Consumer Compliance Outlook > 2023 > First Issue 2023

Consumer Compliance Outlook: First Issue 2023

Digital Banking Compliance Considerations

By Dolores Collazo, Senior Examiner, Federal Reserve Bank of Atlanta

A recent survey found that 78 percent of Americans prefer to bank digitally, including the use of mobile banking applications and bank websites, a trend that accelerated because of the COVID-19 pandemic.¹ To accommodate their customers’ evolving banking preferences, some banks have been exploring partnerships with third-party vendors, particularly fintech companies.²

Since banks may lack expertise in this area, partnering with third parties can help banks better serve their customers. But using third parties also increases risks. Because of this increased activity in digital banking, this article reviews recent interagency guidance on due diligence considerations when banks are vetting fintech companies, discusses the Electronic Signatures in Global and National Commerce Act³ (E-Sign Act) requirements for electronic consumer banking, and lists top consumer complaints related to digital banking.

COMPLIANCE CONSIDERATIONS FOR FINTECH PARTNERSHIPS

Interagency Guide for Community Banks

To assist banks that are considering partnerships with fintech firms, the Board of Governors of the Federal Reserve System (Board), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) (agencies) published a guide in August 2021 titled Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks⁴ (guide). The guide provides helpful suggestions but is not intended to address all types of third-party relationships and risks.

Due Diligence

Performing due diligence is a critical aspect of the process of vetting a potential vendor. The guide discusses six due diligence topics: business experience and qualifications; financial condition; legal and regulatory compliance; risk management and controls; information security; and operational resilience. From a consumer compliance perspective, the legal and regulatory topic is most relevant to this article. The guide provides a nonexhaustive list of factors a bank can consider in conducting legal/regulatory due diligence:

• Reviewing the fintech company’s risk and compliance processes
• Determining if the fintech company has experience with other community banks in complying with consumer laws and regulations
• Reviewing the fintech company’s information for consumer applications, delivery channels, disclosures, and marketing materials to anticipate and address potential consumer compliance issues
• Considering the industry ratings of the fintech company and any complaints for insights into its level of customer service and potential compliance issues

The guide identifies potential sources of information that banks can use in performing this due diligence:

• Proposed marketing materials and regulatory disclosures with product details such as fees, interest rates, or other terms
• The methods used to monitor, remediate, and respond to customer complaints
• Customer complaint records involving the fintech company

Contract Provisions

When banks retain a vendor, their mutual obligations are memorialized in their contract. Because the contract is the governing document for the third-party relationship, it should be carefully drafted by experienced counsel to help mitigate compliance risk. To assist banks in the process of vetting vendors and mitigating risks, the guide discusses some provisions that community banks may want to consider including in their contracts:

• Requiring the vendor to comply with applicable legal and regulatory requirements, including federal consumer protection laws and regulations
• Allowing a community bank and its primary regulator to access the fintech company’s records
• Authorizing a community bank to monitor and periodically review or audit a fintech company for compliance with the agreed-upon terms

• Instituting approval mechanisms (for example, community bank signs off on any changes to marketing materials related to the activity)
• Periodically reviewing customer complaints, if available, of the activity

For a more comprehensive discussion of vendor risk management for banks supervised by the Federal Reserve, refer to Supervision Regulation letter 13-19/Consumer Affairs letter 13-21 (Guidance on Managing Outsourcing Risk).⁵

Additional Compliance Considerations

When a bank partners with a third party, examiners review a bank’s management of third-party relationships as though the bank were conducting the activities itself.⁶ “The use of service providers does not relieve a financial institution of the responsibility to ensure that outsourced activities are conducted in a safe-and-sound manner and in compliance with applicable laws and regulations.”⁷ This includes reviewing a bank’s management of third-party relationships and servicers as part of its overall compliance program. For example, for purposes of complying with the privacy requirements of Regulation P, a financial institution may have a policy of not sharing nonpublic personal information (NPPI) outside of the exceptions in the regulation and discloses this policy to its customers in accordance with the regulation.⁸ Conversely, a fintech partner with access to bank customer information may have a policy of sharing NPPI with outside parties. This difference in policies could violate Regulation P if the actual practice of sharing NPPI does not align with the financial institution’s Regulation P disclosures.

E-Sign Act Requirements

In 2000, Congress enacted the E-Sign Act (Figure 1) to facilitate the rise in electronic transactions. It is important banks ensure that they are complying with the E-Sign Act as digital banking continues to grow.Under the E-Sign Act, electronic signatures, documents, and records for transactions have the same validity as written signatures and printed documents, provided certain requirements are met. The E-Sign Act also preempts state laws to the contrary. Before information related to a consumer transaction required to be in writing can be provided electronically, the E-Sign Act requires that a six-step consumer consent process be completed:

FIGURE 1: FUNDAMENTALS OF ELECTRONIC DISCLOSURES

Step 1 – Availability of Paper Delivery or Paper Copies Before seeking a consumer’s consent to use electronic records, institutions must inform the consumer in a clear and conspicuous statement of any right or option to have the record provided in nonelectronic form, the right to withdraw that consent, the consequences of withdrawing consent (including terminating the relationship), and any fees imposed in the event of withdrawal. Institutions must also inform consumers of their right to request a paper copy of an electronic record and whether any fees apply.

