Waking Up to the Long-Dormant Risk of Deposits
Although often considered a low-risk, stable part of bank products and operations, deposits have been the source of multiple recent risks at a number of financial institutions. These risks, which have been identified by both financial institutions and regulators, span a number of areas within the deposit life cycle, including advertising, opening accounts, assessing fees, and transaction processing. Factors driving the risk include electronic funds transfer (EFT) procedures, person-to-person (P2P) payments, digital algorithms, overdraft practices, and pandemic-related stimulus payments.
Regulators Focus on EFT Error Resolution
Federal regulators are increasingly focused on electronic funds transfer (EFT) error resolution processes under Regulation E, with multiple warnings issued by the Consumer Financial Protection Bureau (CFPB), Federal Deposit Insurance Corporation (FDIC), Federal Reserve (FRB), and National Credit Union Administration (NCUA).
The CFPB has mentioned Regulation E error resolution violations in several issues of its Supervisory Highlights.[i] The FDIC discussed similar concerns in two issues of Consumer Compliance Supervisory Highlights,[ii] and the FRB detailed common error resolution shortcomings both in an issue of Consumer Compliance Outlook[iii] and in an Outlook Live webinar.[iv] Regulatory violations found across institutions have included almost every aspect of Regulation E compliance, such as:
- Discouraging consumers from filing error resolution requests;
- Requiring consumers to attempt to resolve issues with merchants before investigating error claims;
- Requiring branch visits or written confirmation of oral requests before beginning an investigation;
- Charging fees for error resolution;
- Failing to investigate within the required time frames;
- Not conducting a reasonable investigation, including assuming that transactions were valid if the consumer had ever done business with a particular merchant;
- Requiring consumers to assist with investigations by signing error claims or affidavits and filing police reports;
- Charging for replacement cards after an EFT dispute related to card fraud;
- Errors in provisional credits, including failing to provide provisional credits, providing provisional credits for less than the full amount of the error, posting provisional credits to the wrong account, and errors in notices relating to provisional credits;
- Mistakes when denying claims, including failing to provide accurate and timely notices when reversing provisional credits or neglecting to notify consumers of their right to obtain the documentation relied on in the institution’s investigation;
- Errors in applying the timing requirements, resulting in excess consumer liability;
- Refusing to refund fees or credit interest associated with the error when remediating errors;
- Failing to notify consumers of the result of an investigation; and
- Reopening investigations after a final determination.
Based on the agencies’ published statements on EFT error resolution and recent consent orders for Regulation E violations, some of the violations identified have arisen from institutions conflating Regulation E error resolution requirements with card association chargeback rights or National Automated Clearing House Association (NACHA) rules.
P2P Payment Complaints Skyrocket
An emerging risk in EFT error resolution under Regulation E is associated with the rise of P2P payment applications. Data from the Federal Trade Commission, Better Business Bureau, and CFPB shows that complaints against P2P payment apps have skyrocketed during the pandemic. Consumers frequently complain that the P2P app provider and the funding financial institution each say the other is responsible for resolving the error. In fact, both financial institutions and consumers are sometimes confused about who has EFT error resolution responsibility, since it depends on the specific circumstances of the relationship (if any) between the app provider and the financial institution.
If the app provider issues an access device, such as a payments app or a debit card, and does not have a relationship with the financial institution, then the app provider is responsible for Regulation E error resolution. In these cases, the app provider is subject to both the general requirements of Regulation E and the special rules in 12 CFR §1005.14. Under these conditions, the financial institution holding the depository account is responsible for producing periodic statements and, upon request, providing information or documentation needed by the app provider (or consumer) to investigate errors. However, if the app or service provider has a relationship with the financial institution holding the account, then the financial institution is responsible for EFT error resolution.
Algorithms Trigger Freezes
Another emerging deposit risk arises from the interplay between consumer protection rules and the algorithms and techniques used to detect potentially fraudulent account activity. One neobank was the subject of numerous CFPB complaints regarding accounts that were locked due to suspected fraud. And although the most recent headlines and calls for investigation involve a neobank, traditional banks have been subject to lawsuits over similar practices.
