Compliance - Part 2 Flashcards

(294 cards)

1
Q

What is the background of Overdraft Payment Programs? [V - 14.1]

A

Overdraft Payment Programs
Introduction
Prior to the 1990s, overdraft programs were not common
among financial institutions. Since that time, however,
institutions have added and/or expanded the types of overdraft
payment programs provided to customers. Some of these
programs impose substantial fees and interest and rely on
third-party vendors to develop systems to maximize the
amount of fee income generated. Customer complaints have
increased, along with reported legal and enforcement actions.
In many cases, fees are repeatedly charged and are often
disproportionate to the amount originally intended to be
funded. Some institutions manipulate their transaction
processing order to maximize fee income. Customers have
complained that they were not made aware of the existence or
potential negative consequences of, or alternatives to, various
types of overdraft coverage. Some customers’ financial
difficulties have been exacerbated by institutions’ overdraft
payment practices and programs, even though the institutions
maintain alternative programs more suitable for those
customers. These circumstances can have an adverse impact
on bank customers and present a potential risk of consumer
harm.

2
Q

What guidance has the FDIC issued related to Overdraft Payment Programs and Third Parties? [V - 14.1]

A

In an effort to assist FDIC-supervised institutions in
identifying, managing, and mitigating risks regarding
overdraft payment programs, the FDIC issued its November
24, 2010, Overdraft Payment Supervisory Guidance (“2010
Supervisory Guidance”) (FIL-81-2010). The 2010
Supervisory Guidance, which particularly focuses on the risks
associated with excessive or chronic use of automated
overdraft programs, is intended to serve as a comprehensive,
up-to-date source of information about concerns and risks, as
well as a summary of existing guidance and recent regulatory
developments. In addition, the 2010 Supervisory Guidance
encourages FDIC-supervised institutions to promote
responsible use of overdraft payment programs through a
series of specifically recommended actions institutions can
take to help minimize the potential for consumer harm and
regulatory or other risks. These overdraft payment program
examination procedures:
* Incorporate recent changes to applicable laws and
regulations;
* Integrate the supervisory expectations stated in the 2010
Supervisory Guidance; and
* Reaffirm principles contained in the 2005 Interagency
Joint Guidance on Overdraft Protection Programs (“Joint
Guidance”) (FIL-11-2005) and the 2008 Guidance for Managing Third-Party Risk (“Third-Party Guidance”) 1
(FIL-44-2008).
The 2010 Supervisory Guidance reaffirms existing laws,
regulations, and guidance and addresses concerns regarding
the risks posed by automated programs and excessive use. The
specific supervisory expectations set out in the 2010
Supervisory Guidance with respect to excessive or chronic
users of automated overdraft programs do not apply to ad hoc
overdraft practices. In April 2011, the FDIC published a set
of Frequently Asked Questions to clarify the 2010 guidance
and to respond to questions received from supervised
institutions and third-party vendors.2
The Joint Guidance,3 Third-Party Guidance, and range of
applicable laws and regulations potentially apply to any
method of covering overdrafts, including automated programs,
linked accounts and lines of credit.

1 See Third-Party Risk Compliance Examination Procedures issued June 1,
2010.
2 On April 1, 2011, FDIC staff published a set of Frequently Asked Questions
and answers in response to questions received from supervised institutions
and third-party vendors about the 2010 Supervisory Guidance, available at
https://www.fdic.gov/news/conferences/overdraft/FAQ.pdf
3 Compliance examiners should pay particular attention to the “Best
Practices” in the Joint Guidance, which cover both Marketing and
Communications with Consumers and Program Features and Operation.

3
Q

What are the appropriate chapters in the Compliance Examination Manual that compliance examiners should reference that govern laws and regulations applicable to overdraft payment programs? [V - 14.1]

A

Examination Approach and Applicable Laws and
Regulations
The FDIC’s risk-scoping examination approach requires
compliance examiners to focus their attention to operational
areas that present the greatest potential risk of consumer harm,
as appropriate, including consideration of overdraft programs.
Examiners should continue to reference appropriate chapters
in the Compliance Examination Manual governing laws and
regulations applicable to overdraft payment programs. The
scope of potentially applicable statutes and regulations that
may apply to overdraft payment programs includes:
* The Truth in Lending Act (TILA) and Regulation Z;
* The Truth in Savings Act (TISA) and Regulation DD;
* The Electronic Fund Transfer Act (EFTA) and Regulation
E;
* Section 5 of the Federal Trade Commission Act (FTC Act)
governing Unfair or Deceptive Acts or Practices
(UDAPs);
* The Equal Credit Opportunity Act (ECOA) and
Regulation B;
* The Expedited Funds Availability Act and Regulation CC;
and
* The Community Reinvestment Act (CRA).

Compliance examiners should apply the Overdraft Payment
Program Compliance Examination Procedures and relevant
laws and regulations, and refer to the 2010 Supervisory
Guidance, the Joint Guidance, and the Third-Party Guidance,
as appropriate, to verify that institutions are adhering to
applicable laws and regulations, and implementing appropriate
policies, procedures, compliance management systems, and
risk mitigation strategies.

4
Q

What are the Reg E requirements and changes related to Overdrafts? [V - 14.1]

A

Regulation E Changes
Changes to laws and regulations place additional requirements
on institutions’ overdraft payment programs. Under
Regulation E rules that took effect July 1, 2010, institutions
must provide notice and a reasonable opportunity for
customers to opt-in to the payment of automated teller
machine (ATM) and one-time, point-of-sale (POS) overdrafts
provided in exchange for a fee. Institutions must also inform
the customer if alternatives are available.4 In complying with
these requirements, institutions should not attempt to steer
frequent users of fee-based overdraft products to opt-in to
these programs while obscuring the availability of alternatives.
Targeting customers who may be least able to afford such
products can raise safety-and-soundness concerns about
potentially unsustainable customer debt. Overly aggressive
marketing, advertising, and other promotional activities
require particular vigilance to ensure that they are not unfair or
deceptive. Steering activity with respect to credit products
raises potential legal issues, including fair lending, equal credit
opportunity, and concerns about UDAPs, among others, and
will be closely scrutinized. In addition, inconsistent
application of waivers of overdraft fees will be evaluated in
light of all applicable fair lending statutes and regulations.

4 See Regulation E (Electronic Fund Transfer Act) Examination Procedures.
In addition, as of January 1, 2010, Regulation DD (Truth in Savings)
requires institutions to disclose on periodic statements the aggregate dollar
amounts charged for overdraft fees and for returned item fees, for the
statement period and the year-to-date. It also requires institutions that
provide account balance information through an automated system to
provide a balance that does not include additional funds that may be made
available to cover overdrafts. See Regulation DD Examination Procedures.

5
Q

What are the Reg E requirements related to Overdrafts? [V - 14.1]

A

Unfair or Deceptive Acts or Practices
Section 5 of the FTC Act prohibits UDAPs in or affecting
commerce.5 The FDIC enforces compliance with this
important consumer protection law regarding FDIC-supervised
institutions pursuant to its authority in the FTC Act and
Section 8 of the Federal Deposit Insurance Act. 6 The
prohibition against UDAPs applies to all products and services
offered by financial institutions, including overdraft services,
and regardless of whether such services are offered directly or indirectly through a third party. Moreover, the prohibition
applies to every stage and activity: from product development
to the creation and rollout of the marketing campaign; from
account maintenance and collections all the way through
termination of the customer relationship.7

5 15 U.S.C. § 45(a).
6 See 12 U.S.C. § 1818(b).
7 See Unfair or Deceptive Acts or Practices Compliance Examination
Procedures.

6
Q

What are the CRA considerations related to Overdraft Payment Programs? [V - 14.1]

A

Community Reinvestment Act
Institutions will continue to receive favorable CRA
consideration under the service or lending tests (consistent
with CRA regulations and FIL-50-2007 providing details on
small dollar loans8), for offering financial education and
positive alternatives to overdrafts that are responsive to the
needs of customers, particularly low- and moderate-income
individuals, in their local communities. Examples include
lower-cost transaction accounts and credit alternatives, such as
a linked savings account, a small, reasonably priced line of
credit consistent with safe and sound banking practices, or a
safe and affordable small dollar loan.

8 See also Interagency Questions and Answers Regarding Community
Reinvestment, 75 Fed. Reg. 11642 (Mar. 11, 2010), available at
http://www.ffiec.gov.

7
Q

What are the Third-Party Arrangement implications of Overdraft Payment Programs? [V - 14.1]

A

Third-Party Arrangements
With the growth of third-party arrangements for overdraft
payment programs, Compliance examiners should ensure that
financial institutions are managing these relationships in
accordance with the principles outlined in the Third-Party
Guidance.9 In addition to general third-party oversight
considerations, these third-party overdraft payment programs
may raise concerns that differ from potential issues related to
in-house programs. For example, some vendors have tended to
promote programs that encourage generation of fee income by
linking the amount or volume of overdraft fees charged to the
percentage of incentive compensation paid to the vendor.10
This practice is generally inconsistent with promoting the
responsible use of these programs.
Where vendor compensation is tied to a percentage of income
or fees generated by the product sold, Compliance examiners
should evaluate whether the third-party relationship raises the
potential for compliance, operational, financial, and
reputational risks to the financial institution. For example,
where a third-party arrangement provides that the vendor will
take a reduced percentage of compensation if the financial
institution implements a transaction processing order of
largest-to-smallest, this arrangement may rise to the level of a
UDAP violation if the institution, at the vendor’s
encouragement, is manipulating the transaction processing order solely to generate fees and increase both the institution’s
fee income and the vendor’s compensation. Customers may be
harmed if this practice is designed exclusively to increase the
amount of overdraft fees assessed without any corresponding
and meaningful benefit to the consumer.

9 See footnote 2.
10 See FDIC Study of Bank Overdraft Programs (November 2008) at p. 50
(Section VII), available at https://www.fdic.gov/bank/analytical/overdraft.

8
Q

What is covered under the 2010 Supervisory Guidance (Overdraft Payment Supervisory Guidance)? [V - 14.1]

A

The 2010 Supervisory Guidance
The FDIC expects that supervised institutions will review their
current automated overdraft payment programs, policies and
procedures in light of the 2010 Supervisory Guidance. For
example, as a threshold matter, Compliance examiners should
determine if the institution has reviewed its existing program
and determined whether the institution is going to:
* Give customers the opportunity to affirmatively choose
the credit product most suitable for their financial needs,
including overdraft payment products;
* Ensure that customers understand overdraft payment
programs and alternative product choices;
* Appropriately monitor accounts and take meaningful and
effective action to reach customers frequently using
automated overdraft programs to inform them of lower-cost alternatives;
* Structure transaction clearing practices in a neutral manner
not intended to maximize overdraft-related fees charged to
customers; and
* Establish appropriate daily limits on fees.

9
Q

What steps should examiners take to Identify the Types of Overdraft Payment Programs Offered? [V - 14.1]

A

Identification of Types of Overdraft Payment Programs
Offered
Compliance examiners should first identify overdraft payment
practices, programs and products offered and used by the
financial institution at each examination, and consider the
applicability of existing laws, regulations and guidance, as
appropriate. In particular, examiners will need to determine
whether overdraft payment decisions and programs are
automated or not.

Automated overdraft payment programs typically rely on
computerized decision-making and use pre-established criteria
to pay or return specific items. There is little to no case-by-case review and decision-making with respect to an individual
customer or item. By contrast, ad hoc programs typically
involve the exercise of bank employee judgment in making a
specific decision about whether to pay or return an item, as an
accommodation and based on the employee’s knowledge of a
particular customer. See Management and Policy-Related
Examination Procedures of this section for further explanation
of automated and ad hoc programs.

