Washington Update. Payments News from our Nation s Capital. October Contents. CFPB Finalizes Two Rules Related to International Money Transfers

Transcription

1 Washington Update Payments News from our Nation s Capital October 2014 Contents CFPB Finalizes Two Rules Related to International Money Transfers $25 per Issue $200 Annual Subscription Authors: Craig Saperstein - craig.saperstein@pillsburylaw.com Deborah Thoren-Peden deborah.thorenpeden@pillsburylaw.com Pillsbury Winthrop Shaw Pittman LLP In September, the Consumer Financial Protection Bureau ( CFPB ) published the final versions of two significant rules affecting providers of international money transfer services. The first rule permits banks and credit unions but not non-bank money transmitters operating on closed networks to estimate certain third-party fees and exchange rates associated with remittance transfers through July 21, 2020, extending an exception for such institutions that was scheduled to expire on July 21, The second rule subjects larger participants in the non-bank international money transfer market to CFPB supervision, which means that the Bureau will be empowered to conduct on-site examinations of such entities. OCC Implements New Guidelines Establishing Heightened Standards for Large Banks In September, the Office of the Comptroller of the Currency ( OCC ) published final minimum standards governing a large bank s risk governance framework and the oversight of such framework by the institution s board of directors. The standards, which will enter into effect on November 10, 2014, replace previous heightened expectations established for large banks, savings associations, and federal branches of foreign banks with average total consolidated assets of $50 billion or more.

2 CFPB Finalizes Two Rules Related to International Money Transfers In September, the Consumer Financial Protection Bureau ( CFPB ) published the final versions of two significant rules affecting providers of international money transfer services. The first rule permits banks and credit unions but not non-bank money transmitters operating on closed networks to estimate certain third-party fees and exchange rates associated with remittance transfers through July 21, 2020, extending an exception for such institutions that was scheduled to expire on July 21, The second rule subjects larger participants in the non-bank international money transfer market to CFPB supervision, which means that the Bureau will be empowered to conduct on-site examinations of such entities. Refresher on CFPB Remittance Rules Over the past three years, the CFPB has implemented a comprehensive set of requirements for financial institutions related to money transfers sent by consumers in the United States to individuals and businesses in foreign countries, pursuant to a provision in the Dodd-Frank Act. The rules generally require that a remittance transfer provider disclose information about the actual cost of a money transfer of more than $15, including any fees, exchange rates, and any additional charges, before and at the time a customer pays a remittance transfer provider to send funds to a foreign recipient. The rules also provide that consumers have 30 minutes to cancel a transfer after making payment and that remittance transfer providers must investigate disputes and resolve certain types of errors associated with remittance transfers, among other requirements. Although the remittance regulations generally require a provider to offer exact pricing disclosures to allow consumers to understand the actual cost of a remittance transfer, the Dodd-Frank Act temporarily allows insured institutions to provide estimates of certain third-party fees and exchange rates in cases where exact information cannot be determined because such institutions do not have the mechanisms in place to communicate with foreign financial institutions that execute remittance transfers. The law states that this exception for banks, credit unions, and thrifts will expire on July 21, 2015, but allows the CFPB to extend the exception to July 21, 2020 if it determines that expiration of the temporary exception would negatively affect the ability of insured institutions to send remittance to locations in foreign countries. After extensive consultation with industry stakeholders, the Bureau in April 2014 proposed to extend the temporary exception for an additional five years. Beyond its authority to impose the substantive requirements on money transfers providers described above, the CFPB also has authority under the Dodd-Frank Act to supervise that is, to conduct on-site and off-site examinations of and request documents from large depository institutions, as well as certain larger participants in non-bank financial markets. The purpose of this supervision is to assess financial institutions compliance with federal law and to detect and assess risks to both consumers to consumer financial markets. Pursuant to the Dodd-Frank Act, the Bureau has already begun its supervision of large depository institutions, payday lenders, private education lenders and mortgage originators and services. At the same time, the CFPB has been gradually establishing rules over the past three years to identify which entities and which markets should be subject to its authority under Dodd-Frank to supervise larger participants in non-bank financial markets. The Bureau has already implemented thresholds for supervision typically based on a company s annual receipts of larger participants in the debt collection, consumer reporting, and student loan servicing markets. On January 31, 2014, the CFPB proposed that large money transfer businesses that conduct at least one million international money transfers annually should be subject to supervision. 2

