
2023 Regulatory Enforcement Actions

Nov 2, 2023

As we move into Q4 2023, it’s a good time to take stock of this year’s enforcement actions.

2023 has been a blockbuster year for regulatory enforcement: we’ve seen large and small financial institutions run into issues of deceptive practices (TILA and other violations), trouble with third-party partnerships (particularly in the space of Banking-as-a-Service (BaaS) platform service providers), fair lending compliance, Bank Secrecy Act/Anti-Money Laundering (BSA/AML) noncompliance, and employees making fake accounts – no, not Wells Fargo again.

Without further ado, let’s recap 2023’s most significant enforcement actions and other regulatory wrist slaps.


Deceptive banking practices

In March 2023, the Consumer Financial Protection Bureau (CFPB) settled for $9 million with $222 billion-asset Citizens Bank for TILA/Reg Z violations. The CFPB first accused Citizens of failing to notify consumers of billing errors and not refunding improperly assessed finance charges back in 2020.

The CFPB also claimed that the bank violated the Credit Card Accountability, Responsibility, and Disclosure Act (CARD) by neglecting to offer counseling referrals to consumers who called their toll-free hotline.

Another bank in California was hit with a $15 million fine from the Office of the Comptroller of the Currency (OCC) for failing to deliver on promised fee waivers and discounts for safety deposit boxes and account fees.

The OCC blamed the lack of adequate “internal controls” resulting in “deceptive practices” that were “part of a pattern of misconduct and resulted in a pecuniary gain to the bank.”

In January, the OCC lowered USAA Bank’s Community Reinvestment Act (CRA) rating from “satisfactory” to “needs improvement” for promising loan applicants discounted rates on auto loans that never materialized.

It couldn’t have helped that USAA (USAA Bank’s parent institution) had previous problems with CRA compliance in 2020.

Lessons Learned: These enforcement actions serve as a reminder that financial institutions need to have systems in place to follow up on advertised offers and promotions. As community banks and credit unions implement new programs to attract deposits in a competitive rate environment, it’s essential to pay attention to follow-through.

Regulators must see that your institution delivers on its pledges to consumers.

Regulators also need to see that financial institutions have addressed past enforcement actions, making good on their pledges to consumers. The action against USAA Bank’s sister institution is even more striking because it didn’t take the appropriate corrective actions after earlier CRA missteps.

Third-party partnerships continue to pose regulatory challenges

Guidance from the OCC, FDIC, Federal Reserve, and NCUA clarifies that regulators expect financial institutions to conduct comprehensive risk management assessments for all third-party relationships.

Risk management for an FI’s third parties extends beyond collecting documents during onboarding and yearly reviews. Examiners want FIs to have a vendor management program that reviews and assesses risk throughout the lifecycle of their third-party relationships.

Regulators stress many aspects of third-party risk management, including BSA/AML compliance.

Just consider another $15 million civil penalty, this one from the OCC to American Express National Bank in July. The OCC says the bank failed to produce and maintain records in compliance with Customer Identification Program (CIP) regulations – a part of BSA/AML.

Amex also neglected to ensure that the third party it contracted to market and sell credit card accounts to small businesses “had appropriate call monitoring controls and appropriate mechanisms in place to document and track customer complaints."

Lessons Learned: Don’t slack on vendor management. The regulators are watching, and they will hold institutions accountable for poor vendor oversight and other third-party provider mistakes.

Increased regulatory oversight of BaaS and fintech partnerships

An emerging area of regulatory scrutiny for financial institutions’ third-party relationships involves fintech partnerships. Many community banks and credit unions have recently embraced banking-as-a-service (BaaS) to remain relevant and grow their business.

Smaller institutions compete to “win” lucrative deals with fintech companies offering steady revenue streams. Fintechs require institutions with a bank charter to sell products and services to consumers, and financial institutions view fintech partnerships as an easy way to access profitable new markets.


However, regulators have begun to look more closely at institutions’ fintech partnerships. This year's major news event in the fintech regulatory space involved a prominent BaaS bank in New Jersey.

The FDIC issued a consent order against the bank for its failure to “establish and maintain internal controls, information systems, and prudent underwriting practices.”

The key provisions of the consent order require the bank to:

  • Provide the FDIC with a list of each credit product it offers
  • Obtain prior consent from the Agency before entering any new third-party agreement
  • Engage an independent third party (acceptable to the FDIC) to determine whether its credit products, credit models, and third parties comply with applicable fair lending laws and regulations
  • Conduct a risk assessment for all credit products and third parties
  • Develop internal fair lending controls for periodic review
  • Enlist an independent third party (acceptable to the FDIC) to assess every credit product offered by a vendor for six months or more

The most burdensome provision of the consent order will be obtaining preapproval from the FDIC before entering new relationships with fintech vendors.

Similarly, a Virginia bank entered a consent order with the OCC that also requires it to seek prior approval from the Agency before securing new fintech partnerships.

Like the New Jersey bank, in addition to the preapproval of fintech partners, the Virginia bank must enlist an independent auditor to assess its third-party risk from fintech partnerships and create robust internal vendor risk controls.

Lesson Learned: If your financial institution currently partners with fintechs or middleware BaaS companies (or plans to), you need a vendor management system with robust compliance oversight.

The DOJ continues its mandate to stamp out redlining

Every time financial institutions turn around, yet another redlining settlement makes headlines. The DOJ remains aggressive in its pursuit of upholding fair lending laws nationwide.

In August, we posted an article about redlining settlements for mid-sized banks in New Jersey, Los Angeles, and Ohio.

