions.