On June 30, 2015, the FFIEC released a Cybersecurity Assessment Tool and User’s Guide (“Guide”) intended “to help institutions identify their risks and assess their cybersecurity preparedness.” Financial institutions handling sensitive customer data should view this as a mixed blessing.
It is often said by technology and cybersecurity experts that the question is not whether a company will experience a security breach, but when. The important question then is how the company responds to that breach. One implication of these statements is that an institution should do the best that it can, but that no one should be punished too severely when the inevitable breach occurs. It was, after all, unavoidable.
The release of the Cybersecurity Assessment Tool arguably changes that analysis. Now there are more specific standards against which institutions may be judged. Those who fail to conduct an adequate cybersecurity risk assessment and implement appropriate controls can expect, when the inevitable security breach occurs, that plaintiffs and regulators will point to the Cybersecurity Assessment Tool as evidence that the institution failed to take appropriate steps to mitigate the risks.
Every now and then the names of the parties in a case just sort of jump out and grab you. A recent decision out of Nevada involved a guaranty given by The Mafia Collection (“Mafia”) for certain loans made to Murder, Inc., LLC (“Murder”). Murder defaulted on the loans and the secured creditors sought to foreclose on the collateral pledged by Mafia comprising some 1500 mob-related artifacts.
While the foreclosure case was pending, Mafia acquired some of the secured notes that it had guaranteed. Mafia then filed a counterclaim/third-party claim against the collateral agent for the lenders, Andrew DeMaio, alleging unjust enrichment and breach of fiduciary duty. The lower court ruled in favor of the collateral agent and the secured creditors and awarded attorney fees and costs as allegedly provided for in the parties’ secured notes and security agreement.
On appeal to the Nevada Supreme Court, Mafia raised several issues, one of which dealt with whether the district court erred by dismissing as nonassignable Mafia’s claim for breach of fiduciary duty. A claim for breach of fiduciary duty is similar in nature to a claim arising under fraud as opposed to a breach of contract type of claim. In many states, including Nevada, a claim for fraud is not assignable to third parties; it is deemed to be “personal” to the defrauded party.
The court found that the district court erred by dismissing Mafia’s claim because there was a disputed issue of material fact as to the basis of Mafia’s claim, namely, whether the collateral agent allegedly breached his fiduciary duty to Mafia in its personal capacity, as a guarantor and/or a creditor (after it acquired the secured loans), or whether he allegedly breached his fiduciary duty to the selling noteholders, who in turn attempted to assign their claim to Mafia by virtue of the loan assignments. The former claim would be permissible; the latter would not.
The US Supreme Court has agreed to review a decision by the Eighth Circuit Court of Appeals in Hawkins v. Community Bank of Raymore, 761 F3d 937 (CA8 2014) where the court found that the Federal Reserve had overstepped its bounds in adopting rules under the Equal Credit Opportunity Act to protect spousal guarantors. The case arose out of a series of loans in 2005 and 2008 made by the Bank—totaling more than $2,000,000—to PHC Development, LLC to fund the development of a residential subdivision. In connection with each loan and each modification, the principals of the LLC and their spouses (who had no interest in the LLC) executed personal guaranties in favor of Community to secure the loans.
In April 2012, Community declared the loans to be in default, accelerated the loans, and demanded payment both from PHC and from the guarantors. The guarantors defended on the basis that Community had required them to execute the guaranties solely because they were married to their respective husbands. They claimed that this requirement constituted discrimination against them on the basis of their marital status, in violation of the ECOA. The Federal Reserve has adopted Regulation B, which prohibits a lender from requiring a person’s spouse to join in on any credit documents unless the parties are applying for joint credit. 12 CFR 202(d)(1).
The ECOA makes it “unlawful for any creditor to discriminate against any applicant, with respect to any aspect of a credit transaction … on the basis of … marital status.” 15 U.S.C. § 1691(a).
A Quick Overview and a Note on Construction Lending
On June 16, 2015, the FDIC issued a notice of proposed rulemaking to revise its calculations for deposit insurance assessments for banks with under $10 billion in assets (excluding de novo banks and foreign branches). The rules would go into effect the quarter after they are finalized but by their terms would not be applicable until after the designated reserve ratio of the Deposit Insurance Fund reaches 1.15%.
