If the best defense is a good offense, as they say, what’s the best offensive strategy for financial services companies in 2024? Start by reading the signs all around you. Following a volatile 2023 in the financial services industry, we are now anticipating a busy year for bank regulators, in terms of enforcement and supervision. The industry is bracing to navigate a landscape of heightened regulatory scrutiny even as industry trends continue to evolve. In this election year, the political environment is also likely to produce some curveballs, at least in terms of regulatory messaging.

Despite all this uncertainty, recent supervisory activity can provide strong guideposts for what is to come and how to prepare. So, here’s what we’re expecting in this new year.

Less Talk and a Lot More Action: Enforcement on the Rise

In the fall of 2023, the Consumer Financial Protection Bureau (CFPB) began recruiting attorneys and non-attorneys to expand its enforcement division. Sources indicate that CFPB Director Rohit Chopra will bring on approximately 75 new full-time hires, which would increase enforcement staff by 50%. For context, in the past two years, the CFPB filed or resolved 55 enforcement actions resulting in $7.8 billion in consumer relief and penalties. With a bigger staff, achieving a similar volume in a single year wouldn’t be out of the question.

We also saw regulators increase their focus last year on nonbank financial institutions and their digital business models, with special attention paid to risks posed by certain practices that are traditionally handled by supervised banks, such as lending and payments. This year we should start to see the initial results of the new supervision models developed by the Federal Reserve and Office of the Comptroller of the Currency (OCC) for activities they deem “novel” and “complex.” This enhanced oversight of innovative financial services technologies and technology-driven partnerships between banks and nonbanks will likely include early enforcement related to bank use of artificial intelligence (AI).

Moreover, the Treasury Department recently spearheaded an effort vis-à-vis the Financial Stability Oversight Council to adopt a new framework to identify impending risks posed to the financial system by the migration of traditional bank activities to nonbanks. And the CFPB issued its proposed “larger participant rule,” which would allow it to supervise digital wallet and payment app providers.

Given the unprecedented level of supervision, example-setting enforcement actions are likely to follow, underscoring regulators’ commitment to keep pace with rapid advancements in technologies that may pose risks to the safety and soundness of the banking industry. Further, we will likely see a shift from criticism to enforcement on matters related to fees, fair lending, fairness/disparate impacts, and unfair, deceptive, or abusive acts or practices (UDAAP) related to non-traditional areas such as servicing, marketing, appraisal, and the use of AI models.

If that weren’t enough to keep compliance departments busy, other matters in the crosshairs include credit reporting (particularly medical debt), third-party dependencies, data sharing, and a lack of transparency in adverse action notices. And while fears of recession seem to have subsided, any worsening economic conditions could refocus regulators on fairness as it relates to default, servicing, and collection activities. For now, let’s hope all the talk about a “soft landing” for the post-COVID economy holds true in 2024.

A Long and Winding Road: Challenges, Delays, and Finalized Rules

In 2024, banks face a high volume of significant and complex guidance, rules, and standards to understand and implement. We also find ourselves in a period of uncertainty due to ongoing legal proceedings. Notably, a U.S. Supreme Court decision on the funding structure of the CFPB is expected by next summer, with potentially wide-ranging ramifications for the agency’s powers. Here’s what else to prepare for:

Small Business Lending Data

Delays and challenges to the CFPB’s Small Business Lending Data Collection final rule in Regulation B (stemming from Dodd-Frank Act Section 1071) also await a Supreme Court decision, with the possibility of alterations to the rule. The exact timeline and outcome remain unclear, but it’s highly improbable that the rule will be completely abolished. Meanwhile, the enforcement date has been deferred (the extent of the delay is yet to be determined), and there may be modifications to some data fields mandated by the rule.

In December, President Biden vetoed a move in Congress to overturn the CFPB’s small-business loan rule, arguing that the congressional resolution would hinder oversight of predatory lending. The veto is expected to be a significant point of contention as the issue continues to evolve.

Although we don’t know exactly what the final rule for Section 1071 will look like when it is eventually implemented, it would be prudent for banks to utilize any extra time to continue strategizing their compliance plans, from both an operational and technological standpoint. A proactive approach can demonstrate commitment to fair and transparent financial services as well as mitigate risk.

Personal Financial Data Rights

The CFPB’s proposed Personal Financial Data Rights regulation (aka the “Open Banking Rule”), which aims to give consumers more control over their financial data, is expected to be finalized this fall. The rule would give consumers the ability to access their financial data and share it with third parties—typically fintechs—for a specific and limited purpose.