Automated overdraft payment programs are the focus of the
2010 Supervisory Guidance. Ad hoc overdraft payments have
been authorized by banks for years as an accommodation based on specific considerations and knowledge of a particular
customer, and they have generally not been the subject of the
type of product over-use concerns that can be associated with
automated overdraft programs. Consequently, the specific
supervisory expectations set out in the Guidance regarding
customer contact for excessive or chronic users do not
apply to ad hoc overdraft practices. Compliance examiners
should not focus on ad hoc overdraft payments or practices
when evaluating appropriate risk mitigation efforts in
connection with the 2010 Supervisory Guidance; however, if
significant safety and soundness or compliance risks regarding
ad hoc programs and practices are identified, an examiner may
consider an expanded review (See Expanded Review for Ad
Hoc Programs or Practices).

Examiners should focus on identifying and mitigating the
significant risks posed by automated overdraft programs,
including taking a risk-based approach in scoping
examinations to verify that institutions’ automated overdraft
payment programs comply with applicable laws and
regulations, and that such programs are not operating in a
manner that is inconsistent with expectations set out in the
2010 Supervisory Guidance, the Joint Guidance and the Third-Party Guidance. In examining for appropriate application of
the 2010 Supervisory Guidance, reviews of management
activities, policies and procedures, and transaction testing,
including document requests, should focus on automated
overdraft programs.

10
Q

What Supervisory Action should examiners take to Mitigate Risks related to Overdraft Payment Programs? [V - 14.1]

A

Supervisory Action to Mitigate Risks
Overdraft payment programs that are found to pose
unacceptable safety and soundness or compliance risks will be
factored into examination ratings, and corrective action will be
taken where necessary. Violations should be cited on the
appropriate Violation pages of the Report of Examination
(ROE). Other concerns regarding practices that are
inconsistent with the 2010 Supervisory Guidance, the Joint
Guidance, and/or the Third-Party Guidance should be
discussed in the Examiner’s Comments and Conclusions page
of the ROE. Additionally, Compliance examiners should make
appropriate recommendations to bank management on the
Matters Requiring Board Attention page in the ROE, when
applicable. These violations and concerns should be taken into
consideration when assessing the institution’s Compliance
Management System (CMS) and determining the overall
Compliance Rating.

Appropriate corrective action will be pursued where overdraft
payment practices or programs pose unacceptable safety and
soundness or compliance management system risks, or result
in violations of laws or regulations, including UDAPs.
Depending on the circumstances, corrective action may
include ratings downgrades, informal agreements, enforcement
orders, customer restitution, and/or civil money penalties.

Regional Offices should ensure that appropriate post-examination tracking covers instances where the ROE
identifies:
* Inconsistencies with the 2010 Supervisory Guidance, the
Joint Guidance and the Third-Party Guidance given an
institution’s overall CMS and risk mitigation approach,
and
* Other overdraft-related violations and concerns, to ensure
that timely and appropriate corrective action is taken by
bank management.
In addition, at the conclusion of each compliance examination,
examiners are required to complete the overdraft payment
program related questions in the Credit and Consumer
Product/Services Survey. Finally, Compliance examiners
should consult with Risk Management examiners, as
appropriate, where safety and soundness concerns are
identified.

11
Q

What is the purpose of the EFAA? [VI - 1.1]

A

Expedited Funds Availability Act
Introduction
1. Expedited Funds Availability Act (EFA Act)
2. Check Clearing for the 21st Century
Act (Check 21)
*EFAA “implements both Acts; doesn’t this mean EFAA includes two Acts, but the Reg implements?

Regulation CC (12 CFR 229), as amended, implements two
laws—the Expedited Funds Availability Act (EFA Act), which
was enacted in August 1987 and became effective in
September 1988, and the Check Clearing for the 21st Century
Act (Check 21), which was enacted in October 2003 and
became effective on October 28, 2004. The regulation sets
forth the requirements that depositary institutions (“banks”)
make funds deposited into transaction accounts available
according to specified time schedules and that they disclose
their funds availability policies to their customers. It also
establishes rules designed to speed the collection and return of
checks and electronic checks and describes requirements that
affect banks that create or receive substitute checks, including
requirements related to consumer disclosures and expedited
recredit procedures.

12
Q

What are the Subparts and Appendices to the EFAA? [VI - 1.1]

A

Regulation CC contains four subparts. The first three
implement the EFA Act, and the fourth implements Check 21.
Specifically:
* Subpart A—Defines terms and provides for
administrative enforcement
* Subpart B—Specifies availability schedules, or
timeframes within which banks must make funds
available for withdrawal; also includes rules
concerning exceptions to the schedules, disclosure
of funds availability policies, payment of interest,
and bank liability for noncompliance
* Subpart C—Sets forth rules concerning the
expeditious return of checks and electronic checks,
the responsibilities of paying and returning banks,
notice of nonpayment for large-dollar returns by the
paying bank, check and electronic check-indorsement standards, and other related changes to
the check-collection system
* Subpart D—Contains provisions concerning the
requirements a substitute check must meet to be the
legal equivalent of an original check; bank duties,
warranties, and indemnities associated with
substitute checks; expedited recredit procedures for
consumers and banks; and consumer disclosures
regarding substitute checks

The appendixes to the regulation provide additional
information:
* Appendix A—Routing number guide
* Appendix B - Reserved
* Appendix C—Model forms and clauses that banks
may use to meet their disclosure responsibilities
under the regulation
* Appendix D – Indorsement, reconversion, and
truncation requirements in connection with
substitute checks
* Appendix E – Commentary
* Appendix F – Official Federal Reserve Board
(“Board”) Interpretations; Preemption
Determinations

13
Q

What is the definition of an Account under Subpart A of the EFAA? [VI - 1.1]

A

Account
For purposes of Subparts B & C:
-Deposit/transaction
-Consumer/corporate
-Does NOT include accounts of banks

For purposes of Subpart D:
-Any deposit at a bank, including a demand deposit or other
transaction account and a *savings deposit or other time
deposit.

For purposes of subparts B and C, an account is a ‘‘deposit’’
(as defined in the Board’s Regulation D, in 12 CFR
204.2(a)(1)(i)) that is a ‘‘transaction account’’ (as defined in
12 CFR 204.2(e)). ‘‘Account’’ encompasses consumer and
corporate accounts and includes accounts from which the
account holder is permitted to make transfers or withdrawals
by any of the following:
* Negotiable instrument
* Payment order of withdrawal
* Telephone transfer
* Electronic payment
For purposes of subpart B, ‘‘account’’ does not include
accounts for which the account holder is a bank, an
office of a bank or foreign bank that is located outside
the United States, or the Treasury of the United States.
For purposes of subpart D, ‘‘account’’ means any
deposit at a bank, including a demand deposit or other
transaction account and a savings deposit or other time
deposit. Many deposits that are not accounts for
purposes of the other subparts of Regulation CC, such as
savings deposits, are accounts for purposes of subpart D.

14
Q

What is the definition of a Bank under Subpart A of the EFAA? [VI - 1.1]

A

Bank
The term bank refers to Federal Deposit Insurance
Corporation insured banks, mutual savings banks, savings
banks, and savings associations; federally insured credit
unions; non-federally insured banks, credit unions, and thrift
institutions; agencies and branches of foreign banks; and
Federal Home Loan Bank (FHLB) members.
For purposes of subparts C and D, ‘‘bank’’ also includes any
person engaged in the business of banking, Federal Reserve
Banks, FHLBs, and state and local governments to the extent
that the government unit pays checks.
For purposes of subpart D only, ‘‘bank’’ also refers to the
U.S. Treasury and the USPS to the extent that they act as
payors.
* The term paying bank applies to any bank at which
or through which a check is payable and to which it
is sent for payment or collection. For purposes of
subpart D, ‘‘paying bank’’ also includes the U.S.
Treasury and the USPS. The term also includes
Federal Reserve Banks, FHLBs, state and local
governments, and, if the check is not payable by a
bank, the bank through which a check is payable.
* A reconverting bank is the bank that creates a
substitute check or is the first bank to transfer or
present a substitute check to another party.

15
Q

What is the definition of a Check under Subpart A of the EFAA? [VI - 1.1]

A

Check
The term check includes both original checks and substitute
checks.1
* An original check is the first paper check issued
with respect to a particular payment transaction.
* A substitute check is a paper reproduction of an
original check that
– Contains an image of the front and back of the
original check,
– Bears a MICR line containing all of the
information encoded on the original check’s MICR
line, except as provided in the industry standard
for substitute checks, 2
– Conforms in dimension, paper stock, and
otherwise with industry standards for substitute
checks, and
– Is suitable for automated processing in the same
manner as the original check.
A substitute check for which a bank has provided the
warranties described in section 229.52 is the legal equivalent
of an original check if the substitute check accurately
represents all of the information on the front and back of the
original check and bears the legend ‘‘This is a legal copy of
your check. You can use it the same way you would use the
original check.’’
* A copy of an original check is any paper
reproduction of an original check, including a paper
printout of an electronic image, a photocopy, or a
substitute check. A sufficient copy is a copy of an
original check that accurately represents all of the
information on the front and back of the check at
the time of truncation or is otherwise sufficient to
establish the validity of a claim.
* Truncate means to remove an original check from
the forward collection or return process and replace
it with a substitute check or, by agreement,
information relating to the original check. The
truncating bank may or may not choose to provide
subsequent delivery of the original check.
* A local check is a check deposited in a depositary
bank that is located in the same Federal Reserve
Bank check-processing region as the paying bank. 3

1 The term ‘‘check’’ does not include checks drawn in a foreign
currency or checks drawn on a bank located outside the United States.
2 ‘‘MICR (magnetic ink character recognition) line’’ refers to the
numbers—including routing number, account number, check number,
and check amount, and other information—that are printed across the
bottom of a check in magnetic ink in accordance with American
National Standard (ANS) Specifications for Placement and Location of
MICR Printing, X9.13 for an original check and an Image Replacement
Document-IRD, X9.100-140, for a substitute check. ANS X9.100-140
specifies ways in which the content of a substitute check’s MICR line
may vary from the content of the original check’s MICR line. ANS
X9.100-140 also specifies circumstances in which a substitute check
MICR line need not be printed in magnetic ink. For purposes of
subpart C and D, MICR line also refers to the numbers contained in a
record specified for MICR line data in an electronic check or
electronic returned check in accordance with ANS Specifications for
Electronic Exchange of Check Image Data – Domestic, X9.100-87.
3 The regulation currently continues to reference non-local checks. See,
e.g. 12 CFR 229.2(r). However, in February 2010, the Federal
Reserve consolidated all of its check processing operations into a
single paper check-processing region. Accordingly, there are no
longer nonlocal checks.

16
Q

What are the definitions of an Electronic Check, Electronic Returned Check, and
Electronically-Created Item under Subpart A of the EFAA? [VI - 1.1]

A

Electronic Check, Electronic Returned Check, and
Electronically-Created Item

An electronic check and electronic returned check mean an
electronic image of, and electronic information derived from, a
paper check or paper returned check, respectively, that—

(1) Is sent to a receiving bank pursuant to an agreement
between the sender and the receiving bank; and
(2) Conforms with ANS X9.100-187, unless the Board
by rule or order determines that a different standard
applies or the parties otherwise agree.

Electronic checks and electronic returned checks are subject to
subpart C of Regulation CC as if they were checks or returned
checks, except where provided in subpart C.

An electronically-created item means an electronic image that
has all the attributes of an electronic check or electronic
returned check, but was created electronically and not derived
from a paper check.