The CFPB has previously noted that financial institutions commit unfair acts or practices by placing hard holds or “freezes” on customer accounts to stop all activity when the institutions observe suspicious activity. (See files.consumerfinance.gov/f/documents/201709_cfpb_Supervisory-Highlights_Issue-16.pdf.) Such hard holds can have significant adverse effects on consumers, including rejected deposits, dishonored payments, and loss of access to funds for a period of weeks. This is especially true when the frozen account is the consumer’s only payment account. Banks should be sure to communicate with customers when placing non-Reg CC holds.
Overdraft Transgressions Include Posting, Marketing
Overdraft practices remain subject to significant regulatory scrutiny, and overdraft litigation continues. A number of lawsuits and settlements relate to check posting order. Historically, many banks and credit unions cleared debits from largest to smallest. This posting order increases the likelihood that the largest transactions, which are more likely to be important payments, such as a mortgage or auto loan payment, will be paid. However, processing the largest transactions first also may increase the number of overdraft or insufficient funds fees assessed to an account. Bank regulators and consumer advocates may prefer processing transactions from smallest to largest, as this may result in fewer fees to the accountholder.
As a result of this scrutiny, several financial institutions changed their practices relating to posting order and are now processing in transaction order (using check numbers, for example) or smallest to largest. Some banks also ceased charging overdraft fees on overdraft transactions below a certain dollar threshold, reduced the maximum number of non-sufficient funds (NSF) fees charged each day, or reduced extended overdraft fees.
The State of New York recently passed a law, which will be effective January 1, 2022, to limit overdraft fees by requiring banks regulated by the state to adopt a posting order that posts checks either in the order received or by size from smallest to largest. In addition, the law requires banks that dishonor a check for insufficient funds to pay subsequent checks presented if the account has sufficient funds to pay the subsequent checks. Action by other states, or on the federal level, is possible, as some Democratic members in both chambers of Congress have called for limits on overdraft fees.
In addition, federal regulators have brought several enforcement actions related to overdraft marketing and opt-in practices in recent years, including one in 2020. The CFPB has also noted that its examiners continue to identify violations of Regulation DD where financial institutions disclose available account balances to consumers that include discretionary overdraft credit available to the consumer. Other violations include failures to disclose overdraft fees on periodic statements.
Latest Overdraft Concern: APSN
A newer overdraft risk is “Authorized Positive, Settled Negative” (APSN) transactions. An APSN transaction occurs when a debit card transaction is authorized, with a hold placed, against a positive account balance but later settles on negative funds because intervening transactions settled first. When an overdraft fee is assessed on the first transaction (which was authorized on positive balance), an APSN claim may be brought against the financial institution.
Legal outcomes are mixed on this subject, and hinge on whether the specific wording of deposit agreements is consistent with the bank’s overdraft practices and adequately informs the consumer of settlement and fee assessment practices. Several courts have found the deposit agreements were ambiguous and permitted lawsuits to proceed, while others found the practices in question were consistent with account disclosures, terms, and conditions. In the past, the CFPB has expressed concern regarding the use of available balance in assessing fees, and has determined that APSN fees may be unfair under some circumstances. (See files.consumerfinance.gov/f/201503_cfpb_supervisory-highlights-winter-2015.pdf.)
Multiple Overdraft Fees Create Issues
Another emerging overdraft risk relates to charging multiple NSF or returned item fees on the same transaction, sometimes known as “retry fees.” Multiple fees may be charged on a single transaction when the transaction is resubmitted or reprocessed after being returned for insufficient funds. In these lawsuits, the plaintiffs allege that financial institutions violate their account agreements when additional NSF fees are charged each time a merchant resubmits a check or ACH for processing, since the consumer did not expect or authorize resubmission. At least three banks and credit unions have settled lawsuits involving similar practices. Few such cases are resolved by the court. In one case, the court rejected this theory of liability. Additional litigation is ongoing.
Disclosures Raise Questions
Other deposit account fees may also be subject to scrutiny under the Truth in Savings Act (and Regulation DD) or as Unfair, Deceptive, or Abusive Acts or Practices (UDAAPs). The CFPB has stated that misrepresentations of account fees and fee waivers may be UDAAPs (files.consumerfinance.gov/f/documents/201709_cfpb_Supervisory-Highlights_Issue-16.pdf). Charging fees that have not been disclosed, or fees in a different amount than disclosed, could result in both UDAAPs and violations of Regulation DD.