Companies that receive consumer data are prohibited from exploiting or selling it for their own advantage, which includes incorporating it into algorithms or AI models for unrelated tasks like targeted advertising. Importantly, the rule would also ensure that consumers get their data free of junk fees and that the data is made available through dedicated digital interfaces that are safe, secure, and reliable. The CFPB’s action is contested by companies including data aggregators, who advocate for the extensive accumulation and utilization of consumer financial information.

Banks will need to determine what data to make available to customers and how, and prepare for potential consumer inquiries about data usage and disclosure.

Banking Fees

Although many banks have drastically reduced or outright eliminated overdraft fees, scrutiny of fees continues. Both the OCC and the Federal Deposit Insurance Corporation (FDIC) have addressed practices such as “authorize positive, settle negative” overdraft fees, where fees are assessed even when the account had sufficient funds at authorization but not at settlement. The CFPB has also been active in discouraging banks from charging non-sufficient funds (NSF) fees and is considering regulating overdraft plans as “consumer credit” under Regulation Z. Expect a proposed rule to be issued early this year.

The CFPB also issued a proposal under Regulation Z to curb excessive credit card late fees by seeking to ensure that such fees are “reasonable and proportional” to the late payments, as required under the Credit Card Accountability Responsibility and Disclosure Act (CARD Act). Additional details of the proposal include:

  • The rule would also lower the immunity provision for late fees to $8 (currently $30) for a missed payment and eliminate the higher dollar amount for late fees for subsequent violations of the same type (currently $41).
  • The automatic annual inflation adjustment for the immunity provision amount would be eliminated.
  • The maximum late fee amount would be capped at 25% of the required minimum payment. (The maximum late fee amount is currently 100%.)

These regulatory activities are in line with broader efforts to eliminate unfair and deceptive charges and to ensure that all mandatory fees are included in the advertised price, making it easier for consumers to compare costs and avoid unexpected charges. The Federal Trade Commission’s (FTC’s) proposed rule against junk fees and California’s legislation banning them are likely the first of many rules we will see in this area in the coming year. Both aim to eliminate deceptive online practices that make it difficult for consumers to stop recurring charges or understand terms and conditions, including burying the mention of fees in complex documents or using confusing language that tricks consumers into engaging in unintended conduct.

Now is a good time for organizations to document and analyze their fee assessment practices. This should entail a comprehensive evaluation of the fee structure and revenue streams associated with fee income, as well as the business purpose associated with each fee, notices to consumers, and fee-related change management practices. A good place to start is a special 2023 issue of the CFPB’s Supervisory Highlights that focused on fees in deposit accounts and the auto, mortgage, student, and payday loan servicing markets. The publication contained many examples of fees about which regulators are critical and could help guide your analysis of “transparency and full disclosure in pricing,” to quote a regulatory mantra.

Credit Reporting

Fair credit reporting and equal access to credit remain top of mind for regulators. In 2024, the courts will examine the scope of the Equal Credit Opportunity Act (ECOA). A 2023 district court ruling limited ECOA’s application to credit applicants only, excluding prospective applicants in advertising contexts. However, the CFPB later stated that ECOA and Regulation B apply to all aspects of a credit transaction. This ongoing issue, which could redefine ECOA’s reach, will continue to evolve in the courts.

The CFPB is also planning to significantly expand the reach of the Fair Credit Reporting Act (FCRA). The revised regulation is likely to mandate that consumer reporting agencies remove medical bills from credit reports. What’s more, the agency may broaden the definition of “consumer reporting agency” to encompass data brokers and redefine “consumer report” to include consumer-identifying information (such as name, address, and social security number), which could ultimately limit the disclosure or sale of this data without a permissible purpose. So one implication of the CFPB’s plan would be that data brokers—companies that sell or share reports containing consumers’ payment history, income, criminal records, and possibly consumer-identifying information—would essentially become consumer reporting agencies themselves.

Other possible changes to the rule may include:

  • Strengthening the process to obtain a consumer’s written permission to obtain a credit report;
  • Narrowing the definition of “legitimate business need,” as the FCRA’s catch-all permissible purpose to use consumer report information;
  • Making certain types of targeted marketing activities that do not directly share information with a third party subject to the FCRA; and
  • Determining that marketing is not a permissible purpose for using consumer report information.

Ahead of the proposed rule, banks should consider creating an inventory of the types of information (including consumer-identifying information) received from credit bureaus and other third parties, and review exactly what is done with that data to easily determine which new restrictions may apply.

Property Valuation

We also expect certain property valuation rules to become final this year. As originally mandated by the Dodd-Frank Act, regulatory agencies in June 2023 issued a joint proposal to implement quality control standards concerning automated valuation models (AVMs) used by mortgage originators and secondary market issuers. To minimize appraisal bias, the rules would require institutions that engage in certain mortgage-related credit decisions or make securitization determinations to adopt quality control standards encompassing their policies, practices, procedures, and monitoring and testing. Institutions must design these standards to ensure a high level of confidence that the estimates produced by AVMs are fair and nondiscriminatory.