17
Q

What are the definitions of Consumers and Customers under Subpart A of the EFAA? [VI - 1.1]

A

Consumers and Customers
* A consumer is a natural person who draws a check
on a consumer account or cashes or deposits a
returned check against a consumer account.
* A consumer account is an account used primarily for
personal, family, or household purposes.
* A customer is a person who has an account with a
bank.

18
Q

What are the definitions of Banking and Business Days under Subpart A of the EFAA? [VI - 1.1]

A

Business and Banking Days
* A business day is any day except Saturday, Sunday,
and a legal holiday (standard Federal Reserve
holiday schedule).
* A banking day is a business day on which a bank is
open for substantially all its banking activities.
Even though a bank may be open for regular business on
a Saturday, that day is not considered a banking day for
purposes of Regulation CC because Saturday is never a
‘‘business day’’ under the regulation. The fact that one
branch is open to the public for substantially all its
banking activities does not necessarily mean that
specific day is a banking day for the other branches of
the bank.

19
Q

What is the definition of an Indemnifying Bank under Subpart A of the EFAA? [VI - 1.1]

A

Indemnifying Bank
Indemnifying bank means –
* For the purposes of §229.34, a bank that provides an
indemnity under §229.34 with respect to remote
deposit capture or an electronically-created item, or
* For the purposes of §229.53, a bank that provides an
indemnity under §229.53 with respect to a substitute
check.

20
Q

What are the Administrative Enforcement – §229.3 provisions under Subpart A of the EFAA? [VI - 1.1]

A

Administrative Enforcement – §229.3
Regulation CC is to be enforced for banks through section 8 of
the Federal Deposit Insurance Act (12 USC 1818 et seq.) and
through the Federal Credit Union Act (12 USC 1751 et seq.).
In addition, a supervisory agency may enforce compliance
through any other authority conferred on it by law. The Board
is responsible for enforcing the requirements of Regulation CC
for banks that are not specifically the responsibility of another
government agency.

21
Q

What are the General Rules under Subpart B – Availability of Funds and Disclosure of Funds Availability Policies? [VI - 1.1]

A

General Rules (§§ 229.10(a)–229.10(c))
Cash, electronic payments, and certain check deposits must
generally be made available for withdrawal the business day
after the banking day on which they were received. Among the
covered check deposits are cashier’s, certified, and teller’s
checks; government checks (including U.S. Treasury checks,
USPS money orders, state and local government checks, and
checks drawn on a Federal Reserve Bank or an FHLB); and
certain on-us checks (checks drawn on the same bank, or a
branch thereof).

Generally, to qualify for next-day availability, the deposit
must be both
* Made at a staffed teller station and
* Deposited into an account held by the payee of the
check.

*Exceptions are U.S. Treasury checks and on-us checks, which
must receive next-day availability even if the deposit is not
made at a staffed teller station.

**Cash and other next-day check
deposits (such as Postal Service money orders, cashier’s
checks, certified checks, checks drawn on a state or local
government, and checks drawn on a Federal Reserve Bank or a
FHLB) that are not made at a staffed teller station must be
available for withdrawal on the second business day after the
day of deposit. (§§ 229.10(a)(2) and 229.10(c)(2))

22
Q

What are the Additional Rules under Subpart B – Availability of Funds and Disclosure of Funds Availability Policies - Next Day Availability? [VI - 1.1]

A

Additional Rules
A few additional rules also apply:
* State and local government checks—For state and
local government checks to receive next-day
availability, the depositary bank must be located in
the same state as the governmental unit issuing the
check. (§ 229.10(c)(1)(iv))
* Special deposit slips or envelopes—For deposits of
state and local government checks, as well as
deposits of cashier’s, certified, and teller’s checks,
the depositary bank may require the use of special
deposit slips or envelopes. If the depositary bank
requires the use of special deposit slips or envelopes,
it must either provide the slips or tell customers how
they can be obtained. (§ 229.10(c)(3))
* On-us checks—For an on-us check to receive next-day availability, it must be drawn on the same branch
or another branch of the bank where it is deposited.
In addition, both branches must be located in the
same state or check-processing region. (§
229.10(c)(1)(vi))
* $225 rule—Under a special rule for check deposits
not subject to next-day availability, the depositary
bank must provide next-day availability for
withdrawal of the lesser of $200 or the aggregate
amount deposited to all accounts, including individual and joint accounts, held by the same
customer on any one banking day. The $200 rule
does not apply to deposits received at nonproprietary
automated teller machines (ATMs).
(§ 229.10(c)(1)(vii) and 12 U.S.C. 4002(a)(2)(D)) 4

4 Although the current Regulation CC uses $100, the Dodd-Frank Wall
Street Reform and Consumer Protection Act (Pub. L. 111-203)
amended the EFA Act from $100 to $200.

23
Q

What are the Additional Rules under Subpart B – Availability of Funds and Disclosure of Funds Availability Policies - Availability Schedule – §229.12? [VI - 1.1]

A

Availability Schedule – §229.12

General Rules (§§ 229.12(a)–229.12(c) and 229.12(f))
Under the permanent availability schedule, which became
effective in September 1990, local check deposits must be
made available no later than the second business day
following the day on which the funds were deposited (See
Figure 1). Funds deposited at nonproprietary ATMs,
including cash and all checks, must be made available no
later than the fifth business day following the banking day on
which they were deposited.

Checks that would normally receive next-day availability are
treated as local check deposits if they do not meet all the
criteria for next-day availability under section 229.10(c). (As
noted in the preceding section, certain checks generally
deposited at a staffed teller station and into an account held
by the payee of the check receive next-day availability.
However, state and local government checks and certain on-us checks are subject to additional rules.)

U.S. Treasury checks and USPS money orders that do not
meet all the requirements for next-day or second-day
availability outlined in section 229.10(c) receive funds
availability as if they were local checks. Cashier’s, certified,
teller’s, and state and local government checks and checks
drawn on a Federal Reserve Bank or FHLB that do not meet
all the requirements in section 229.10(c) also receive funds
availability as local checks.

24
Q

What are the Special Rules for Cash Withdrawals (§ 229.12(d))? [VI - 1.1]

A

Special Rules for Cash Withdrawals (§ 229.12(d))
Special rules apply to cash withdrawals from local check
deposits. The depositary bank is allowed to extend the
availability schedule for cash or similar withdrawals by one
day. If it does, a customer must also be allowed to withdraw
$400 of the deposited funds (or the maximum amount that
may be withdrawn from an ATM, but not more than $400) no
later than 5:00 p.m. on the day the funds would have ordinarily
become available for check withdrawals, that is, the second
business day after the deposit. This is in addition to the $200
that must be made available on the business day following
deposit. The remainder of the deposited funds would be
available for cash withdrawal on the following, third business
day.

25
What is the Extension of the Schedule for Certain Deposits (§ 229.12(e)) [VI - 1.1]
Extension of the Schedule for Certain Deposits (§ 229.12(e)) Banks in Alaska, Hawaii, Puerto Rico, American Samoa, the Commonwealth of the Northern Mariana Islands, Guam, and the U.S. Virgin Islands that receive checks drawn on or payable through banks located in another state may extend the availability schedules for local checks by one day. The exception does not apply to checks drawn on banks in these states or territories and deposited in banks located in the continental United States.
26
What are Exceptions to the Availability Schedule—Section 229.13 [VI - 1.1]
Exceptions to the Availability Schedule—Section 229.13 The regulation provides for exceptions that allow banks to exceed the maximum hold periods specified in the availability schedule. The exceptions are considered ‘‘safeguards’’ because they offer banks a means of reducing risk based on the size of the deposit, the depositor’s past performance, the absence of a record on the depositor’s past performance, or a belief that the deposit may not be collectible.
27
What are Exceptions Categories to the Availability Schedule—Section 229.13 [VI - 1.1]
Categories of Exception (§§ 229.13(a)–229.13(f))
The regulation provides for exceptions in six situations:
(1) New accounts
(2) Deposits in excess of $5,000 on any one day
(3) Checks that have been returned unpaid and are being redeposited
(4) Deposits to accounts that have been repeatedly overdrawn
(5) Cases in which the bank has reasonable cause to believe the check being deposited is uncollectible
(6) Emergency conditions

Acronym:
Never - New Accounts
Doubt - Deposits in excess of $5,000
Chickens - Checks returned unpaid --> redeposited
Don't - Deposits to accts repeatedly overdrawn
Cook - Cases where collectability is in doubt
Everyday - Emergency conditions

Although banks may exceed the timeframes for availability in these situations, the exceptions generally may not be invoked if the deposit would ordinarily receive next-day availability.
28
What is the New Accounts Exception to the Availability Schedule [VI - 1.1]
New Accounts (§ 229.13(a)) "Never"
An account is considered a ‘‘new’’ account, under section 229.13(a), for the first 30 calendar days it is open, beginning on the date the account is established. An account is not considered ‘‘new’’ if ‘‘each customer on the account has had, within 30 calendar days before the account is established, another account at the bank for at least thirty calendar days.’’

*The new-account exception does not cover all deposits made to the account. New accounts are exempted from the availability schedules for deposits of local checks, but next-day availability is required for deposits of cash and for electronic payments. Also, the first $5,000 of a day’s aggregate deposits of government checks (including federal, state, and local governments), cashier’s, certified, teller’s, depository, or traveler’s checks must be given next-day availability. The amount in excess of $5,000 must be made available no later than the ninth business day following the day of deposit.

Local checks - exceptions
T - check: N/A - made avail. next day and regardless of whether at staffed teller or ATM
Cash/electronic - NOT exceptions
Government checks, cashier’s, certified, teller’s, depository, or traveler’s checks: First $5,000 first day
*NOT required to make the first $225 of a day’s deposits of local checks, or the funds from on-us checks, available on the next business day*

To qualify for next-day availability, deposits into a new account generally must be made in person to an employee of the depositary bank. If the deposits are not made in person to an employee of the depositary bank—for instance, if they are made at an ATM—availability may be provided on the second business day after the day of deposit (is this referring to new acct deposits that WOULD receive next day/are not exempt - i.e. cash or electronic?). Treasury check deposits, however, must be given next-day availability regardless of whether they are made at staffed teller stations or ATMs.
Banks are not required to make the first $225 of a day’s deposits of local checks, or the funds from on-us checks, available on the next business day.
29
What is the Large Deposits Exception to the Availability Schedule [VI - 1.1]
Large Deposits (Deposits over $5,000) (§ 229.13(b)) "Doubt"
A depositary bank may extend hold schedules when deposits other than cash or electronic payments exceed $5,000 on any one day. A hold may be applied to the amount in excess of $5,000. To apply the rule, the depositary bank may aggregate deposits made to multiple accounts held by the same customer, even if the customer is not the sole owner of the accounts.
*Does NOT apply to cash or electronic PMTs*
*Applied to amt in excess of $5,000 (individual deposits may be aggregated)
30
What is the Redeposited Checks Exception to the Availability Schedule [VI - 1.1]
Redeposited Checks (§ 229.13(c)) "Chickens"
A depositary bank may delay making the funds from a check available if the check had previously been deposited and returned unpaid. The exception does not apply to checks that were previously returned unpaid because of a missing indorsement or because the check was postdated when presented.
*Does not apply when checks had to be redeposited since they were missing indorsements or post-dated
31
What is the Deposits to accounts that have been repeatedly overdrawn Exception to the Availability Schedule [VI - 1.1]
Repeated Overdrafts (§ 229.13(d)) "Don't": Deposits to accounts that have been repeatedly overdrawn (repeated overdrafts)
If a customer’s account, or accounts, have been repeatedly overdrawn during the preceding six months, the bank may delay making the funds from a check available. A customer’s account may be considered repeatedly overdrawn in two ways.
(1) First, the exception may be applied if the account was overdrawn, or would have been overdrawn had check or other charges been paid, for six or more banking days during the preceding six months. *This applies to the payor?
(2) Second, the exception may be applied to customers who incurred overdrafts on two banking days within the preceding six-month period if the negative balance in the account(s) at that time was $5,000 or more. The exception may also apply if the account would have been overdrawn by $5,000 or more had the check or other charges been paid.
32
What are the Cases in which the bank has reasonable cause to believe the check being deposited is uncollectible Exception to the Availability Schedule [VI - 1.1]
Reasonable Cause to Doubt Collectability (§ 229.13(e)) "Cook"
*Applies to all checks