3 Final Rule Allows Insured Financial Institutions to Estimate Pricing Until July 2020 In early September, the CFPB published two final rules related to the depository institution exception for pricing disclosures and the supervision of larger participants in the nonbank international money transfer market, respectively. With respect to the pricing disclosures for remittance transfers, the CFPB s final rule establishes that banks, credit unions, and thrifts will remain exempt from the pricing disclosure requirements through July 21, This means that, until that date, insured banks and credit unions will be allowed to estimate the amount of currency to be received in a remittance transfer, so long as the remittance transfer is sent from the sender s account with the provider and the provider cannot determine the exact amount of currency to be received for reasons outside of its control. Pursuant to the determination allowed under the Dodd-Frank Act, the Bureau concluded that a failure to extend the exception would negatively affect the ability of insured institutions to send remittance transfers and that such an impact could cause some remittance transfer providers to stop sending certain transfers. Nevertheless, the CFPB expects insured banks and credit unions to continue to develop systems that will ultimately allow them to provide accurate, exact disclosures of exchange rates and third-party fees for consumers engaging in remittance transfers and believes that bank and credit union reliance on the temporary exception will decrease over time. In a separate publication, the CFPB applied its supervisory authority to large money transfer businesses that conduct at least one million international money transfers annually. The impact of this rule is that such businesses like larger participants in the non-bank debt collection, consumer reporting, and student loan servicing markets will now be subject to examinations and information requests, just like those that large depository institutions must incur. As first explained in its initial proposal to supervise international money transmitters, CFPB concluded that aggregate annual international money transfers is the appropriate metric to determine whether a company is a larger participant because it reflects the number of interactions a company has with consumers and, according to Bureau research, many providers already assemble such data for internal business purposes. The measure includes international money transfers in which an agent such as a grocery store or convenience store acts on a transfer provider s behalf. However, it does not include transfers in which another company provided the transfers and the supervised nonbank financial institution performed activities as an agent on behalf of that other company, unless the nonbank was acting as an agent on behalf of an affiliated company. The CFPB estimates that this threshold will subject approximately 25 international money transfer providers which, collectively, provided about 140 million transfers in 2012, with a total volume of approximately $40 billion to supervision. Any nonbank money transmitter that becomes subject to CFPB supervision will remain a larger participant for the two years after the first tax year in which the entity last met the 1 million aggregate annual international money transfers test. Although, in most cases, the companies that are subject to supervision as a larger participant will be also be regulated under the CFPB s remittance rules, the applicability of the two rules is not entirely the same. The disclosure requirements and consumer protections contained in the remittance regulations apply only to remittance transfers of more than $15; however, the CFPB s threshold for supervision will extend to all types and amounts of money transfers. The Bureau believes that these slightly different standards are necessary because small-value transactions comprise part of the same market as larger transactions and the number of international money transfers provided reflect the extent of a provider s market participation. 3

4 OCC Implements New Guidelines Establishing Heightened Standards for Large Banks In September, the Office of the Comptroller of the Currency ( OCC ) published final minimum standards governing a large bank s risk governance framework and the oversight of such framework by the institution s board of directors. The standards, which will enter into effect on November 10, 2014, replace previous heightened expectations established for large banks, savings associations, and federal branches of foreign banks with average total consolidated assets of $50 billion or more. Previous Heightened Expectations and Proposed Guidelines to Replace Them In the wake of the 2008 financial crisis, the OCC adopted a set of heightened expectations to enhance its supervision of large national banks and to ensure increased attention to risk management by such financial institutions. However, these expectations were not codified under federal regulations and were not enforceable under law. In an effort to formalize expectations and to authorize the enforcement of the standards, the OCC in January 2014 published proposed guidelines to establish minimum standards for the design and implementation of a risk governance framework ( Framework ) for large banks with total average consolidated assets of $50 billion or more. The guidelines articulated specific standards for understanding a large bank s risk profile and ascertaining whether such risk profile exceeds the institution s risk appetite. The proposed guidelines delineated a range of responsibilities to front-line units, independent risk management units, and internal audit units the so-called three lines of defense for risk management within a large bank. They also called upon large banks to prepare written strategic plans and risk appetite statements to formalize their risk management systems. The guidelines also proposed separate minimum standards for a bank s board of directors in overseeing the implementation of the Framework. These standards would have required a bank s board to ensure the implementation of an effective Framework and to actively oversee the bank management s risk-taking activities. Under the proposed standards, at least two members of the board of directors would have been required to be independent of the bank s or the parent company s management. The OCC requested public comments from industry stakeholders and others on certain policies contained in the proposed guidelines, including, among other issues, the interplay between the risk profiles of a bank and its parent company, the structure of a bank s independent risk management leadership, and the appropriateness of the requirement that two board members be independent of management. Final Guidelines Attempt to Clarify OCC s Risk Management Expectations IAfter receiving feedback from stakeholders on the proposed guidelines over the past 7 months, the OCC on September 11, 2014 published final guidelines related to a large bank s Framework and the oversight of such Framework by the bank s board of directors. The final guidelines will generally apply to insured national banks, savings associations, and insured federal branches of foreign banks (collectively, covered banks ) that have average total consolidated assets of $50 billion or more, though OCC may determine that a bank below this threshold will be subject to the guidelines if its operations are highly complex or otherwise present a heightened risk relative to its risk management capabilities. Banks with over $750 billion in average total consolidated assets must comply with the guidelines within 60 days of the November 10, 2014 effective date; in turn, a bank with assets ranging from $100 billion-$750 billion must comply within 6 months of the effective date. Any banks with assets ranging between $50-$100 billion have 18 months to enter into compliance. The OCC noted that, in establishing the final standards, the agency attempted to be responsive to comments made by industry stakeholders. In particular, as 4