Now, an Oklahoma bank with $384 million in assets recently settled with the DOJ to the tune of $1.15 million. Under the consent order, the bank will invest $950,000 in loan subsidies in majority-Black and Hispanic neighborhoods, $100,000 in marketing, community outreach, and education, and an additional $100,000 in community partnerships.

It will also need to open a loan office in a majority-Black area in Tulsa, designate at least two loan officers to serve these neighborhoods, host six consumer financial education seminars yearly, and hire a full-time community loan officer.

The same goes for a Pennsylvania bank that forked over $3 million in a redlining settlement brought by the DOJ. With $1.8 billion in assets, the institution agreed to pay $2.92 million in loan subsidies, $250,000 in outreach and marketing in majority-Black and Hispanic neighborhoods, and $125,000 in building community partnerships.

The consent order also requires the bank to hire two new loan officers to serve its branches in West Philadelphia.

Lessons Learned: Regulators are taking a long look at financial institutions' historical record – in the case of the Pennsylvania bank, they looked back six years – of HMDA and CRA-reportable loans in majority-minority neighborhoods within their assessment area. If you’re behind your peer institutions in servicing loans in these communities, examiners will not hesitate to refer cases to the Justice Department. In fact, the DOJ recently announced it has two dozen redlining investigations open.

Analyzing your previous efforts to service loans in majority-minority neighborhoods is critically important. Examiners strongly prefer financial institutions to self-identify fair lending issues and show the steps they’re taking to improve – even when these issues are years (or decades) old.

The high costs of noncompliance

How much is an effective compliance program worth?

For TD Bank, the answer is $225 million. That’s the amount TD Bank will pay First Horizon Bank after backing out of a planned $13.4 billion merger.

It’s been 20 years since regulators blocked a bank merger, but in May 2023, the OCC and Federal Reserve halted the consolidation of TD Bank and First Horizon. Did the Agencies decide to evaluate mergers with greater scrutiny?

Not quite. The OCC and Federal Reserve blocked TD Bank’s merger – a move that would have made it the sixth-largest bank in the United States – because of concerns over its BSA/AML compliance controls.

As it turns out, TD Bank had a history of compliance failures. In 2020, a report emerged that the institution had engaged in a Wells Fargo-esque scandal of employees opening fake accounts. Prior to this, the CFPB dinged the bank for $122 million for misleading customers regarding overdraft fees.

But the straw that broke the camel’s bank arrived in 2021 when the Office of Foreign Assets Control (OFAC) discovered that TD Bank processed more than 1,500 transactions violating sanctions against North Korea.

The bank continuously played fast and loose with BSA/AML compliance, regulators say. In 2017, TD Bank paid a $500,000 civil penalty to OFAC after offering banking services to Iranian and Cuban customers.

Lawmakers quickly pounced on the bank’s history of noncompliance in encouraging regulators to deny the merger.

Community banks and credit unions might wonder why TD Bank’s history of noncompliance matters to them. After all, it’s unlikely that financial institutions with under $20 billion in assets are processing transactions for high-ranking North Korean military personnel.

However, in an era of increased M&A for financial institutions of all sizes, both acquiring FIs and those being acquired must have their compliance house in order.

Lessons Learned: If you’re planning on acquiring a financial institution, you need a firm grasp of the compliance risks they pose. On the flip side, if you’re being acquired, you can expect that the institution acquiring you will want insight into your compliance program.

Credit and liquidity risk is top of mind for regulators

Regulators must take steps after Silicon Valley Bank (SVB) and Signature Bank to address supervisory weaknesses. In his March 2023 testimony before Congress, Federal Reserve Vice Chairman Michael Barr admitted that SVB was subjected to “less rigorous capital planning and liquidity risk management standards” than similar-sized entities.

While larger financial institutions bear the brunt of stress testing and reserve requirements, smaller and medium-sized FIs need to know that excessive interest rate and liquidity risk – especially in this environment – will draw the attention of examiners.

In April 2023, an Illinois-based savings bank with $27 billion in assets received a cease-and-desist order from the FDIC to raise its leverage ratio above 10%, reduce its interest rate exposure, and refrain from offering new products.

The FDIC’s enforcement action against the Illinois-based FI was similar to its earlier consent order in January against an Iowa-based bank with just $29 million in assets. The Iowa bank agreed to maintain a 10% or greater leverage ratio, among other provisions. 

Yet another Illinois bank with $150 million in assets entered an agreement with the Federal Reserve to better monitor and control its interest rate and liquidity risk.

Lessons Learned: The range of asset sizes among the financial institutions told by agencies to address liquidity and credit risk delivers a warning. After SVB and Signature, examiners will tailor their approach to evaluating an FI’s interest rate risk and whether it has enough liquid capital on hand.

Preparing your financial institution for new regulations and greater regulatory scrutiny to come

Financial institutions should prepare for increased regulatory scrutiny in late 2023 and 2024. Some key points to consider:

  1. The DOJ will continue its aggressive pace of lawsuits against institutions violating fair lending regulations and laws. 
  2. Agencies have vowed to examine BSA/AML violations with renewed rigor. 
  3. Examiners are paying much closer attention to the compliance risk of third-party relationships and have begun to evaluate institutions’ fintech partnerships. 
  4. 1071 is on the horizon, and despite recent injunctions against the CFPB, court watchers don’t expect that the Agency will be deemed unconstitutional. 
  5. With escalated market risk, it would be wise for FIs to automate their compliance and risk processes now so they can focus on what matters most in 2024.

Community banks and credit unions that get out in front of compliance risk will be better poised to take advantage of market opportunities in comparison with their peers.