This exception may be applied to all types of checks. To trigger the exception, the depositary institution must have reasonable cause to believe that the check is not collectible and must disclose the basis for the extended hold to the customer. The basis for reasonable cause may include, for example, communication with the paying bank indicating that
* A stop-payment order has been placed on the check
* There are insufficient funds in the drawer’s account to cover the check
* The check will be returned unpaid

The reasonable-cause exception may also be invoked in cases in which
* The check was deposited six months after the date of the check (stale date)
* The check was postdated (future date)
* The depositary bank believes that the depositor may be engaged in check kiting
* The depositary bank has other confidential information, such as the insolvency or pending insolvency of the customer

The reasonable-cause exception may not be invoked based on the fact that the check is of a particular class or is deposited by a particular class of persons. For example, this exception may not be invoked because of:
* The race or national origin of the depositor
* The fact that the paying bank is located in a rural area and the depositary bank will not have time to learn of nonpayment of the check before the funds have to be made available under the availability schedules in place
* The fact that the check is a cashier’s check (without any additional information about the particular check that would provide reasonable cause to doubt collectability)

If the depositary bank intends to use this exception, it must notify the customer, in writing, at the time of deposit.
If the deposit is not made in person or the decision to place the hold is based on facts that become known to the bank at a later date, the bank must mail the notice by the business day after the day the deposit is made or the facts become known. The notice must indicate that availability is being delayed and must include the reason the bank believes the funds are uncollectable. If a hold is placed on the basis of confidential information, as when check kiting is suspected, the bank need only disclose to the customer that the hold is based on confidential information indicating that the check may not be paid. If the depositary bank asserts that the hold was based on confidential information, it must note the reason on the notice it retains as a record of compliance. The bank must maintain a record of each exception notice, including documents and a brief description of the facts supporting the reasonable-cause exception, for two years.
33
What is the Emergency conditions Exception to the Availability Schedule [VI - 1.1]
Emergency Conditions (§ 229.13(f))
Banks may suspend the availability schedule under the following emergency conditions:
* An interruption of communications or computer or other equipment facilities
* Suspension of payments by another bank
* War
* Any emergency condition beyond the control of the depositary bank
34
What are the Notices of Exception (§ 229.13(g)) Requirements [VI - 1.1]
Notices of Exception (§ 229.13(g)) Whenever a bank invokes one of the exceptions to the availability schedules (other than the new-account exception), it must notify the customer in writing. The bank may send a notice that complies solely with section 229.13(g)(1) (the ‘‘general exception noti
35
What must the General Exception Notice (§ 229.13(g)(1)) include? [VI - 1.1]
General Exception Notice (§ 229.13(g)(1))
The general notice of exception must include the following:
* The customer’s account number
* The date of the deposit
* The amount of the deposit that will be delayed
* The reason the exception was invoked
* The time period the funds will be available for withdrawal (unless unknown, as in an emergency situation)

If the deposit is made at a staffed facility, the notice may be given to the person making the deposit, regardless of whether that person is the customer who holds the account. If the deposit is not made at a staffed facility, the exception notice may be mailed to the customer no later than the business day following the banking day of deposit. If the depositary bank discovers a reason to delay the funds subsequent to the time the notice should have been given, the bank must notify the customer about the hold as soon as possible, but no later than the business day after the facts become known. Certain exception holds due to emergency conditions do not require notification of customers. For example, if the deposited funds that were subject to a hold during an emergency become available for withdrawal before the time the notice must be sent, the depositary bank need not send a notice.
36
What is the One-Time Exception Notice for Non-consumer Accounts (§ 229.13(g)(2)) [VI - 1.1]
One-Time Exception Notice for Nonconsumer Accounts (§ 229.13(g)(2))
If most of the check deposits into a particular nonconsumer account qualify for either the large-deposit exception or the redeposited-check exception, the bank may send a one-time notice rather than a notice complying with section 229.13(g)(1) each time the exception is invoked. The one-time notice must be sent either the first time the exception is invoked or before that time. It must state both
* The reason the exception may be invoked and
* The time period when the funds will generally be made available.
37
What is the Exception Notice for Repeated Overdrafts (§ 229.13(g)(3)) [VI - 1.1]
Exception Notice for Repeated Overdrafts (§ 229.13(g)(3))
If most of the check deposits into a particular account qualify for the repeated-overdraft exception, the bank may send an exception notice that covers a specified period of time rather than a notice complying with section 229.13(g)(1) each time the exception is invoked. The ‘‘specified period’’ notice must be sent when the overdraft exception is first invoked. It must state all of the following:
* The customer’s account number
* The fact that access to the funds is being delayed because the repeated-overdraft exception is being invoked
* The time period during which the exception will apply
* The time period within which the funds generally will be available for withdrawal
38
Availability of Deposits Subject to Exceptions (§ 229.13(h)) [VI - 1.1]
Availability of Deposits Subject to Exceptions (§ 229.13(h)) For deposits subject to exceptions to the availability schedules, other than deposits into new accounts, the depositary bank is permitted to delay availability for a reasonable time beyond the schedule. Generally, a reasonable period is considered to be no more than one business day for on-us checks and five business days for local checks. If a depositary bank extends its availability beyond these timeframes, it must be able to prove that the extended delay is reasonable.
39
What are the General Rule (§ 229.14(a)) for the Payment of Interest – §229.14? [VI - 1.1]
Payment of Interest – §229.14 General Rule (§ 229.14(a)) A depositary bank must begin accruing interest on interest bearing accounts no later than the business day on which it receives provisional credit for the deposited funds. A depositary bank typically receives credit on checks within one or two days following deposit. It receives credit on cash deposits, electronic payments, and checks that are drawn on itself on the day the cash, check, or electronic payment is received. And if a nonproprietary ATM is involved, it usually receives credit on the day the bank that operates the ATM credits the depositary bank for the amount of deposit. A depositary bank may rely on the availability schedule of its Federal Reserve Bank, FHLB, or correspondent bank when determining when the depositary bank receives credit (section 229.14(a)(1)). If availability is delayed beyond the time specified in that schedule, a bank may charge back to the account any interest erroneously paid or accrued on the basis of that schedule. A depositary bank may accrue interest on checks deposited to all of its interest-bearing accounts based on an average of when the bank receives credit for all checks sent for payment or collection (section 229.14(a)(2)). For example, if a bank receives credit on 20 percent of the funds deposited by check on the business day of deposit (such as via on-us checks), 70 percent on the business day following deposit, and 10 percent on the second business day following deposit, the bank may apply these percentages to determine the day on which interest must begin to accrue for check deposits into all interest bearing accounts, regardless of when the bank received credit for deposits into any particular account. Consequently, a bank may begin accruing interest uniformly across all interest bearing accounts rather than having to track the type of check deposited to each account. 
Nothing in the general rule limits a depositary bank policy that provides that interest may accrue only on balances that exceed a specified amount or on the minimum balance maintained in the account during a given period. However, the balance must be determined according to the date the bank receives credit for the funds. Nor is there a limit on a policy that provides that interest may accrue sooner than required by the regulation. Money market deposit accounts, savings deposit accounts, and time deposit accounts are not subject to the general rule concerning the timing of interest payment. However, for simplicity of operation, a bank may accrue interest on such deposits in the same manner that it accrues interest on transaction accounts.
40
What is the Payment of Interest – §229.14 Exemption for Certain Credit Unions (§ 229.14(b))? [VI - 1.1]
Exemption for Certain Credit Unions (§ 229.14(b)) Credit unions that do not begin to accrue interest or dividends on their members’ accounts until a date later than the day the credit union receives credit for those deposits, including cash deposits, are exempt from the general rule for payment of interest (section 229.14(a)) as long as they provide notice of their interest-accrual policies in accordance with section 229.16(d).
41
What is the Payment of Interest – §229.14 Exception for Checks Returned Unpaid (§ 229.14(c))? [VI - 1.1]
Exception for Checks Returned Unpaid (§ 229.14(c)) Banks are not required to pay interest on funds deposited in an interest-bearing account by a check that has been returned unpaid, regardless of the reason for return.
42
What are the General Disclosure Requirements – §229.15 - Form of Disclosures (§ 229.15(a))? [VI - 1.1]
General Disclosure Requirements – §229.15 Form of Disclosures (§ 229.15(a)) A bank must disclose its funds availability policy to its customers. The disclosures must be clear and conspicuous and must be in writing. Disclosures other than those posted at locations where employees accept consumer deposits, at ATMs, or on preprinted deposit slips must be in a form that customers can keep. They must be grouped together and must not contain information unrelated to the requirements of Regulation CC. If other account terms are included in the same document, disclosures related to the regulation should be highlighted, for example, by having a separate heading
43
What are the General Disclosure Requirements – §229.15 -Uniform Reference to Day of Availability (§ 229.15(b))? [VI - 1.1]
Uniform Reference to Day of Availability (§ 229.15(b)) In its disclosure, the bank must describe funds as being available for withdrawal on ‘‘the _____ business day after’’ the day of deposit. In this calculation, the first business day is the business day following the banking day the deposit was received, and the last business day is the day on which the funds are made available.
44
What are the General Disclosure Requirements – §229.15 - Multiple Accounts and Multiple Account Holders (§229.15(c)) ? [VI - 1.1]
Multiple Accounts and Multiple Account Holders (§ 229.15(c)) A bank is not required to give multiple disclosures to customers who have more than one account if the accounts are subject to the same availability policies. Nor is a bank required to give separate disclosures to joint account holders. A single disclosure to one of the holders of the joint account is sufficient.
45
What are the General Disclosure Requirements – §229.15 - Dormant or Inactive Accounts (§ 229.15(d)) ? [VI - 1.1]
Dormant or Inactive Accounts (§ 229.15(d)) A bank is not required to give disclosures to customers who have dormant or inactive accounts.
46
What are the Specific Availability Policy Disclosure – §229.16 Requirements? [VI - 1.1]
Specific Availability Policy Disclosure – §229.16 The disclosure describing its funds availability policy that a bank must provide to its customers must reflect the policy followed by the bank in most cases. If the bank wishes to reserve its right to impose longer delays on a case-by-case basis or by invoking one of the exceptions specified in section 229.13, its policy regarding these situations must be reflected in the disclosure
47
What are the Disclosure Requirements for Content of Specific Availability Policy? (§229.16(b)) [VI - 1.1]
Content of Specific Availability Policy Disclosure (§ 229.16(b))
A bank’s specific availability policy disclosure must include, as applicable, the following:
* A summary of the bank’s availability policy
* A description of the categories of deposits or checks used by the bank when it delays availability, such as local checks; how to determine the category to which a particular deposit or check (such as a payable-through draft) belongs; and when each category will be available for withdrawal (including a description of the bank’s business days and when a deposit is considered received)
* A description of any of the exceptions specified in section 229.13 that may be invoked by the bank, including the time at which the deposited funds generally will become available for withdrawal and a statement that the bank will notify the customer if the bank invokes one of the exceptions
* A description of any case-by-case policy of delaying availability that may result in deposited funds being available for withdrawal later than the time periods stated in the bank’s availability policy (specific requirements are laid out in section 229.16(c)(1))
48
How must a bank disclose a practice of invoking Longer Delays on a Case-by-Case Basis (§ 229.16(c)) [VI - 1.1]
Longer Delays on a Case-by-Case Basis (§ 229.16(c))
A bank that has a policy of making deposited funds available for withdrawal sooner than required may extend the time when funds are available up to the time periods allowed under the regulation on a case-by-case basis. However, the bank must include the following in its specific policy disclosure:
* A statement that the time when deposited funds are available for withdrawal may be extended in some cases, and a statement of the latest time deposited funds will be available for withdrawal
* A statement that the bank will notify the customer if funds deposited in the customer’s account will not be available for withdrawal until after the time periods stated in its availability policy
* A statement that customers should ask if they need to know when a particular deposit will be available for withdrawal