At almost 150 pages, there are many facets to the proposed rule that must be carefully analyzed. At the outset, we give credit to the FDIC for attempting to fine-tune deposit insurance assessments beyond the blunt instrument that they have always been. We have long held the position that the FDIC should adopt more careful underwriting procedures, similar to private insurers, in order to better serve its function in the industry.
Under the proposal, a number of factors are used in a model to calculate a bank’s deposit insurance assessment rates: CAMELS ratings, Leverage Ratio, net income, non-performing loan ratios, OREO Ratios, core deposit ratios, one year asset growth (excluding growth through M&A, thankfully), and a loan mix index. All of these factors are intended to predict a bank’s risk of future failure, and all are worthy of discussion.
Putting aside our overall hesitancy to fully support faceless numerical models to draw important conclusions (anyone remember subprime lending?), we were initially drawn to the proposed implementation of the “loan mix index” as a factor for calculating deposit insurance assessment rates. As we have previously discussed, construction lenders have recently been disadvantaged by the new HVCRE rules under the Basel III capital standards. Once again, construction loans are the focus of regulatory scorn.
Litigators often talk to clients about the power of judges and juries. The first Decision of Director issued by CFPB’s Richard Cordray should give counselors and clients alike pause. Pause first because of the ultimate outcome ($109 million disgorgement) and interpretations of RESPA offered. And pause second (perhaps more importantly) because of the focused perspectives announced by the Director and their potential to activate others. With all due respect to the Director and the administrative appeal process, the Director clearly is taking advantage of this opportunity to make known his beliefs. Like a jury or a judge he is meting out justice the way he sees fit. What is fascinating, just like polling a jury after the verdict, is looking for the perspectives which drove the result. The Decision presents yet another glimpse of the Director who now shapes not just CFPB supervision and examination, but also may shape going forward the theories asserted by the plaintiffs’ class action bar.
Many are digesting the Decision and Order (2014-CFPB-0002, June 4, 2015). Here, I will not quote chapter and verse, nor will I analyze the overarching regulatory construct of the administrative appeals process which enabled the Decision. Those whose legal work touches financial services institutions should review the Decision themselves. It is the first. It is public. And it has impact. Each of us can draw our own conclusions. Some will see a righteous vision of justice and others may see, at best, the unintended consequences of concentrated partisan power.
Food for thought: We all may want to consider the impact the Decision could have on how financial institutions ought to assess their business operations and how such institutions may be able to justify those operations and defend themselves in court or before an administrative tribunal.
It is with great pleasure that we announce that we have launched a new blog on consumer banking compliance issues. Authored by Bryan Cave Partner, John ReVeal, the ConsumerBankingBlog provides commentary and perspective on new and proposed consumer compliance regulations, regulatory enforcement actions and trends, and the shenanigans of banking regulators. With John’s unique, unfiltered, opinions, we think you’ll find the ConsumerBankingBlog to be very different from your typical banking compliance site.
John’s goal for the ConsumerBankingBlog is to foster discussion – an open exchange of ideas between readers and John. Comments are strongly encouraged… subject to the site’s Rules for Comments, of course. (We’re still lawyers, after all.)
Many loan transactions are closed today with parties delivering to the lender or lender’s counsel an e-mail with scanned PDF copies of signed loan documents. Increasingly often, the original “wet ink” hard copy paper document never makes it to the lender. This is especially true for documents signed by parties other than the borrower, such as a landlord lien waiver. After the fog has cleared from a closing, a loan officer may call to ask if she really needs to chase down the original document or if having the PDF copy in the loan file is sufficient. Putting aside any internal bank policy requiring original documents, what the loan officer really wants to know is whether that PDF received by e-mail is enforceable against the other party in a court of law. The answer is probably yes.
Recognizing that business in today’s world is often conducted at least partially electronically, forty-seven states have adopted the Uniform Electronic Transactions Act (UETA) to facilitate electronic commerce. The three states that have not adopted the UETA, Illinois, New York, and Washington, have adopted other statutes allowing for the enforceability of electronic signatures and records. The UETA acts as an overlay statute to clarify requirements for originals or signed writings in other laws. UETA gives electronic records such as scanned PDFs of signed documents the same legal effect as paper records. For example, Section 7 of the UETA provides that an electronic record will satisfy another law’s requirement that a record be in writing. With respect to evidentiary rules, Section 13 of the UETA states that a record may not be excluded from evidence solely because it is in electronic form.