Step 2 – Consent Choices Before seeking a consumer’s consent to the use of electronic records, a financial institution must inform the consumer in a clear and conspicuous statement whether consent relates to a particular transaction only or whether consent relates to broader categories of information. Most financial institutions choose a product-by-product consent process.

Step 3 – Consumer Actions Financial institutions must disclose to consumers the procedures to withdraw consent at a later date and to update the consumer’s contact information, such as notifying the financial institution when the consumer’s email address changes.

Step 4 – Hardware/Software Requirements Financial institutions must provide consumers with a statement detailing the hardware and software requirements to access and retain electronic records.

Step 5 – Affirmatively Consent To ensure a consumer can communicate electronically with the financial institution to which consent has been provided, the E-Sign Act requires that the consumer provide consent electronically “in a manner that reasonably demonstrates that the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent.”4

Step 6 – “After Consent” Disclosure To ensure continued electronic access, financial institutions must provide consumers with a statement detailing any revised hardware and software requirements for access to and retention of electronic records as well as the right to withdraw consent without the imposition of any fees for such withdrawal and without the imposition of any condition or consequence that was not disclosed. After providing this statement, institutions must again obtain consumers’ affirmative consent as in Step 5. The procedures in Step 6 must be followed when the changes in hardware and software requirements create a material risk that consumers will not be able to access or retain electronic records.

CCO reviewed this six-step process in a 2009 article, and we encourage financial institutions to review the article and test their systems for compliance.⁹

Institutions should also note that the E-Sign Act does not apply to certain notices, including, but not limited to

• court orders or notices, or official court documents (including briefs, pleadings, and other writings) required to be executed in connection with court proceedings; and
• notice of default, acceleration, repossession, foreclosure, eviction, or the right to cure for a mortgage or lease of an individual’s primary residence.¹⁰

E-Sign Act Risk Mitigants

A sound practice to manage risks for the E-Sign Act is to conduct compliance reviews, tailored to the size and complexity of the bank’s operations, using a checklist such as the one included in Module IV of CA letter 03-10 Consumer Affairs Electronic Banking Examination Checklist.¹¹ Furthermore, when reviewing a bank’s compliance with the E-Sign Act, examiners may look at the following areas consistent with community bank consumer compliance risk-focused supervision guidelines:¹²

• Determine if the bank delivers notices and/or disclosures subject to the consumer consent provisions of the E-Sign Act
• Review the bank’s procedures to ensure that the consumer has affirmatively consented to electronic disclosures and has not withdrawn consent prior to the bank providing electronic disclosures
• Determine if a change in the hardware or software requirements needed to access or retain electronic records creates a material risk that the consumer will not be able to access or retain subsequent electronic records subject to the consent

Compliance Considerations

A sound practice for financial institutions is to implement policies and procedures to comply with the technical requirements regarding electronic disclosures. Examples of compliance considerations may include the following:

• Identify the bank’s products, services, and advertisements that use electronic communications, including those offered through fintech partnerships
• Compare the bank’s practices for delivering electronic communications to the requirements in the specific regulation to ensure regulatory requirements are satisfied
• Test a sample of disclosures for compliance on the devices where they can be displayed (e.g., mobile phone, tablet, laptop)
• Address any deficiencies noted in compliance reviews with management and implement corrective action, as needed
• Include reviews of electronic disclosures in change management processes such as for new products or changes to existing products

DIGITAL BANKING COMPLAINT DATA

Banks can review consumer complaints for digital banking to help identify potential compliance risks in this area. This includes complaints from a bank’s customers as well as complaints filed with banking regulators.

Federal Reserve Consumer Help Center Complaint Data

Federal Reserve Consumer Help (FRCH) is the Federal Reserve System’s centralized consumer complaint function. It receives consumer complaints by phone and its website and routes them to the appropriate federal regulator. If the institution is one for which the Federal Reserve is the primary federal regulator for consumer compliance for the law or regulation at issue, the complaint is sent to the appropriate Reserve Bank to investigate. FRCH received approximately 2,620 digital banking related complaints in 2021, 56 percent of which were complaints related to mobile banking, and 44 percent of which were complaints associated with fintech products and services.¹³

The top three themes associated with the complaints related to mobile banking were:

• Error Resolution (approximately 490 complaints)
• Funds Availability/Unable to Access Account (approximately 367 complaints)
• Restricted/Blocked Account (approximately 343 complaints)

The top three types of complaints for fintech products and services were:

• Restricted/Blocked Account (approximately 409 complaints)
• Funds Availability/Unable to Access Funds (approximately 127 complaints)
• Fraud/Forgery (approximately 111 complaints)