5 the OCC described it, these stakeholders generally argued that the proposed guidelines issued in January were too prescriptive, were unclear with respect to the interplay between risk management activities conducted by a large bank and its parent company (if applicable), and would have inappropriately assigned managerial responsibilities, rather than mere oversight responsibilities, to a bank s board of directors. Nevertheless, the final guidelines broadly resemble the proposed guidelines published in January. Some of the key features contained in the final guidelines include: Establishment of Framework: A covered bank must establish and implement a Framework to manage and control its risk-taking activities. The bank may use its parent company s Framework if the Framework meets the minimum standards outlined in the guidelines and the risk profiles of the parent company and the covered bank are substantially the same (i.e. the bank s assets represent 95 percent or more of the parent company s assets). The guidelines also allow that, in consultation with the OCC, a large bank may incorporate elements of its parent company s Framework when developing its own Framework to the extent those elements are consistent with the guidelines. Delineation of Responsibilities: A covered bank s independent risk management unit is responsible for designing the Framework while the bank s board of directors (or a committee thereof) is charged with reviewing and approving it. The Framework should cover a wide variety of risk categories, including reputation and strategic risks, even though the OCC acknowledges that industry practices for managing reputation and strategic risks are less developed than those associated with more traditional risk categories. The Framework should also delineate roles and responsibilities related to a bank s front line units responsible for revenue generation, its independent risk management unit responsible for overseeing and assessing the bank s risk-taking activities, and its internal audit function. For purposes of the Framework, a bank s front line unit does not ordinarily include a bank s legal services unit, an exemption that was added in response to stakeholder comments related to the proposed guidelines. Strategic Plan and Risk Appetite Statement: A covered bank s CEO must be responsible for the development of a written three-year strategic plan, with input from the three lines of defense, that comprehensively assesses risks and is updated, as necessary, due to changes in the bank s risk profile or its operating environment. In addition, a covered bank must adopt a risk appetite statement identifying the bank s risk culture that serves as the basis for the bank s Framework. As with the proposed guidelines, the final guidelines do not define risk culture, though the commentary accompanying the final guidelines asserts that it relates to the core values of bank units as they carry out roles and responsibilities. Compensation/Performance: A covered bank should establish a compensation and performance program that ensures that the CEO and three lines of defense adhere to the Framework and that talent is attracted and retained to maintain the Framework. The Framework should also prohibit any incentivebased payment arrangement that encourages inappropriate risks by providing excessive compensation or that could lead to material financial loss. In response to stakeholder comments, the final guidelines state that bank compensation and performance management programs should ensure front line unit compensation plans and decisions appropriately consider the severity of issues and concerns identified by independent risk management and internal audit, as well as the timeliness of corrective action to resolve such issues and concerns. Board of Directors: A covered bank s board of directors is responsible for reviewing, approving, overseeing, and, as appropriate, ratifying a modification to the bank s Framework. The OCC expects the board to actively oversee the bank s risk-taking activities and to 5

6 question, challenge, and when necessary, oppose recommendations and decisions by made by management that could cause the covered bank s risk profile to exceed its risk appetite or to jeopardize the safety and soundness of the covered bank. To ensure board independence from bank management, the guidelines require that at least two board members should: (1) not be an officer or employee of the bank or its parent company; (2) should not be a member of the immediate family of a bank executive; and (3) should qualify as an independent director under the national securities exchange standards. The final guidelines emphasize that the OCC does not expect the board of directors to assume managerial responsibilities; rather, it should rely on independent risk management and internal audit units to meet its active oversight responsibilities. Potential OCC Enforcement Looms for Non-Compliant Banks In adopting the minimum risk management standards as guidelines rather than as regulations, the OCC maintains that, if a covered bank fails to meet the standards, it has flexibility to pursue the course of action that is most appropriate given the specific circumstances. The OCC may require any covered bank that fails to comply with the guidelines to submit within 30 days a compliance plan detailing the steps the institution will take to correct the deficiencies and the time within which it will take those steps. If the covered bank fails to submit an acceptable compliance plan, the OCC may proceed to issue an enforcement order against the bank in federal court or via an assessment of civil monetary penalties. As such, the risks of failing to comply are potentially significant for banks that are subject to the guidelines. About the Authors: Craig Saperstein is an attorney in the Public Policy practice of Pillsbury Winthrop Shaw Pittman LLP in Washington, D.C. In this capacity, he provides legal analysis for clients on legislative and regulatory developments and lobbies congressional and Executive Branch officials on behalf of companies in the payments industry. Deborah Thoren-Peden is a partner and member of the Financial Institutions Team at Pillsbury Winthrop Shaw Pittman LLP. She provides advice to financial institutions, bank and non-bank, and financial services companies. The information contained in this update does not constitute legal advice and no attorney-client relationship is formed based upon the provision thereof Montgomery St, Suite 400 San Francisco CA (415)