<img src="https://ws.zoominfo.com/pixel/pIUYSip8PKsGpxhxzC1V" width="1" height="1" style="display: none;">

August 2023 Regulatory Brief: Enforcement Actions and the Future of the CFPB & 1071

4 min read
Aug 9, 2023

July was a month full of enforcement actions, litigation, and a few final rules. From the latest with the Consumer Financial Protection Bureau (CFPB) and the courts to three multi-million-dollar enforcement actions covering everything from consumer harm to risk management, there’s a lot to unpack.

Not to worry! Ncontracts team of regulatory professionals are here to break it down for you in our monthly podcast.

And don’t forget, you can always log into Ncomply for updates.

For a deeper dive into what all took place in July, be sure to watch the video here.


Here’s the rundown:

The CFPB, 1071 & the Supreme Court

The Supreme Court will hear oral arguments about the constitutionality of the CFPB funding structure related to 1071 starting October 3, with a decision expected by early 2024. Today the CFPB gets its funding directly from the Federal Reserve instead of through congressional appropriations, which the Fifth Circuit court ruled violates the constitution’s appropriation clause. Even if the CFPB’s funding structure is ruled unconstitutional, it’s not likely to end the agency or its rules.

In related news, 1071 implementation dates for members of the Texas Bankers Association (TBA) and the American Bankers Association (ABA) have been delayed after a Texas court granted injunctive relief until the Supreme Court rules on the constitutionality of CFPB funding. The delay does not apply to credit unions or other lenders.

Meanwhile the CFPB issued its Summer 2023 Supervisory Highlights covering abusive acts and practices in areas including mortgage origination and servicing, auto origination and servicing, consumer reporting, debt collection, deposits, fair lending, information technology, payments and small-dollar lending, and remittances between July 1, 2022, and March 31, 2023.

Enforcement Actions

Third-Party Oversight Failure Leads to $15 Million OCC Fine for Bank

A Utah-based bank is on the hook for a $15 million civil money penalty from the OCC after poor vendor oversight caused the bank to violate customer identification program (CIP) requirements.  

The OCC says the bank “failed to properly govern and oversee the efforts of a third-party affiliate” used to retain small business customers. The third-party affiliate’s call monitoring and documentation processes and its tracking and monitoring of customer complaints missed the mark, causing the bank to fail to gather employer identification numbers, maintain records regarding CIP compliance and customer retention, and present them to the OCC when requested.  

 The OCC says this activity, which occurred between 2015 and 2017, was an unsafe and unsound business practice. It’s an important reminder for institutions to be aware of changes in their third-party risk management (TPRM) program. Examiner lookbacks are real, making it essential to self-identify and correct issues.  

How strong is your vendor oversight program? Are you managing the compliance risk of third-party service provider relationships?  If the answer isn’t a resounding yes, you need to take a closer look at your vendor management program and the interaction of TPRM and your institution's compliance management system (CMS). 

Triple-whammy CFPB fine costs Bank of America $250 million 

Bank of America will have to pay $100 million in customer redress and $150 million in fines to the CFPB and OCC in a consumer harm enforcement action. The CFPB says Bank of America repeatedly charged consumers insufficient funds fees for the same transaction, didn’t allow consumers to cash in promised credit card rewards, and opened fake accounts in consumers’ names.

Credit Suisse Misconduct Costs UBS $268 million 

Unsafe and unsound credit risk management practices involving Credit Suisse and a capital management firm will cost UBS Group $268.5 million, according to a Federal Reserve Board consent order. Credit Suisse ignored warnings about Archegos a counterparty investment firm involved in fraud and racketeering that failed in 2021, resulting in $5.5 billion in losses. Credit Suisse knew it was approaching its internal risk limits in 2020 but didn’t do anything about it.

The Fed expects Credit Suisse to address this and other “longstanding deficiencies in other risk management programs” in its U.S. operations. Listen to the podcast for all the details.

Final and proposed rules

NCUA approves final member expulsion rule

The NCUA finalized its member expulsion rule, making it easier for federal credit unions to close member accounts when members pose a danger to credit union staff or cause significant disruptions. FCUs can adopt this new provision of the model bylaws through a two-thirds vote of their board of directors. Before leveraging the new expulsion bylaws, the FCU has to notify members. The rule takes effect August 25, 2023.

Publicly traded companies have four days to disclose cyber incidents

The Securities and Exchange Commission will require publicly traded companies to disclose material cybersecurity incidents within four days (note that bank regulators impose a more restrictive 36-hour timeline) and annually disclosure information regarding their cybersecurity risk management, strategy, and governance.

HUD proposes new requirements for FHA investing lenders and mortgagees 

HUD proposed rule amendments that would revise requirements for status as an FHA approved lender or mortgagee.

FedNow Launches

The Federal Reserve launched the first phase of its long-awaited FedNow Service real-time payments systems in July. The system operates alongside other services, including FedWire and FedACH.

While the list of participants is initially short, one of the benefits of the FedNow Service is that payments will clear and settle between financial institutions in real time 24x7x365 in a Federal Reserve Bank master account with no prefunding required. This always-on process reduces interbank credit risk, but also means financial institutions may need to upgrade systems to be able to process payments on an ongoing basis. Listen to the podcast for more analysis.

Subscribe to the Nsight Blog