Consumer Financial Protection Bureau (Bureau) Complaint Data

In March 2022, the Bureau published its Consumer Response Annual Report January 1–December 31, 2021.¹⁴ The Bureau received approximately 20,900 money transfer, money service, and virtual currency (collectively, money services) complaints in 2021. Of these money services complaints, the report stated: “In 2021, mobile or digital wallet was the most complained about type of product.”¹⁵ The report indicated that: “Consumers also identify the issue that best describes the problem they experienced. The most common issue was managing, opening, or closing your mobile wallet account.” Additionally, the report notes that: “Among the types of products in this category, mobile or digital wallets had the greatest change, increasing 164% from the prior two years’ monthly average.”

The Bureau Determined a Mobile Deposit Hold Practice Was Unfair

The Spring 2022 issue of the Bureau’s Supervisory Highlights¹⁶ discussed an unfair act or practice where institutions failed to lift initial automatic holds on mobile check deposits after a suspicious deposit hold was placed on the account. This practice harmed consumers:

Through transaction testing, examiners identified accounts where the institutions had charged a consumer overdraft fees because the institutions failed to lift the initial automatic holds on the amounts of mobile check deposits after an additional suspicious deposit hold was placed on the account. This practice caused, or was likely to cause, substantial injury due to consumers incurring fees and losing access to funds that were unrelated to the suspicious mobile check deposit. Consumers could not reasonably avoid the injury, given that they could not have prevented the institutions from failing to comply with their own internal procedures. And the injury was not outweighed by countervailing benefits to consumers or to competition.

The institutions’ failures to implement policies and procedures that address these technical limitations led to the unfair practices. The institutions revised their policies and procedures governing holds and developed controls to monitor for and detect instances of duplicate holds. The institutions refunded the fees caused by these duplicate holds.¹⁷

Reviewing complaint data is the first step to using these data to mitigate risk. CCO previously published an article titled “Enhancing the Compliance Management Program with Complaint Data,” that discussed how banks can use these data to enhance their compliance management programs that may be of interest.¹⁸

CONCLUSION

Consumers are increasingly migrating to digital banking platforms, and some banks have been expanding their platforms in response, including partnering with fintech companies. While these changes can benefit consumers, they also increase compliance risks. This article discussed some of the ways in which banks can proactively mitigate risks in this area. Specific issues and questions should be raised with the financial institution’s primary regulator.

ENDNOTES

¹ See “PYMNTS Data: More Than Three-Quarters of Consumers Prefer Digital Banking,” PYMNTS (April 2, 2022).

² See Melanie Wheeler, “5 Key Factors for Fintech Partnerships,” Bank Director (March 4, 2022).

³ See 15 U.S.C. §7001 et seq.

⁴ See Federal Reserve SR letter 21-15/CA letter 21-11 Conducting Due Diligence on Financial Technology Firms: A Guide for Community Banks (August 27, 2021).

⁵ In 2021, the agencies issued “Proposed Interagency Guidance on Third-Party Relationships: Risk Management,” 86 Federal Register 38182 (July 19, 2021). The final rule has not yet been issued.

⁶ See CA letter 16-8 FFIEC Guidance on the Uniform Interagency Consumer Compliance Rating System.

⁷ Guidance on Managing Outsourcing Risk, p. 2.

⁸ Consumer Compliance Outlook previously reviewed these requirements. See Kenneth Benton, “Overview of Federal Consumer Privacy and Security Laws for Financial Services,” Consumer Compliance Outlook (Third Issue 2021).

⁹ Jeffrey T. Paul and Gary Louis, “Moving from Paper to Electronics: Consumer Compliance Under the E-Sign Act,” Consumer Compliance Outlook (Issue 4 2009).

¹⁰ See 15 U.S.C. §7003(b).

¹¹ See CA letter 03-10, Consumer Affairs Electronic Banking Examination Checklist.

¹² See CA letter 13-19, Community Bank Risk-Focused Consumer Compliance Supervision Program.

¹³ See FRCH Center Federal Reserve Consumer Help complaints data. Fintech products and services are considered products offered to consumers through the fintech’s technology (e.g., application, mobile devices, software). The state member bank holds the account and processes the transactions, but the account is accessed by the consumer through the fintech’s technology.

¹⁴ See the Bureau’s 2021 Consumer Response Annual Report.

¹⁵ The Bureau’s mobile or digital wallet complaints comprised 6,300 or 47 percent of total money services complaints closed with explanation or relief in 2021. See Supervisory Highlights (Issue 26 Spring 2022), p. 43.

¹⁶ See Consumer Financial Protection Bureau’s Supervisory Highlights (Issue 26 Spring 2022), p. 16.

¹⁷ See Endnote 16.

¹⁸ Andrea Sovich, “Enhancing the Compliance Management Program with Complaint Data,” Consumer Compliance Outlook (Second Quarter 2012).