
Compliance Solutions quarterly newsletter — December 2024

Important information about compliance updates, regulatory changes, document enhancements, and more.

General

A holiday message to you

With gratitude for our partnership, all of us at TruStage™ Compliance Solutions wish you a safe and happy holiday season, and we look forward to continuing to partner with you in 2025.

 

Our classic document solution (formerly known as LOANLINER) is here to stay

We’ve recently heard from customers that there’s a misunderstanding about our document solution formerly known as LOANLINER — rest assured, we are NOT sunsetting LOANLINER. LOANLINER is now known as TruStage Compliance Solutions — Classic and our commitment to supporting this side of our document business remains as strong as ever. We value your trust and will continue to serve your needs now and in the future.

 

CFPB’s final Section 1033 open banking rule

The Consumer Financial Protection Bureau (CFPB) finalized its long-awaited open banking rule, the Personal Financial Data Rights Rule. This rule implements Section 1033 of the Dodd-Frank Act. The rule provides consumers a right of access to their financial data and allows them to authorize access to third parties or transfer their data to another provider at no charge.

The rule applies to “data providers,” which include depository institutions such as banks and credit unions, as well as credit card issuers and other financial providers. Depository institutions with less than $850 million in total assets are exempt from this rule; however, although unlikely, this threshold may change based on reevaluation of SBA size standards. Under the rule, covered data would involve information about transactions, charges, and costs, including account balances, historical transactions, upcoming bills, and terms and conditions. The consumer’s data must be available upon request in a standardized, machine-readable format, with the providers meeting a minimum response rate.

A third party seeking access to covered data on behalf of the consumer must provide the consumer with an authorization disclosure that contains key terms of access and a certification that the third party will comply with certain obligations set forth in the rule, and must obtain the consumer’s express consent. The collection, use, and retention of data is limited to what is necessary for the requested services of the consumer. The rule clearly states that “targeted advertising, cross-selling, and the sale of covered data are not part of, or reasonably necessary to provide, any other product or service.”

The CFPB summarizes two main consumer data protections strengthened by the rule: banning bait-and-switch data harvesting and creating revocation and deletion rights. Third parties cannot secretly collect, store, or use consumer data for their own unrelated reasons. When a consumer revokes access to the data, the access ends immediately and deletion is the cited default practice after revocation.

Additionally, the CFPB claims that with an open ability to access and share data, consumers will be able to easily select and switch providers that better fit their needs. Director Rohit Chopra stated in the summary of the rule that the “… action will give people more power to get better rates and service on bank accounts, credit cards, and more.” The CFPB further insists that the rule moves the United States closer to a competitive, safe, and secure “open banking” system.

The financial industry’s reaction has been mixed. On the same day as the rule’s publication, a lawsuit was filed in federal court by Forcht Bank, N.A., Kentucky Bankers Association, and Bank Policy Institute. The complaint asserts that the CFPB overstepped its statutory authority and that the rule violates the Administrative Procedure Act. More specifically, the complaint states the rule increases the likelihood of fraud, does not hold third parties accountable for data security, and does not effectively eliminate “unsafe” practices, among other things. The press release also mentions the CFPB will develop additional rules to address more products, services, and use cases.

Compliance with the rule will be implemented in phases. The largest covered institutions have a compliance date of April 1, 2026, while the smallest institutions have until April 1, 2030.

 

Credit union trade name versus legal charter name

TruStage Compliance Solutions has noticed an increasing number of credit unions utilizing a trade name within their documents. This practice may result from a merger with another credit union, or it may be centered around a credit union’s marketing strategy.

If the credit union complies with the provisions of Part 740 of the NCUA (National Credit Union Administration) regulations, it may be sufficient to list a trade name within advertising material. However, a credit union must use its legal name for legal documents, certificates of deposit, signature cards, loan agreements, account statements, checks, drafts, and other similar documents.

For credit unions that use a logo with their trade name versus their legal name, the legal name must appear within the document on which the logo is placed.

Example: ABC Federal Credit Union wants to utilize a logo with the name ABC Credit Union.

Action Taken by TruStage Compliance Solutions: ABC Credit Union logo can be inserted onto the documents; however, all documents will need to be reviewed/revised to ensure that the legal name of ABC Federal Credit Union is incorporated within the credit union’s documents where necessary.

Note: NCUA requires the last three words in every Federal Credit Union's name to be “Federal Credit Union” per Interpretive Ruling and Policy Statement 99-1, Chartering and Field of Membership Manual (IRPS 99-1), ch. 1, §VI, as amended by IRPS 00-1 and IRPS 01-1.