The CFPB has also identified misrepresentations of the account debiting date on bill-pay transactions as deceptive acts or practices (files.consumerfinance.gov/f/documents/cfpb_supervisory-highlights_issue-18_032019.pdf). Other areas with Regulation DD and UDAAP risk include disclosing fee schedules, balance computation practices, or interest accrual and application practices that do not match institution practices.
Pandemic-Related Issues Arise
Don’t forget about pandemic implications for deposit risk. The CFPB’s COVID-19 Prioritized Assessments[v] noted that several institutions failed to “fully implement the protections states put in place to protect consumers’ access to the full amount of their government benefits, specifically Economic Impact Payments and unemployment insurance benefits.” (See files.consumerfinance.gov/f/documents/cfpb_supervisory-highlights_issue-23_2021-01.pdf.)
Some states’ laws limit or prohibit exercise of the right of setoff and/or garnishment of these types of benefit payments. Depending on the state, the limitations may also apply to payments under the American Recovery Act.
Managing Deposit Risks
In short, any conflict between account disclosures, processing practices, system settings, and regulatory requirements increases compliance risks. What should institutions do to manage these risks? The following six areas should be reviewed as a baseline for risk management:
- Policies and Procedures. First, depository institutions should review their policies, procedures, and operational manuals to ensure that stated practices are compliant with applicable laws and regulations. Walkthroughs and process mapping will help identify potential control points, especially if procedures are not sufficiently detailed. Pay special attention to areas of heightened regulatory risk, such as dispute and chargeback processing, stop payments, posting order, and overdraft fee assessments.
- Customer Complaints. Carefully review complaints, which are a rich source of information regarding customer pain points. Analyzing the root causes of complaints may identify areas of increased compliance risk, such as operational weaknesses and unclear disclosures.
- Account Disclosures. Take a deep dive into your account disclosures, including terms, conditions, and fee schedules, and map them to your system settings. Don’t forget to review product- and account-level settings if you permit exceptions in account set-up or have legacy products that may not be adequately maintained. Do your system settings and processing practices match what you’ve disclosed to your customers? Are disclosures and system settings consistent with regulatory requirements? If the answer to either of these questions is “no,” you have heightened compliance risk.
- Review the correlation of your marketing materials, deposit agreements, and posting practices. Do you have exposure to any of the emerging risks related to APSN fees or retry fees? What are your practices with respect to posting order? Do you charge NSF or overdraft fees on de minimis transactions? Have you implemented caps on daily fees? Practices that are considered unfriendly to consumers or result in assessing more fees to consumer accounts indicate greater compliance risk.
- Evaluate your training. Do staff members receive adequate education to understand deposit compliance requirements? Are they aware of the risks associated with violations of Regulations E, CC, and DD? Do they understand when customer notices are required? If not, training enhancements may be in order.
- Fraud Control. Finally, review your practices associated with suspected fraud. Have you ensured fraud algorithms are subject to strict validation and model governance requirements? Are you placing “hard freezes” on accounts when less stringent measures would serve to control fraud risk? If account restrictions are needed, do you communicate transparently with consumers?
Although deposit operations are often considered low-risk, errors can affect large numbers of customers and actually expose your institution to significant risk. It is a best practice to periodically assess the risks and controls associated with opening, servicing, and closing deposit accounts.
As seen in the January / February 2022 issue of ABA Bank Compliance Magazine
[i] See, for example, the following issues:
Summer 2020: https://files.consumerfinance.gov/f/documents/cfpb_supervisory-highlights_issue-22_2020-09.pdf
Summer 2017: https://files.consumerfinance.gov/f/documents/201709_cfpb_Supervisory-Highlights_Issue-16.pdf
and Fall 2014: https://files.consumerfinance.gov/f/201410_cfpb_supervisory-highlights_fall-2014.pdf
[ii] See the following issues:
March 2021: https://www.fdic.gov/regulations/examinations/consumer-compliance-supervisory-highlights/documents/ccs-highlights-march2021.pdf
and June 2019: https://www.fdic.gov/regulations/examinations/consumer-compliance-supervisory-highlights/documents/ccs-highlights-june2019.pdf
[iii] 2021, Second Issue: https://consumercomplianceoutlook.org/2021/second-issue/error-resolution-and-liability-limitations-under-regulations-e-and-z/
[iv] Outlook Live (December 12, 2019): https://consumercomplianceoutlook.org/outlook-live/2019/regulation-e/