When a depositary bank extends the time that funds will be available for withdrawal on a case-by-case basis, it must provide the depositor with a written notice. The notice must include all of the following information:
* The customer’s account number
* The date of the deposit
* The amount of the deposit that is being delayed
* The day the funds will be available for withdrawal

The notice must be provided at the time of the deposit, unless the deposit was not made in person to an employee of the depositary bank or the decision to delay availability was made after the time of the deposit. If notice is not given at the time of the deposit, the depositary bank must mail or deliver the notice to the customer no later than the first business day following the banking day the deposit was made.
A depositary bank that extends the time when funds will be available for withdrawal on a case-by-case basis and does not furnish the depositor with written notice at the time of deposit may not assess any fees for any subsequent overdrafts (including use of a line of credit) or return of checks or other debits to the account if
* The overdraft or return of the check or other debit would not have occurred except for the fact that the deposited funds were delayed under section 229.16(c)(1) of the regulation and
* The deposited check was paid by the paying bank.

However, the depositary bank may assess an overdraft or returned-check fee if it includes a notice concerning overdraft and returned-check fees with the disclosure required in section 229.16(c)(2) and, when required, refunds any such fees upon the request of the customer. The overdraft and returned-check notice must state that the customer may be entitled to a refund of overdraft or returned-check fees that are assessed if the check subject to the delay is paid, and also must state how to obtain a refund.
49
What is the disclosure requirement related to Credit Union Notice of Interest-Payment Policy (§ 229.16(d)) [VI - 1.1]
Credit Union Notice of Interest-Payment Policy (§ 229.16(d)) If a credit union begins to accrue interest or dividends on all deposits made into an interest-bearing account, including cash deposits, at a later time than the day specified in section 229.14(a), the credit union’s specific policy disclosures must explain when interest or dividends on deposited funds will begin to accrue.
50
What are the EFAA Initial Disclosures – §229.17 Requirements? [VI - 1.1]
Initial Disclosures – §229.17 A bank must provide potential customers with the disclosures described in section 229.16 before an account is opened.
51
What are the Additional Disclosure Requirements – §229.18 - regarding Deposit Slips (§ 229.18(a))? [VI - 1.1]
Deposit Slips (§ 229.18(a)) All preprinted deposit slips given to customers must include a notice that deposits may not be available for immediate withdrawal.
52
What are the Additional Disclosure Requirements – §229.18 - regarding Locations Where Employees Accept Consumer Deposits (§229.18(b))? [VI - 1.1]
Locations Where Employees Accept Consumer Deposits (§ 229.18(b)) A bank must post, at a conspicuous place at each location where its employees receive deposits to consumer accounts, a notice that sets forth the time periods applicable to the availability of funds deposited.
53
What are the Additional Disclosure Requirements – §229.18 - regarding Automated Teller Machines (§ 229.18(c)) ? [VI - 1.1]
Automated Teller Machines (§ 229.18(c)) At each of its ATM locations, a depositary bank must post or provide a notice that funds deposited in the ATM may not be available for immediate withdrawal. A depositary bank that operates an off-premises ATM from which deposits are removed not more than two times each week, as described in section 229.19(a)(4), must disclose at or on the ATM the days on which deposits made at the ATM will be considered received.
54
What are the Additional Disclosure Requirements – §229.18 - regarding Upon Request (§ 229.18(d)) Disclosures? [VI - 1.1]
Upon Request (§ 229.18(d)) A bank must provide a copy of its specific availability policy disclosure (described in section 229.16) to any person who requests it.
55
What are the Additional Disclosure Requirements – §229.18 - regarding Changes in Policy (§ 229.18(e))? [VI - 1.1]
Changes in Policy (§ 229.18(e)) Thirty days before implementing a change in its availability policy, a bank must send notification of the change to all account holders adversely affected by the change. Changes that result in faster availability may be disclosed no later than thirty days after implementation.
56
When Funds Are Considered Deposited (§ 229.19(a)) under Miscellaneous Provisions – §229.19? [VI - 1.1]
Miscellaneous Provisions – §229.19
When Funds Are Considered Deposited (§ 229.19(a))
For purposes of subpart B of Regulation CC (sections 229.10–229.21), the time at which funds must be made available for withdrawal is measured from the day the funds are considered deposited (or ‘‘received’’ by the bank). When funds are considered officially deposited differs according to where, how, and when they are deposited:
* Funds deposited at a staffed teller station or an ATM—Considered deposited when received by the teller or placed in the ATM.
* Funds mailed to the depositary bank—Considered deposited on the banking day they are received by the depositary bank; in this case, funds are considered ‘‘received’’ at the time the mail is delivered to the bank, even if it is initially delivered to a mail room rather than the check-processing area.
* Funds deposited at a night depository—Considered deposited on the banking day the funds are removed from the night depository and are accessible to the depositary bank for processing. For example, some businesses deposit their funds in a locked bag at the night depository late in the evening and return to the bank the following day to open the bag; others have an agreement with the bank that the deposit bag must be opened under the dual control of the bank and the depositor. In both cases, the funds are considered deposited when the customer returns to the bank and opens the deposit bag.
* Funds deposited through a lock box arrangement—Considered deposited on the day the funds are removed from the lock box and are accessible to the depositary bank for processing. A lock box is a post office box that is typically used by a corporation for the collection of bill payments or other check receipts.
* Funds deposited at off-premises ATMs that are not serviced more than twice a week—Considered deposited on the day they are removed from the ATM. This special provision is geared toward banks whose practice is to service remote ATMs infrequently. A depositary bank that uses this provision must post a notice at the ATM informing depositors that funds deposited at the ATM may not be considered received on the date of deposit.
* Funds deposited on a day the depositary bank is closed or after the bank’s cutoff hour—May be considered deposited on the next banking day.
57
What are Cutoff Hours under Miscellaneous Provisions – §229.19? [VI - 1.1]
Cutoff Hours Generally, a bank may establish a cutoff hour of 2:00 p.m. or later for receipt of deposits at its main office or branch offices and a cutoff hour of 12:00 noon or later for deposits made at ATMs, lock boxes, night depositories, or other off-premises facilities. (As specified in the commentary to section 229.19(a), the 12:00 noon cutoff time relates to the local time at the branch or other location of the depositary bank where the account is maintained or the local time at the ATM or off-premises facility.) Different cutoff hours may be established for different types of deposits—for example, a 2:00 p.m. cutoff for receipt of check deposits and a later time for receipt of wire transfers is permissible. Location can also play a role in the establishment of cutoff hours; for example, different cutoff hours may be established for ATM deposits and over-the-counter deposits, or for different teller stations at the same branch. With the
58
What is the Hour of Funds Availability (§ 229.19(b)) under Miscellaneous Provisions – §229.19? [VI - 1.1]
Hour of Funds Availability (§ 229.19(b)) Generally, funds must be available for withdrawal by 9:00 a.m. or the time a depositary bank’s teller facilities, including ATMs, are available for customer account withdrawals, whichever is later. (Under certain circumstances, there is a special exception for cash withdrawals—see section 229.12(d).) Thus, if a bank has no ATMs and its branch facilities are available for customer transactions beginning at 10:00 a.m., funds must be available for withdrawal by 10:00 a.m. If a bank has 24-hour ATM service, funds must be available for ATM withdrawals by 9:00 a.m. The start of business is determined by the local time at the branch or depositary bank holding the account. For example, if funds in an account at a West Coast bank are first made available at the start of business on a given day and a customer attempts to withdraw the funds at an East Coast ATM, the depositary bank is not required to make funds available until 9:00 a.m. West Coast time (12:00 noon East Coast time).
59
What are the Effects of the Regulation on Depositary Bank Policies (§229.19(c)) under Miscellaneous Provisions – §229.19? [VI - 1.1]
Effects of the Regulation on Depositary Bank Policies (§ 229.19(c)) Essentially, a depositary bank is permitted to provide availability to its customers in a shorter time than that prescribed in the regulation. The bank may also adopt different funds availability policies for different segments of its customer base, so long as each policy meets the schedules in the regulation. For example, it may differentiate between its corporate and consumer customers, or may adopt different policies for its consumer customers based on whether a customer has an overdraft line of credit associated with his or her account. The regulation does not affect a depositary bank’s right to accept or reject a check for deposit, to ‘‘charge back’’ the customer’s account for the amount of a check based on the return of the check or receipt of a notice of nonpayment of the check, or to claim a refund for any credit provided to the customer. Nothing in the regulation requires a depositary bank to have its facilities open for customers to make withdrawals at specified times or on specific days. For example, even though the special cash withdrawal rule set forth in section 229.12(d) states that a bank must make up to $450 available for cash withdrawals no later than 5:00 p.m. on specific business days, if a bank does not participate in an ATM system and does not have any teller windows open at or after 5:00 p.m., the bank need not join an ATM system or keep offices open. In this case, the bank complies with the rule if the funds that are required to be available for cash withdrawal at 5:00 p.m. on a particular day are available for withdrawal at the start of business on the following day. Similarly, if a depositary bank is closed for customer transactions, including ATM transactions, on a day on which funds must be made available for withdrawal, the regulation does not require the bank to open. 
If a bank has a policy of limiting cash withdrawals at ATMs to $250 a day, the regulation does not require that the bank dispense $400 of the proceeds of the customer’s deposit that must be made available for cash withdrawal on that day. Some small banks do not keep cash on their premises and do not offer cash withdrawal services to their customers. Others limit the amount of cash on their premises, for reasons related to bonding, and as a result reserve the right to limit the amount of cash a customer may withdraw on a given day or to require advance notice for large cash withdrawals. Nothing in the regulation is intended to prohibit these practices if they are applied uniformly and are based on security, operating, or bonding requirements and if the policy is not dependent on the length of time the funds have been in the customer’s account, as long as the permissible hold has expired. However, the regulation does not authorize such policies if they are otherwise prohibited by statutory, regulatory, or common law.
60
What is the Calculated Availability for Non-consumer Accounts (§ 229.19(d)) under Miscellaneous Provisions – §229.19? [VI - 1.1]
Calculated Availability for Nonconsumer Accounts (§ 229.19(d)) Under calculated availability, a specified percentage of funds from check deposits may be made available to the customer on the next business day, with the remaining percentage deferred until subsequent days. The determination of the percentage of deposited funds that will be made available each day is based on the customer’s typical deposit mix as determined by a sample of the customer’s deposits. Use of calculated availability is permitted only if, on average, the availability terms that result from the sample are equivalent to or more prompt than the requirements of the regulation.
61
What are holds on Other Funds (§ 229.19(e)) under Miscellaneous Provisions – §229.19? [VI - 1.1]
Holds on Other Funds (§ 229.19(e)) If a customer deposits a check, the bank may place a hold on any of the customer’s funds to the extent that the funds held do not exceed the amount of the check deposited and if the total amount of funds held is made available for withdrawal within the times required in the regulation. For example, if a customer cashes a check (other than an on-us check) over-the-counter, the depositary bank may place a hold on any of the customer’s funds to the extent that the funds held do not exceed the amount of the check cashed.
62
What are the Employee Training and Compliance (§ 229.19(f)) requirements under Miscellaneous Provisions – §229.19? [VI - 1.1]
Employee Training and Compliance (§ 229.19(f)) The EFA Act requires banks to inform each employee who performs duties subject to the act about its requirements. The act and Regulation CC also require banks to establish and maintain procedures designed to ensure and monitor employee compliance with the requirements.
63
What are the Effects of Mergers (§ 229.19(g)) under Miscellaneous Provisions – §229.19? [VI - 1.1]