Lenders will need to preclude data manipulation and avoid conflicts of interest by conducting random sample testing and reviews, as well as ensuring compliance with applicable nondiscrimination laws such as the ECOA and Fair Housing Act (FHA). The precise requirements for how to comply are expected in 2024. For example, will compliance be a direct responsibility of the lender or can it be handled by the AVM provider or other third party?

Additional measures addressing property values and appraisal bias include:

  • Regulators are expected to finalize guidance on reconsideration of value (ROV) requests for property valuations. The guidance will clarify how banks can handle ROV requests without compromising appraisal independence. It will also detail procedures for addressing valuation deficiencies and potential bias.
  • The Department of Housing and Urban Development (HUD) is developing a process for FHA loan seekers to request appraisal reviews if they suspect racial bias. This represents a step toward ensuring lenders follow proper procedures when borrowers raise discrimination concerns.
  • The Appraisal Foundation, under pressure from regulatory agencies, is expected to revise its ethics rule for appraisers, emphasizing federal anti-discrimination laws. Appraisers may face additional requirements such as enhanced anti-bias training and diversity measures. Lenders will need to ensure their appraisers comply with these changes.
  • More guidance on detecting and preventing appraisal bias could be coming from the CFPB and HUD, since biased appraisals could violate Regulation B and FHA rules.

Community Reinvestment Act

The updated Community Reinvestment Act (CRA) will significantly impact large banks ($2 billion+ in assets) and moderately affect intermediate-sized banks ($600 million to $2 billion), as it aims to better fulfill the law’s original purpose of encouraging banks to meet the credit needs of their entire communities, especially low- and moderate-income communities. Small banks (less than $600 million) will see minimal changes unless they opt into new requirements. The rule is expected to take effect in 2024, with compliance required from 2026 and data reporting from 2027.

Banks should already be preparing for these changes. And despite legal challenges, institutions should strive for strict adherence to CRA reporting standards. By proactively addressing this area, banks can mitigate risks and demonstrate fairness and transparency.

Adverse Actions

A key area of focus in 2024 will be adverse action notices, particularly where creditors utilize any sort of AI models or algorithms in their decisioning. Regulatory agencies are seeking to minimize what they call “digital redlining” and “algorithmic discrimination.”

In September 2023, the CFPB issued guidance stating that creditors must disclose specific reasons for adverse action, even if consumers may be surprised, upset, or angered to learn their credit applications were being graded on data that may not intuitively relate to their finances (but which may have been utilized in an automated model). The guidance specifies that creditors are not absolved from Regulation B’s requirement to specifically and accurately inform consumers of the reasons for denial simply because the use of predictive decision-making technologies in their underwriting models makes it difficult to pinpoint the specific basis for such adverse actions.

In this and other uses of digital tools, banks should develop and enforce clear policies and procedures, with a focus on AI models and algorithms, as well as privacy protections related to data used to train AI models. Inevitably, many of these activities are fully or partly supported by partnerships with third parties. As such, it is prudent to enhance third-party risk management to include adherence to new regulatory guidance and examination protocols. This expansion covers not only direct third-party relationships but also extends to fourth-party risks and necessitates robust contingency planning.

Where to Start and How Treliant Can Help

A sound strategy for 2024 would prioritize investment in readiness for the final rules and areas of precedence—the guideposts described above—where we expect the most activity this year. Establish an agenda and secure support from senior leadership and the board of directors on preparations for what’s to come. Mount your best offense and engage your regulators early and often.

Remember that, despite legal challenges in many areas, you should continue to proactively address areas of heightened supervision, both to mitigate risks and demonstrate your commitment to fair and transparent practices. And special attention should go to digital technologies such as AI this year, with regular risk assessments and continuous monitoring systems ensuring effective governance of their use in areas such as marketing and credit operations. Implement a comprehensive change management framework that integrates compliance teams into operational strategy and technology changes.

Treliant’s expert team of former regulators, CCOs, and compliance professionals stands ready to provide advisory guidance and implementation support to navigate the regulatory landscape in the coming year.

Author

Laura Huntley

Laura Huntley is a Managing Director in Treliant’s Regulatory Compliance, Mortgage, and Operations Solutions practice. Laura brings almost two decades of specialized experience in regulatory strategy, compliance, and risk management within the financial services industry. Beginning her career as a practicing attorney, she honed her expertise in regulatory compliance and…