For the UETA to apply to a transaction, the parties to that transaction must agree to conduct business electronically. The good news is that this requirement can be satisfied informally and can be inferred from the parties’ conduct. Going back to the landlord waiver scenario, the parties agreed to conduct business electronically when the landlord e-mailed a PDF of the signed waiver to the lender and the lender accepted that PDF for closing. Despite the ability to infer an agreement to apply the UETA, it is good practice to include language in loan documents providing that delivery by PDF is the same as delivery of a paper original or otherwise opting in to UETA.
In a recent press release, the CFPB announced a public inquiry into student loan servicing. The CFPB is seeking information about: “industry practices that create repayment challenges, hurdles for distressed borrowers and economic incentives that may affect the quality of service.” According to the CFPB, student loans account for the nation’s second largest consumer debt market. The agency states there are more than 40 million federal and private student loan borrowers and those consumers owe more than $1.2 trillion. About $240 billion in such loans are either in default or forbearance.
The CFPB is acting because of numerous borrower complaints about their loan servicers. Complaints include billing problems associated with payment posting, prepayments and partial payments. Borrowers have stated that payments have been processed in ways that make their borrowing more expensive. Servicers are also accused of losing records and of slow response times in fixing errors. The CFPB thinks student loan servicers fail to provide adequate customer service because they are typically paid a flat fee for each loan so they have no incentive to maintain high standards of serving.
Unlike credit card and mortgage servicers, no comprehensive system for overseeing the student loan servicing industry currently exists, according to the CFPB. Given the CFPB’s penchant for promulgating more and more regulations, we believe this heightened scrutiny by the CFPB will lead to numerous new regulations affecting the student loan servicing industry.
FDIC bank examinations generally include a focus on the information technology (“IT”) systems of banks with a particular focus on information security. The federal banking agencies issued implementing Interagency Guidelines Establishing Information Security Standards (Interagency Guidelines) in 2001. In 2005, the FDIC developed the Information Technology—Risk Management Program (IT-RMP), based largely on the Interagency Guidelines, as a risk-based approach for conducting IT examinations at FDIC-supervised banks. The FDIC also uses work programs developed by the Federal Financial Institutions Examination Council (FFIEC) to conduct IT examinations of third-party service providers (“TSPs”).
The FDIC Office of the Inspector General recently issued a report evaluating the FDIC’s capabilities regarding its approach to evaluating bank risk to cyberattacks. The FDIC’s supervisory approach to cyberattack risks involves conducting IT examinations at FDIC-supervised banks and their TSPs; staffing IT examinations with sufficient, technically qualified staff; sharing information about incidents and cyber risks with regulators and authorities; and providing guidance to institutions. The OIG report determined that the FDIC examination work focuses on security controls at a broad program level that, if operating effectively, help institutions protect against and respond to cyberattacks. The program-level controls include risk assessment, information security, audit, business continuity, and vendor management. The OIG noted, however, that the work programs do not explicitly address cyberattack risk.
For a number of community banks, the management and ownership of the institution are truly a family affair. For banks that are primarily controlled by a single investor or family, these concentrated ownership structures can also bring about significant bank regulatory issues upon a transfer of shares to the next generation.
Unfortunately, these regulatory issues do not just apply to families or individuals that own more than 50 percent of a financial institution or its parent holding company. Due to certain presumptions under the Bank Holding Company Act and the Change in Bank Control Act, estate plans relating to the ownership of as little as 5 percent of the voting stock of a financial institution may be subject to regulatory scrutiny under certain circumstances. Under these statutes, “control” of a financial institution is deemed to occur if an individual or family group owns or votes 25 percent or more of the institution’s outstanding shares. These statutes also provide that a “presumption of control” may arise from the ownership of as little as 5 percent to 10 percent of the outstanding shares of a financial institution, which could also give rise to regulatory filings and approvals.
Upon a transfer of shares, regulators can require a number of actions, depending on the facts and circumstances surrounding the transfer. For transfers between individuals, regulatory notice of the change in ownership is typically required, and, depending on the size of the ownership position, the regulators may also conduct a thorough background check and vetting process for those receiving shares. In circumstances where trusts or other entities are used, regulators will consider whether the entities will be considered bank holding companies, which can involve a review of related entities that also own the institution’s stock. For some family-owned institutions, not considering these regulatory matters as part of the estate plan has forced survivors to pursue a rapid sale of a portion of their controlling interest or the bank as a whole following the death of a significant shareholder.