Effects of Mergers (§ 229.19(g)) Merged banks may be treated as separate banks for a period of up to one year after consummation of the merger transaction. However, a customer of any bank that is a party to the merger transaction and has an established account with the merging bank may not be treated as a new account holder under the new-account exception of section 229.13(a). A deposit in any branch of the merged bank is considered deposited in the bank for purposes of the availability schedules in accordance with section 220.19(a). This rule affects the status of the combined entity in a number of areas, for example, * When the resulting bank is a participant in a check clearinghouse association * When an ATM is a proprietary ATM * When a check is drawn on a branch of the depositary bank
64
What is the General Rule (§ 229.20(a)) in Relation to State Law – §229.20? [VI - 1.1]
Relation to State Law – §229.20 General Rule (§ 229.20(a)) If a state has a shorter hold for a certain category of checks than is provided for under federal law, the state requirement supersedes the federal provision. The EFA Act also indicates that any state law providing availability in a shorter period of time than required by federal law is applicable to all federally insured banks in that state, including federally chartered banks. If a state law provides shorter availability only for deposits in accounts in certain categories of banks, such as commercial banks, the superseding state law continues to apply to only those categories of banks, rather than to all federally insured banks in the state. 12 CFR 229.20(a) is applicable to state laws or regulations in effect on or before September 1, 1989.
65
What is the Preemption of Inconsistent Law (§ 229.20(b)) in Relation to State Law – §229.20? [VI - 1.1]
Preemption of Inconsistent Law (§ 229.20(b)) Provisions of state laws that are inconsistent with federal law, other than those discussed in the preceding section (‘‘General Rule’’), are preempted. State laws requiring disclosure of availability policies for transaction accounts are preempted by Regulation CC. Preemption does not require a determination by the Federal Reserve Board to be effective.
66
What are the Statutory Penalties (§ 229.21(a)) under Civil Liability – §229.21? [VI - 1.1]
Statutory Penalties (§ 229.21(a)) Statutory penalties can be imposed as a result of a successful individual or class action suit brought for violations of subpart B of Regulation CC. Basically, a bank can be held liable for * Actual damages, * No less than $100 nor more than $1,000 in the case of an individual action, * The lesser of $500,000 or 1 percent of the net worth of the bank involved in the case of a class action, and * The costs of the action, together with reasonable attorney’s fees as determined by the court. These penalties also apply to provisions of state law that supersede provisions of the regulation, such as requirements that funds deposited in accounts at banks be made available more promptly than required by the regulation, but they do not apply to other provisions of state law. (See commentary in appendix E, section 229.20.)
67
What is the liability for Bona Fide Errors (§ 229.21(c)) under Civil Liability – §229.21? [VI - 1.1]
Bona Fide Errors (§ 229.21(c)) A bank will not be considered liable for violations of Regulation CC if it can demonstrate, by a preponderance of evidence, that violations resulted from bona fide errors and that it maintains procedures designed to avoid such errors.
68
What is the Reliance on Federal Reserve Board Rulings (§ 229.21(e)) under Civil Liability – §229.21? [VI - 1.1]
Reliance on Federal Reserve Board Rulings (§ 229.21(e)) A bank will not be held liable if it acts in good faith in reliance on any rule, regulation, model form (if the disclosure actually corresponds to the bank’s availability policy), or interpretation of the Board, even if that rule, regulation, form, or interpretation is subsequently determined to be invalid. Banks may rely on the commentary as well as on the regulation itself.
69
What are the Exclusions (§ 229.21(f)) under Civil Liability – §229.21? [VI - 1.1]
Exclusions (§ 229.21(f)) The liability established by section 229.21 does not apply to violations of subpart C (Collection of Checks) of Regulation CC or to actions for wrongful dishonor of a check by a paying bank’s customer. (Separate liability provisions applying to subpart C are found in section 229.38.)
70
What is Subpart C - Collection of Checks under the EFAA? [VI - 1.1]
Subpart C – Collection of Checks Subpart C covers the check-collection system and includes rules to speed the collection and return of checks. Basically, these rules cover the return responsibilities of paying and returning banks, notices of non-payment for large-dollar returns by the paying bank, and mandatory check indorsement standards. Electronic checks and electronic returned checks are subject to subpart C as if they were checks or returned checks, except where “paper check” or “paper returned check” is specified. Many of the provisions of subpart C can be varied by agreement. Sections 229.30 and 229.31 generally require paying and returning banks to return checks expeditiously using a ‘‘two day’’ test. Under the two-day test, a return is considered expeditious if a local check is received by the depositary bank by 2:00 p.m. (local time of the depositary bank) of the second business day after presentment. Pursuant to section 229.33(a), a paying bank and returning bank may be liable to a depositary bank for failing to return a check in an expeditious manner only if the depositary bank has arrangements in place such that the paying bank or returning bank could return a returned check electronically, directly or indirectly, by commercially reasonable means. Section 229.31(c) also generally requires a paying bank to provide timely notification of nonpayment if it determines not to pay a check of $5,000 or more, regardless of the channel of collection. The regulation addresses the depositary bank’s duty to notify its customers that a check is being returned and the paying bank’s responsibility for giving notice of nonpayment. Other areas that are covered in subpart C are indorsement standards, warranties and indemnities by paying and returning banks, bona fide errors and liability, variations by agreement, insolvency of banks, and the effect of merger transactions. 
The provisions of subpart C supersede any state law, but only to the extent that state law is inconsistent with Regulation CC. (Section 229.41) The expeditious return requirements and other specified requirements in subpart C do not apply to checks drawn on the U.S. Treasury, USPS money orders, and checks drawn on states and units of general local government that are presented directly to the state or units of general local government and that are not payable through or at a bank. (Section 229.42)
71
What is Subpart D - Collection of Checks under the EFAA? [VI - 1.1]
Subpart D – Substitute Checks General Provisions Governing Substitute Checks – §229.51 A substitute check for which a bank has provided the warranties described in section 229.52[5] is the legal equivalent of an original check if the substitute check: * Accurately represents all of the information on the front and back of the original check and * Bears the legend ‘‘This is a legal copy of your check. You can use it the same way you would use the original check.’’[6] The reconverting bank must adhere to Regulation CC’s standards for preserving bank indorsements and identifications. A reconverting bank that receives consideration for a substitute check that it transfers, presents, or returns is also the first bank to provide the warranties described in section 229.52 and the indemnity described in section 229.53.
72
Substitute Check Warranties and Indemnity – §§229.52 and 229.53 [VI - 1.1]
Substitute Check Warranties and Indemnity – §§229.52 and 229.53 Starting with the reconverting bank, any bank that transfers, presents, or returns a substitute check (or a paper or electronic representation of a substitute check) and receives consideration for that check warrants that the substitute check meets the legal-equivalence requirements and that a check that has already been paid will not be presented for subsequent payment. Such a bank also provides an indemnity to cover losses that the recipient and any subsequent recipient of the substitute check (or paper or electronic representation of a substitute check) incurred because of the receipt of a substitute check instead of the original check. A bank that rejects a check submitted for deposit and returns to its customer a substitute check (or paper or electronic representation of a substitute check) makes these warranties and indemnifications regardless of whether the bank received consideration. [5] A person other than a bank that creates a substitute check could transfer that check only by agreement unless and until a bank provides the substitute check warranties. [6] A bank may not vary the language of the legal-equivalence legend.
73
What are Expedited Recredits for Consumers – §229.54 under Subpart D? [VI - 1.1]
Expedited Recredit for Consumers – §229.54 Section 229.54(a) sets forth the conditions under which a consumer may make an expedited recredit claim for losses associated with the consumer’s receipt of a substitute check. To use the expedited recredit procedure, the consumer must be able to assert in good faith that * The consumer’s account was charged for a substitute check that was provided to the consumer, * The consumer’s account was improperly charged or the consumer has a warranty claim, * The consumer suffered a loss, and * The consumer needs the original check or a sufficient copy to determine the validity of the claim. To make a claim, the consumer must comply with the timing, content, and form requirements in section 229.54(b). This section generally provides that a consumer’s claim must be received by the bank that holds the consumer’s account no later than the fortieth calendar day after the later of * The calendar day on which the bank mailed (or delivered by a means agreed to by the consumer) the periodic statement describing the contested transaction or * The calendar day on which the bank mailed (or delivered by a means agreed to by the consumer) the substitute check itself. Section 229.54(b)(1)(ii) requires the bank to give the consumer an additional, reasonable period of time if the consumer experiences ‘‘extenuating circumstances’’ that prevent timely submission of the claim. The commentary to section 229.60 provides that the bank may voluntarily give the consumer more time to submit a claim than the rule allows. Under section 229.54(b)(2)(ii), a complaint is not considered complete, and thus does not constitute a claim, until it contains all of the required information the rule requires.
The rule requires that the claim contain * A description of why the consumer believes the account was improperly charged or the nature of the consumer’s warranty claim, * A statement that the consumer has suffered a loss, and an estimate of the amount of the loss, * A reason why the original check (or a copy of the check that is better than the substitute check the consumer already received) is necessary to determine whether the consumer’s claim is valid, and * Sufficient information to allow the bank to identify the substitute check and investigate the claim. A bank, at its discretion, may require the consumer to submit the claim in writing. If a consumer makes an oral claim to a bank that requires a written claim, the bank must inform the consumer of the written requirement at that time. Under those circumstances, the bank must receive the written claim by the later of 10 business days from the date of an oral claim or the expiration of the consumer’s initial 40-day period for submitting a timely claim. As long as the original oral claim fell within the 40-day requirement for notification and a complete written claim was received within the additional 10-day window, the claim meets the timing requirements (sections 229.54(b)(1) and 229.54(b)(3)), even if the written claim was received after the expiration of the initial 40-day period.
74
What action must banks take on claims under Subpart D? [VI - 1.1]
Bank’s Action on Claims Section 229.54(c) requires a bank to act on a consumer’s claim no later than the tenth business day after the banking day on which it received the consumer’s claim: * If the bank determines that the consumer’s claim is valid, it must recredit the consumer’s account no later than the end of the business day after the banking day on which it makes that determination. The amount of the recredit should equal the amount of the consumer’s loss, up to the amount of the substitute check, plus interest on that amount if the account is an interest-bearing account. The bank must then notify the consumer of the recredit using the notice discussed below (‘‘Notices Relating to Expedited Recredit Claims’’). * If the bank determines that the consumer’s claim is invalid, it must notify the consumer of that decision using the notice discussed below (‘‘Notices Relating to Expedited Recredit Claims’’). * If the bank has not determined the validity of the consumer’s claim by the tenth business day after the banking day on which it received the claim, the bank must recredit the consumer’s account for the amount of the consumer’s loss, up to the amount of the substitute check or $2,500, whichever is less. The bank must also recredit interest on that amount if the consumer’s account is an interest-bearing account. The bank must send a notice to that effect to the consumer using the notice discussed below (‘‘Notices Relating to Expedited Recredit Claims’’). If the consumer’s loss was more than $2,500, the bank has until the end of the forty-fifth calendar day from the date of the claim to recredit any remaining amount of the consumer’s loss, up to the amount of the substitute check (plus interest), unless it determines prior to that time that the claim was invalid and notifies the consumer of that decision. Section 229.54(d) generally requires that recredited funds receive next-day availability. 
