<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">

Regulatory Brief for May 2023

4 min read
Jun 12, 2023

It’s going to be a long, hot summer – but will financial institutions be feeling the heat when it comes to regulatory compliance?

For a deeper dive into 1071, enforcement actions, and the consequences of “persistent weaknesses”, plus new state laws in Georgia and Maryland, state-level legislation addressing firearms and financial privacy, be sure to watch the video here.


Here’s a rundown of the topics covered: 

1071 Update

CFPB 1071 action

The Consumer Financial Protection Bureau (CFPB) published the final rule implementing Section 1071 of the Dodd-Frank Act in the Federal Register May 31. While there’s a different page count, our analysis reveals that the only difference in the pre-published final rule and the published final rule is the spacing.

The CFPB also issued the Small Business Lending Rule: Small Entity Compliance Guide. It provides a breakdown of the final rule implementing 1071, with illustrative examples and other resources.

One final issuance: the CFPB’s Statement on Enforcement and Supervisory Practices stating that the bureau plans to focus its supervisory and enforcement activities on ensuring covered lenders don’t discourage small business loan applicants from providing 1071-related data. What does that look like? 

Read our blog on reasonably designed procedures for 1071 data collection to find out.

1071 lawsuit

The American Bankers Association (ABA) announced that it joined the lawsuit filed by the Texas Bankers Association (TBA) challenging the CFPB’s 1071 final rule. The lawsuit relies heavily on the opinion of the Fifth Circuit Court that the CFPB’s funding mechanism is unconstitutional. By extension, the suit argues, the use of these funds to issue this final rule is unconstitutional as well. It also argues large number of data points required by the final rule goes beyond the scope of the Dodd-Frank mandate and that the CFPB did not consider industry feedback or conduct a proper cost-benefit analysis.

The ABA and TBA are hoping the court will stay the rule so FIs can hold off on implementing it until the court makes a final decision. (They are also lobbying Congress to rescind Section 1071.)

Pro tip: While it’s tempting to ignore 1071 until the courts suit it out, that’s not a good idea. These lawsuits are rarely successful. Make sure you at least continue to analyze the number of covered originations at your institution and focus on identifying gaps in your processes and systems.

Recent enforcement actions

Violations of credit card servicing rules costs Citizens Bank $9 million

The CFPB reached a $9 million settlement with Citizens Bank over allegations it violated the Truth in Lending Act (Reg Z) by failing to properly manage and respond to customer credit card disputes and fraud claims. The CFPB says the bank did not put in reasonable efforts to investigate and resolve reports of billing errors and unauthorized card use and did not supply the required notifications and disclosures.

FDIC signals increased scrutiny of fintech relationships with banks

A N.J.-based bank is prohibited from entering into any new fintech relationships without prior approval from the FDIC after entering into a consent order with the agency. The consent order alleged unsafe or unsound practices related to fair lending compliance caused by failing to maintain proper internal controls, information systems, and prudent credit underwriting when dealing with fintech partnerships. The bank needs to conduct a fair lending risk assessment, increase board oversight of the bank’s compliance management system (CMS), and ensure there are strong third-party vendor management controls in place to oversee fintech relationships.

This is not the first time a regulator has gone after fintech relationships. The OCC required a V.A.-based bank to improve its oversight of third-party fintech partnerships. The order also raised safety and soundness concerns while focusing mostly on BSA/AML risk management and suspicious activity reporting.

It’s a reminder that while fintechs are not subject to safety and soundness examinations, banks are and need to put in the appropriate third-party vendors controls if they are going to engage in complex, sophisticated, or higher-risk relationships.

Consent order takeaways for bank-fintech relationships

The order highlights the minimum requirements banks must engage in before entering bank-fintech relationships. They include:

  • Conduct a risk assessment to help your institution truly understand the goal of the relationship 
  • Identify and implement controls necessary to mitigate risk 
  • Plan for ongoing third-party monitoring (including independently assessing models used by third parties to determine adherence to fair lending requirements) 
  • Document written agreements with the FinTech 
  • Document board review and approval

Free Download: The Ultimate Guide to Fintech and Third-Party Vendor Onboarding

OCC updates manual to address banks with “persistent weaknesses”

The Office of the Comptroller of the Currency (OCC) updated its policy and procedures manual to address banks with "persistent weaknesses." Although the focus is on larger and high-risk institutions, it's clear any bank can be subject to this framework. Identified weaknesses include poor management ratings, delay in corrective actions, and recurring enforcement actions within a three-year period. The enforcement could range from board-supervised action plans to growth restrictions or compulsory investments. Continuing or prolonged deficiencies will result in more severe actions.

Regulatory news for credit unions

The National Credit Union Administration (NCUA) determined that the amendment to the Wisconsin Member Business Loan rule defining a “member business loan” is no less restrictive than the NCUA’s definition.

The NCUA proposed a rule that would allow federal credit unions to donate to veteran organizations to the list of qualified charities they can donate to via their charitable donation accounts (CDAs). It’s also asking for suggestions of other entities that should be considered qualified charities. 


For a deeper dive into these regulatory changes and enforcement actions, plus new state laws in Georgia and Maryland, state-level legislation addressing firearms and financial privacy, be sure to watch the video here. 

Subscribe to the Nsight Blog