NCUA resources pertaining to use of legal name vs trade name:

Deposit

Regulation CC amendments require disclosure, notice and system updates

As we shared in our June 2024 quarterly newsletter, the Federal Reserve Board (FRB) and Consumer Financial Protection Bureau (CFPB) jointly issued a final rule amending Regulation CC. The amendments implement a statutory requirement of the Expedited Funds Availability Act (Act), which requires that the dollar thresholds set out in the Act be adjusted for inflation every five years. The dollar thresholds include amounts of funds from deposits that must be made available for withdrawal by accountholders within prescribed time frames. The amendments will be effective July 1, 2025.

Financial institutions will be required to modify initial funds availability disclosures and deposit hold notices to reflect the adjusted dollar thresholds. Additionally, they will need to ensure that corresponding system updates are made to align with the changes.

Change in terms notices

As a reminder, financial institutions will also need to notify existing accountholders of changes in their funds availability disclosures. Regulation CC generally requires that written notice be sent at least 30 days before implementing a change; however, any change which expedites the availability of funds must be disclosed no later than 30 days after implementation.

Document updates

TruStage Compliance Solutions is updating disclosures and hold notices to comply with the new dollar threshold requirements in advance of the July 2025 compliance date. We will provide more information on specific delivery and availability timelines in the first quarter of 2025.

Questions

Please contact us with any questions you have by completing this information request form.

 

Simplification of share insurance rules

In September 2024, the NCUA issued a final rule amending Part 745 to simplify its regulations governing share insurance coverage. The final rule aligns with deposit insurance changes adopted by the FDIC in 2022. The amendments to Part 745 accomplish the following:

  • (1) Establish a single “trust accounts” category that provides for share insurance coverage of funds in both revocable and irrevocable trusts using a simpler, common calculation method. This new “trust accounts” category includes:
    • (a) informal revocable trust accounts (i.e., payable-on-death, in-trust-for and Totten trust accounts),
    • (b) funds held pursuant to a formal revocable trust agreement under which funds pass to one or more beneficiaries upon the grantor’s death, and
    • (c) funds held pursuant to an irrevocable trust established by written agreement or statute.
  • (2) Provide more consistent treatment of mortgage servicing account balances that are held to satisfy principal and interest obligations to a lender, whether they are paid into the account by the borrower or by another party (such as the servicer).
  • (3) Increase flexibility for the NCUA to consider various records, including the member’s own records when determining share insurance coverage in the event of an insured credit union’s liquidation.

The effective date of the trust account changes is delayed to December 1, 2026. This delay will allow credit unions, accountholders and the NCUA to prepare for the changes. The remaining changes took effect October 30, 2024.

For more information regarding this final rule, see Federal Register: Simplification of Share Insurance Rules.

 

Question of the quarter

Question: Our financial institution is working with an outside text messaging service provider. The provider has advised that we must include a statement in our Privacy Disclosure’s “Other important information box” stating that mobile information will not be shared with any third parties for promotional or marketing purposes. Can this statement be included?

Answer: The CFPB’s Regulation P sets out a model privacy form, and financial institutions “seeking to obtain the safe harbor through use of the model form may modify it only as described in [the] Instructions.” The Appendix to Regulation P includes formatting instructions and prescribes the specific type of information that may appear in each section of the model form. The following excerpt from the Appendix clarifies the type of information that is allowed to be presented in the “Other important information” box:

  • (c) General instructions for the “Other important information box.” This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
    • (1) State and/or international privacy law information; and/or
    • (2) Acknowledgment of receipt form.

Including statements in the Privacy Disclosure other than those that relate to state or international privacy law would not comply with Regulation P’s model form requirements for obtaining safe harbor protection.

Financial institutions will generally have multiple “privacy disclosures,” and the disclosure required by Regulation P is just one of them. They may find that another of their “privacy disclosures” is best suited to accommodate the additional content that is not otherwise contemplated by Regulation P for purposes of the model form.

Lending

Artificial Intelligence and the CFPB’s take on adverse action

At this point, most people have heard the term AI or Artificial Intelligence. Financial institutions are no different. How does AI fit into consummating or denying a consumer or commercial loan? The Consumer Financial Protection Bureau has focused on ensuring that financial institutions are complying with regulations, and there are a few items it is focused on, set out in the CFPB Comment on Request for Information on Uses, Opportunities, and Risks of Artificial Intelligence in the Financial Services Sector (August 12, 2024):

  1. “Although institutions sometimes behave as if there are exceptions to the federal consumer financial protection laws for new technologies, that is not the case. Regulators have a legal mandate to ensure that existing rules are enforced with respect to all technologies, including those marketed as new or novel. This is what Congress has instructed regulators to do, and what is required to prevent consumer harm.
  2. Ensuring that all market participants comply with the rules fosters innovation. When regulators uniformly enforce rules, firms are discouraged from investing in legal evasion to make law-breaking their competitive advantage and instead are incentivized to invest in developing innovative products and services that benefit consumers.
  3. Innovation is also fostered by clear regulatory requirements that do not unfairly advantage incumbent businesses or afford special treatment to individual firms. Establishing clear, straightforward rules encourages firms to invest in better products and services, rather than in finding legal gray areas, taking advantage of incumbent-favoring loopholes or seeking out special treatment.”

