If you look back at all of the regulations, guidance and enforcement actions over the past year, you will notice a very distinct trend. That is, more and more banks are being held responsible for the acts of others. For the acts of their customers. For the acts of their service providers. For the acts of completely unrelated third-parties with whom banks choose to do business. Indeed, in this regulatory environment, the consequences of not minding everyone else’s business can be devastating! Here are just a few examples:
Example – You had Better Mind the Business of your Customers. In September of last year, the FDIC released a Financial Institution Letter (“FIL”) entitled, “FDIC Supervisory Approach to Payment Processing Relationships with Merchant Customers That Engage in Higher-Risk Activities.” In that release, the FDIC emphasized that financial institutions providing payment processing services directly or indirectly for merchant customers engaged in higher-risk activities are expected to perform proper risk assessments, conduct due diligence to determine merchant customers are operating in accordance with applicable law, and maintain systems to monitor relationships over time. The FIL stated that institutions could be exposed to financial or legal risk should the legality of their customers’ activities be challenged. And this has proven to be true in prior enforcement actions. One glaring example is the Department of Justice’s civil action against the First Bank of Delaware. There, the First Bank of Delaware was subjected to concurrent $15 million penalties by the FDIC and FinCEN, along with a $15 million settlement with the Department of Justice. All because the bank was processing purportedly fraudulent payments on behalf of its banking customers and, in continuing to process those payments and collect its fees, the bank allegedly did not perform the types of diligence, risk management and other activities required under the Bank Secrecy Act and recommended by applicable regulatory guidance (such as in the above-referenced Financial Institution Letter).
Example – You had Belter Mind the Business of your Service Providers. Last year, the Federal Reserve and the OCC both issued guidance on managing outsourcing risks. In both issuances, the regulators emphasized that banks will be responsible for ensuring that all activities conducted by service providers comply with applicable laws and regulations and are consistent with safe and sound banking practices. Similar to the above-described FDIC guidance regarding payment processors, the Fed and OCC guidance clarified that banks will be expected to implement service provider risk management programs that address risk assessments, due diligence, standards for contract provisions and ongoing monitoring. Here again, there is ample evidence of regulatory willingness to enforce the principples of the guidance. The CFPB, as just one example, has ordered multiple financial institutions to pay millions in aggregate restitution and civil monetary penalties to settle charges that third party vendors used “deceptive practices” to pressure or mislead consumers into paying for ancillary products to the banks’ credit cards.
Example – You had Better Mind the Business of your Business Partners. In March of last year, the CFPB issued a Bulletin on Indirect Auto Lending. In that Bulletin, the CFPB made it clear that banks will be held responsible for fair lending violations by third-party auto dealers from whom the banks purchase auto loans. In particular, banks will be responsible for pricing disparity as a result of dealer discretion in marking-up the rate offered to auto purchasers in connection with auto loans. The Bulletin makes it clear that banks will be expected to control dealer mark-up policies, monitor and address the effects of dealer mark-up policies and, in general, to ensure that third-party dealers comply with the Equal Credit Opportunity Act. In December, the CFPB was true to these threats when it and the Department of Justice ordered Ally Bank to pay $80 million in damages to borrowers whose auto loans Ally Bank had purchased. Importantly, the enforcement action was not based upon Ally Bank’s own discriminatory acts, but instead, upon alleged discrimination by the third-party dealers from whom Ally Bank purchased loans.
The Message and the Take-Away. The obvious message from the above-described regulatory actions (and many more like them) is that banks can no longer simply mind their own business and expect to avoid criticism. Banks must now take an active role in the business of others—monitoring the activities of customers, service providers and business partners to ensure that those parties also follow the law, and further, that they do not operate in a manner that might harm an unwary consumer. Unfortunately, compliance in this area is likely to be viewed in hindsight. That is, if it is subsequently determined that your customer, vendor or business partner violated the law and you didn’t catch it, your controls are likely to be deemed lacking and so you may be held responsible. It’s a standard that guarantees safety to none. Still, the take-away is that those who follow the guidance and implement proper diligence and controls will be on firmer ground than those who do not. Risk assessment, due diligence and careful monitoring will be the themes for 2014. It’s time to start poking your nose into everyone’s business . . . or else!