However, a bank that provisionally recredits funds pending further investigation may invoke safeguard exceptions to delay availability of the recredit under the limited circumstances described in section 229.54(d)(2). The safeguard exceptions apply to new accounts and repeatedly overdrawn accounts and also when the bank has reasonable cause to suspect that the claim is fraudulent. A bank may delay availability of a provisionally recredited amount until the start of the earlier of (1) the business day after the banking day on which the bank determines that the consumer’s claim is valid or (2) the forty-fifth calendar day after the banking day on which the bank received the claim if the account is new, the account is overdrawn, or the bank has reasonable cause to believe that the claim is fraudulent. When the bank delays availability under this section, it may not impose overdraft fees on checks drawn against the provisionally credited funds until the fifth calendar day after the day on which the bank sent the notice regarding the delayed availability. If, after providing the recredit, the bank determines that the consumer’s claim was invalid, the bank may reverse the recredit. This reversal must be accompanied by a consumer notification using the notice discussed below (‘‘Notices Relating to Expedited Recredit Claims’’).
75
What are the Notices Relating to Expedited Recredit Claims under Subpart D? [VI - 1.1]
Notices Relating to Expedited Recredit Claims Section 229.54(e) outlines the requirements for providing consumer notices related to expedited recredit: * The bank must send the notice of recredit no later than the business day after the banking day on which the bank recredits the consumer’s account. The notice must include the amount of the recredit and the date the recredited funds will be available for withdrawal. * The bank must send notice that the consumer’s claim is not valid no later than the business day after the banking day on which the bank makes this determination. The notice must include the original check or a sufficient copy of it (except as provided in section 229.58; see below). Also, it must demonstrate to the consumer why the claim is not valid. Further, the notice must include either any information or document that the bank used in making its determination or an indication that the consumer may request copies of this information. * The bank must send the notice of a reversal of recredit no later than the business day after the banking day on which the bank made the reversal. The notice must include all the information required in a notice of invalid claim plus the amount (including interest) and date of the reversal (section 229.54(e)(3)(i)). Appendix C to Regulation CC contains model forms that a bank may use to craft the various notices required in section 229.54(e). The Board published these models to assist banks in complying with section 229.54(e). Appropriate use of the models, however, does not offer banks a statutory safe harbor.
76
What is the Expedited Recredit for Banks – §229.55 under Subpart D? [VI - 1.1]
Expedited Recredit for Banks – §229.55 Section 229.55 sets forth expedited recredit procedures applicable between banks. A claimant bank must adhere to the timing, content, and form requirements of section 229.55(b) in order for the claim to be valid. A bank against which an interbank recredit claim is made has ten business days within which to act on the claim (section 229.55(c)). The provisions of section 229.55 may be varied by agreement. (No other provisions of subpart D may be varied by agreement.)
77
What is the Liability under Subpart D? [VI - 1.1]
Liability – §229.56 Section 229.56 describes the damages for which a bank or person would be liable in the event of breach of warranty or failure to comply with subpart D: * The amount of the actual loss, up to the amount of the substitute check, resulting from the breach or failure and * Interest and expenses (including costs, reasonable attorney’s fees, and other expenses of representation) related to the substitute check. These amounts could be reduced in the event of negligence or failure to act in good faith. It is also important to note that section 229.56 contains a specific exception that allows for greater recovery as provided in the indemnity section. Thus, a person who has an indemnity claim that also involves a breach of a substitute check warranty could recover all damages proximately caused by the warranty breach. Section 229.56(b) excuses failure to meet this subpart’s time limits because of circumstances beyond a bank’s control. Section 229.56(c) provides that an action to enforce a claim under this subpart may be brought in any U.S. district court. Section 229.56(c) also provides the subpart’s statute of limitations: one year from the date on which a person’s cause of action accrues.[8] Section 229.56(d) states that if a person fails to provide notice of a claim for more than thirty days from the date on which a cause of action accrues, the warranting or indemnifying bank is discharged from liability to the extent of any loss caused by the delay in giving notice of the claim. [8] For purposes of this paragraph, a cause of action accrues as of the date on which the injured person first learns, or reasonably should have learned, of the facts giving rise to the claim, including the identity of the warranting or indemnifying bank against which the action is brought.
78
What are the Content Requirements for Consumer Awareness under Subpart D? [VI - 1.1]
Consumer Awareness – §229.57 Content requirements A bank must provide its consumer customers with a disclosure that explains that a substitute check is the legal equivalent of the original check and describes the consumer’s recredit rights for substitute checks. A bank may use, but is not required to use, the Board’s model form (in appendix C to Regulation CC) to meet the content requirements for this notice. A bank that uses the model form appropriately is deemed compliant with the content requirements for which it uses language from the model form. A bank may provide the notice required by section 229.57 along with other information.
79
What are the Distribution to Consumer Customers Who Receive Canceled Checks with Periodic Account Statement Consumer Awareness requirements under Subpart D? [VI - 1.1]
Distribution to Consumer Customers Who Receive Canceled Checks with Periodic Account Statements Under section 229.57(b)(1), a bank must provide this disclosure to existing consumer customers who routinely receive their canceled checks in their periodic statement no later than the first statement after October 28, 2004. For customer relationships established after that date, a bank must provide the disclosure to a new consumer customer who will routinely receive canceled checks in periodic statements at the time the customer relationship is established.
80
What are the Distribution to Consumer Customers Who Receive a Substitute Check Occasionally Consumer Awareness requirements under Subpart D? [VI - 1.1]
Distribution to Consumer Customers Who Receive a Substitute Check Occasionally Under section 229.57(b)(2), a bank must also provide the disclosure to a consumer customer who receives a substitute check on an occasional basis, including when a consumer receives a substitute check in response to a request for a check or a copy of a check and when a check deposited by the consumer is returned to the consumer as an unpaid item in the form of a substitute check. A bank must provide the disclosure to a consumer customer in these cases even if the bank previously provided the disclosure to the consumer. When the consumer contacts the bank to request a check or a copy of a check and the bank responds by providing a substitute check, the bank must provide this disclosure at the time of the request, if feasible. Otherwise, the bank must provide the disclosure no later than when the bank provides a substitute check in response to the consumer’s request. It would not be feasible to provide the disclosure at the time of the request if, for example, the consumer made his or her request by telephone or if the bank did not know at the time of the request whether it would provide a substitute check or some other document in response. A bank is not required to provide the disclosure if the bank responds to the consumer’s request by providing something other than an actual substitute check (such as a photocopy of an original check or a substitute check). When a bank returns a deposited item unpaid to a consumer in the form of a substitute check, the bank must provide the disclosure when it provides the substitute check.
81
What is the required Mode of Delivery of Information – §229.58 under Subpart D? [VI - 1.1]
Mode of Delivery of Information – §229.58 Section 229.58 provides that banks may deliver any notice or other information required under this subpart by U.S. mail or by any other means to which the recipient has agreed to receive account information, including electronically. A bank that is required to provide an original check or a sufficient copy (each of which is defined as a specific paper document) instead may provide an electronic image of the original check or sufficient copy if the recipient has agreed to receive that information electronically.
82
What are the funds availability schedules under EFAA? [VI - 1.1]
See p. 25-36 of the manual
83
What is the Background of the Final Rule that protected covered federal benefits from being Garnished? [VI - 4.1]
Garnishment of Accounts Containing Federal Benefit Payments Introduction Many consumers receive Federal benefit payments that are protected under Federal law from being accessed or “garnished” by creditors, other than the United States government and certain State agencies, through a garnishment order or similar written instruction issued by a court. Despite these protections, developments in debt collection practices and technology, including the direct deposit of benefits, have led to an increase in the freezing of accounts containing Federal benefit payments by financial institutions that receive a garnishment order. As a result, the Department of the Treasury (Fiscal Service), the Social Security Administration, the Department of Veterans Affairs, the Railroad Retirement Board, and the Office of Personnel Management have jointly issued a rule1 (interagency regulation or regulation) that a financial institution must follow when it receives a garnishment order against an account holder who receives certain Federal benefit payments by direct deposit.
84
What are the types of Federal benefit payments covered by the interagency regulation? [VI - 4.1]
The types of Federal benefit payments covered by the interagency regulation are:
* Social Security benefits;
* Supplemental Security Income benefits;
* Veterans benefits;
* Federal Railroad retirement, unemployment and sickness benefits;
* Civil Service Retirement System benefits; and
* Federal Employee Retirement System benefits.
85
What procedures are financial institutions required to follow under the regulation? [VI - 4.1]
The Federal banking agencies are responsible for enforcing compliance with this regulation.2 Under the regulation, generally, financial institutions that receive a garnishment order are required to follow certain procedures, including the following: (1) determine whether any account held by the named account holder received exempt Federal payments by direct deposit; (2) determine the sum of protected Federal benefits deposited to each individual account during a two month period; and (3) ensure that the account holder has access to an amount equal to that sum or to the current balance of such account(s), whichever is lower. When a financial institution receives a garnishment order, it must first determine whether the order was obtained by the United States or issued by a State child support enforcement agency.3 If so, the financial institution follows its customary procedures for handling the order since Federal benefit payments can generally be accessed or garnished by such agencies. If the garnishment order was not obtained by the United States or issued by a State child support enforcement agency, the financial institution must follow the interagency regulation to protect Federal benefit payments directly deposited into a consumer’s account during a two-month “lookback” period. The interagency regulation contains provisions on the timing of an account review, the determination of the protected amount, notice to the account holder (including a model form) regarding the garnishment order, and record retention. In addition, the interagency regulation allows a financial institution to rely on the presence of certain ACH identifiers (i.e., character “XX” encoded in the appropriate positions of the “Company Entry Description” field and the number “2” in the “Originator Status Code” field of the Batch Header Record) to determine whether a direct deposit payment is a Federal benefit payment for purposes of the regulation. 
1 Final rule published in the Federal Register on May 29, 2013. Effective June 28, 2013. 78 FR at 32099. Interim final rule published in the Federal Register on February 23, 2011. Effective May 1, 2011. 76 FR at 9939. 2 The regulation specifically defines “Federal banking agency” to include: the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the National Credit Union Administration. See 31 CFR 212.3.
86
The financial institution must notify the account holder that the financial institution has received a garnishment order, if all of the following conditions are met (AKA the financial institution can garnish funds when what conditions are met?): [VI - 4.1]
The financial institution must notify the account holder that the financial institution has received a garnishment order, if all of the following conditions are met: (1) a covered benefit agency deposited a benefit payment into an account during the lookback period; (2) the balance in the account on the date of account review was above zero dollars and the financial institution established a protected amount; and (3) there are funds in the account in excess of the protected amount. For an account containing a protected amount, the financial institution may not charge or collect a garnishment fee against the protected amount. The financial institution may charge or collect a garnishment fee against additional funds deposited to the account up to five business days after the account review date.
87
What is the scope of the interagency regulation that governs garnishments? [VI - 4.1]
Scope (31 CFR 212.2)
The interagency regulation applies to financial institutions that hold accounts into which the following benefits have been directly deposited:
1. Social Security Administration
* Social Security benefits
* Supplemental Security Income benefits
2. Department of Veterans Affairs
* Veterans benefits
3. Railroad Retirement Board
* Federal Railroad retirement, unemployment and sickness benefits
4. Office of Personnel Management
* Civil Service Retirement System benefits
* Federal Employee Retirement System benefits