As CFPB Director Rohit Chopra has said, “there is no ‘fancy new technology’ carveout to existing laws.”

Therefore, the CFPB has made it clear that financial institutions are required to continue to comply with all federal regulations including, but not limited to, the Equal Credit Opportunity Act (12 CFR Part 1002), Truth in Lending Act (12 CFR Part 2026), and Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) which is part of the Consumer Financial Protection Act (Dodd-Frank Act).

In the Comment on Request for Information, the CFPB states, “The CFPB believes that innovation need not be at odds with compliance with federal consumer protection laws. Specifically, the CFPB is:

  • Making clear that there is no exception to the federal consumer financial protection laws for new technology;
  • Ensuring regulations don’t stifle competition in pricing or favor incumbents;
  • Ensuring consistent treatment under the law for similar products and services;
  • Combatting anticompetitive practices; and
  • Monitoring the market and ensuring accountability”

Following its Comment, the CFPB issued guidance on ‘Credit Denials by Lenders Using Artificial Intelligence’ on September 19, 2024.

The guidance is clear that financial institutions need to be specific and accurate when issuing reasons for adverse action notices. Financial institutions have the option of utilizing a list of adverse action reasons from the model form issued by the CFPB (Appendix C to 12 CFR Part 1002, Sample Notification Forms), but the CFPB has said that this list is not all-inclusive. If a financial institution is using ‘purchasing history’ as a reason, but the true reason is based on behavioral spending data, more details are expected than just ‘purchasing history’.

The current year, 2024, is not the only time that the CFPB has commented on Artificial Intelligence and Compliance with adverse action notices.

The CFPB shares examples of the specificity of reasons in Consumer Financial Protection Circular 2023-03, Adverse action notification requirements and the proper use of the CFPB’s sample forms provided in Regulation B.

As financial institutions continue to delve into the world of artificial intelligence, it is imperative that they be cognizant of the risks and compliance challenges that accompany the use of AI.

In the CFPB’s Guidance on Credit Denials by Lenders, CFPB Director Rohit Chopra said, “Technology marketed as artificial intelligence is expanding the data used for lending decisions, and also growing the list of potential reasons for why credit is denied. Creditors must be able to specifically explain their reasons for denial. There is no special exemption for artificial intelligence.”

 

Reconsideration of Value

Most consumer real estate secured loan transactions require an appraisal for a valuation of the property’s fair market value to determine if the value of the property is sufficient to support the requested loan amount. In some circumstances, the applicant may believe the value is unsupported, deficient due to unacceptable appraisal practices, or reflects prohibited discriminatory practices.

Earlier this year, Fannie Mae, Freddie Mac, FHA, and other government-sponsored entities released new requirements related to reconsideration of value requests for appraisals. Under the new requirements, the financial institution must have a Reconsideration of Value (ROV) process within its policies and procedures. The steps for the applicant to appeal an appraisal through the ROV process must be disclosed at application and again when the appraisal report is provided to them.

TruStage Compliance Solutions has developed a Reconsideration of Value Disclosure. This new disclosure gives financial institutions an opportunity to disclose their ROV policies and procedures to their applicants and to be more transparent about what steps the applicant may take to request a reconsideration of value.

The new disclosure is primarily intended to be used with conforming transactions; however, it is optionally available for all consumer real estate transactions. Please note that for conforming transactions, the borrower-initiated ROV request must be submitted BEFORE the closing of the loan and that only one borrower-initiated ROV is permitted per appraisal.

Making this disclosure available for non-conforming transactions is in line with interagency guidance on reconsiderations of value from the Department of Treasury, Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, and the Consumer Financial Protection Bureau. The interagency guidance provides that financial institutions may consider developing risk-based ROV-related policies, procedures, control systems, and complaint resolution processes that, among other things, “establish a process to inform consumers how to raise concerns about the valuation early enough in the underwriting process for any errors or issues to be resolved before a final credit decision is made. This may include educating consumers on the type of information that may be provided when communicating with the financial institution about potential valuation deficiencies.” The guidance further provides that the processes and procedures should establish standardized processes to increase the consistency of consideration of requests for ROVs, including using “clear, plain language in notices to consumers of how they may request the ROV” and “establish guidelines for the information the financial institution may need to initiate the ROV process.”

Please note that the agencies are not publishing a model form or standardized language. Fannie Mae released a set of frequently asked questions on September 26, 2024, and they stated, “lenders are responsible for creating and providing the forms that include the information required by the Fannie Mae Selling Guide.” Additionally, TruStage Compliance Solutions has made the business decision to develop only the disclosure at this time. With variations in financial institutions’ policies and procedures and the lack of guidance from the agencies, TruStage Compliance Solutions has not developed a borrower-initiated ROV request form but will continue to monitor these new requirements.