3 A State child support enforcement agency is the single and separate organizational unit in a State that has the responsibility for administering or supervising the State's plan for child and spousal support pursuant to Title IV, Part D, of the Social Security Act, 42 U.S.C. 654. See 31 CFR 212.3.
88
What is the definition of "Account" under the interagency regulation that governs garnishments? [VI - 4.1]
“Account” means an account, including a master account or subaccount, at a financial institution to which an electronic payment may be directly routed.4 4 An account does not include an account to which a benefit payment is subsequently transferred following its initial delivery by direct deposit to another account. See 76 FR at 9950. If a payment recipient is assigned a customer number that serves as a “prefix” for individual sub-accounts, the individual sub-account (and not the “master account”) is subject to the account review and lookback. See 78 FR at 32100.
89
What is the definition of "Account Holder" under the interagency regulation that governs garnishments? [VI - 4.1]
“Account holder” means a natural person against whom a garnishment order is issued and whose name appears in a financial institution's records as the direct or beneficial owner of an account.
90
What is the definition of "Account Review" under the interagency regulation that governs garnishments? [VI - 4.1]
“Account review” means the process of examining deposits in an account to determine if a benefit agency has deposited a benefit payment into the account during the lookback period.
91
What is the definition of a "Benefit Agency" under the interagency regulation that governs garnishments? [VI - 4.1]
“Benefit agency” means the Social Security Administration, the Department of Veterans Affairs, the Railroad Retirement Board, or the Office of Personnel Management.
92
What is the definition of a "Benefit Payment" under the interagency regulation that governs garnishments? [VI - 4.1]
“Benefit payment” means a Federal benefit payment referred to in 31 CFR 212.2(b) paid by direct deposit to an account with the character “XX” encoded in positions 54 and 55 of the Company Entry Description field and the number “2” encoded in the Originator Status Code field of the Batch Header Record of the direct deposit entry. 5 5 For more information, see the Treasury Department’s “Guidelines for Garnishment of Accounts Containing Federal Benefit Payments” (https://www.fms.treas.gov/greenbook/Garnishment-Guideline-06-13.pdf).
93
What is the definition of a “Freeze” or “account freeze" under the interagency regulation that governs garnishments? [VI - 4.1]
“Freeze” or “account freeze” means an action by a financial institution to seize, withhold, or preserve funds, or to otherwise prevent an account holder from drawing on or transacting against funds in an account, in response to a garnishment order.
94
What is the definition of “Garnish” or “garnishment” under the interagency regulation that governs garnishments? [VI - 4.1]
“Garnish” or “garnishment” means execution, levy, attachment, garnishment, or other legal process.
95
What is the definition of a “Garnishment fee” under the interagency regulation that governs garnishments? [VI - 4.1]
“Garnishment fee” means any service or legal processing fee, charged by a financial institution to an account holder, for processing a garnishment order or any associated withholding or release of funds.
96
What is the definition of a “Garnishment order” or “order” under the interagency regulation that governs garnishments? [VI - 4.1]
“Garnishment order” or “order” means a writ, order, notice, summons, judgment, levy, or similar written instruction issued by a court, a State or State agency, a municipality or municipal corporation, or a State child support enforcement agency, including a lien arising by operation of law for overdue child support or an order to freeze the assets in an account, to effect a garnishment against a debtor.
97
What is the definition of a Lookback period under the interagency regulation that governs garnishments? [VI - 4.1]
Lookback period means the two-month period that (a) begins on the date preceding the date of account review and (b) ends on the corresponding date of the month two months earlier, or on the last date of the month two months earlier if the corresponding date does not exist. For example, under this definition, the lookback period that begins on November 15 would end on September 15. On the other hand, the lookback period that begins on April 30 would end on February 28 (or 29 in a leap year), to reflect the fact that there are not 30 days in February. Other examples illustrating the application of this definition are included in Appendix C of the interagency regulation.
98
What is the definition of “Protected amount” under the interagency regulation that governs garnishments? [VI - 4.1]
“Protected amount” means the lesser of: 1. The sum of all benefit payments posted to an account between the close of business on the beginning date of the lookback period and the open of business on the ending date of the lookback period; or 2. The balance in an account when the account review is performed. 6 The account balance includes intraday items such as ATM or cash withdrawals. The balance does not include any line of credit associated with the account. See 78 FR at 32101-32102.
99
What are the requirements for Initial Action upon Receipt of a Garnishment Order (31 CFR 212.4)? [VI - 4.1]
Initial Action upon Receipt of a Garnishment Order (31 CFR 212.4) Within two business days after receiving a garnishment order, and prior to taking any other action related to the order, a financial institution must determine whether the order was obtained by the United States or issued by a State child support enforcement agency.7 To make this determination, the financial institution may rely on a “Notice of Right to Garnish Federal Benefits” (see Appendix B of the interagency regulation). For such orders obtained by the United States or issued by a State child support enforcement agency, the financial institution should not follow the interagency regulation but instead should follow its customary procedures for handling a garnishment order. For all other garnishment orders, the financial institution is required to follow the procedures in 31 CFR 212.5 and 212.6. If a State law establishes a minimum protected amount before a garnishment order can be applied, the financial institution need not examine the order to determine if a Notice of Right to Garnish Federal Benefits is attached or included, or take any of the additional steps required under the rule.8
7 Financial institutions will not violate State law by utilizing the two-day period, because the rule preempts any State requirement that an order be processed on the day of receipt. See 78 FR at 32104.
8 State law is not inconsistent with the interagency regulation if it protects benefit payments in an account from being frozen or garnished at a higher protected amount than required under the regulation. For further discussion on preemption of State law (31 CFR 212.9), see “Comments and Analysis” section in Part II of Supplementary Information of the final rule. See 78 FR at 32106-32107.
100
What are the timing requirements of the account reviews? [VI - 4.1]
Account Review (31 CFR 212.5) Timing of account review After having been served a garnishment order issued against a debtor, a financial institution must perform an account review: 1. No later than two business days following receipt of both the garnishment order and sufficient information from the creditor to determine whether the debtor is an account holder; or 2. By a later date permitted by the creditor in situations where the financial institution is served a batch of a large number of orders. The date must be consistent with the terms of the orders and the financial institution must maintain records on such batches and creditor permissions, consistent with 31 CFR 212.11(b).
101
What are the account review procedures when there was No benefit payment deposited during lookback period? [VI - 4.1]
No benefit payment deposited during lookback period If the account review shows that a benefit agency did not deposit a benefit payment into the account during the lookback period, then the financial institution should follow its customary procedures for handling the garnishment order and not the procedures in 31 CFR 212.6.
102
What are the account review procedures when there was a benefit payment deposited during lookback period? [VI - 4.1]
Benefit payment deposited during lookback period If the account review shows that a benefit agency deposited a benefit payment into the account during the lookback period, then the financial institution must follow the procedures in 31 CFR 212.6.
103
What are the procedures for performing Uniform application of account review during lookback period? [VI - 4.1]
Uniform application of account review
The financial institution must perform an account review without consideration for any other attributes of the account or the garnishment order, such as:
1. The presence of other funds, from whatever source, that may be commingled in the account with funds from a benefit payment;
2. The existence of a co-owner on the account;
3. The existence of benefit payments to multiple beneficiaries, and/or under multiple programs, deposited in the account;
4. The balance in the account, provided the balance is above zero dollars on the date of account review;
5. Instructions to the contrary in the order; or
6. The nature of the debt or obligation underlying the order.
104
What is the Priority of account review? [VI - 4.1]
Priority of account review The financial institution must perform the account review prior to taking any other actions related to the garnishment order that may affect funds in the account.
105
What are the Rules and Procedures to Protect Benefits (31 CFR 212.6)? [VI - 4.1]
Rules and Procedures to Protect Benefits (31 CFR 212.6) If an account review shows that covered Federal benefits have been directly deposited into an account during the lookback period, the financial institution must comply with the rules and procedures to protect Federal benefits set forth in 31 CFR 212.6.
106
What are the procedures for establishing a protected amount? [VI - 4.1]
Protected amount The financial institution must calculate and establish the protected amount for an account, ensuring that the account holder has full access to the protected amount.9 The financial institution may not freeze the protected amount in response to the garnishment order. Further, the account holder may not be required to assert any right of garnishment exemption prior to accessing the protected amount in the account. 9 Where an account holder had debit card access to an account prior to the receipt of a garnishment order, the requirement to provide “full and customary” access to the protected amount means the account holder should have debit card access to that amount. See 78 FR at 32104. Also, the interagency regulation does not limit a Federal credit union’s right to exercise its statutory lien authority against the protected amount in a member’s account. A lien may be enforced against an account when the member fails to satisfy an outstanding financial obligation due and payable to the Federal credit union. 12 U.S.C. 1757(11) and 12 CFR 701.39.
107
What are the procedures for establishing separate protected amounts? [VI - 4.1]
Separate protected amounts The financial institution must calculate and establish the protected amount separately for each account in the name of an account holder, consistent with the requirements in 31 CFR 212.5(f) to conduct distinct account reviews.
108
What are the procedures for handling funds in excess of the protected amount? [VI - 4.1]
Funds in excess of the protected amount For any funds in an account in excess of the protected amount, the financial institution must follow its customary procedures for handling garnishment orders, including the freezing of funds, provided they are consistent with paragraphs (f) and (g) of 31 CFR 212.6.
109
What is the One-time account review process? [VI - 4.1]
One-time account review process The financial institution is only required to perform the account review one time after it receives a garnishment order. The financial institution should not repeat the account review or take any other action related to the order if the same order is subsequently served again upon the financial institution. However, if the financial institution is subsequently served a new or different garnishment order against the same account holder, the financial institution must perform a separate and new account review.10 10 A “new” garnishment order means the creditor has gone back to court and obtained a new order, as opposed to re-filing an order previously served (https://www.fms.treas.gov/greenbook/FAQs-May-12-trsy-ver1.pdf). A garnishment order that is re-issued after the return date, under a different execution number, would not constitute a “new” garnishment order.
110
What are the continuing or periodic garnishment responsibilities? [VI - 4.1]
No continuing or periodic garnishment responsibilities The financial institution may not continually garnish amounts deposited or credited to the account following the date of account review. It also must take no action to freeze any funds subsequently deposited or credited, unless the institution is served with a new or different garnishment order.
111
What is an Impermissible garnishment fee? [VI - 4.1]
Impermissible garnishment fee The financial institution may not charge or collect a garnishment fee against a protected amount. The financial institution may charge or collect a garnishment fee up to five business days after the account review if funds other than a benefit payment are deposited to the account within this period, provided that the fee may not exceed the amount of the non-benefit deposited funds.
112
What are the Notice to the Account Holder (31 CFR 212.7) Requirements? [VI - 4.1]
Notice to the Account Holder (31 CFR 212.7) A financial institution must send an account holder named in the garnishment order a notice if: 1. A covered Federal benefit payment was directly deposited into an account during the lookback period; 2. The balance in the account on the date of account review was above zero dollars and the financial institution established a protected amount; and 3. There are funds in the account in excess of the protected amount.
113
What are the Notice Content Requirements for the Notice to Account Holder? [VI - 4.1]
Notice content
The notice must contain the following information in readily understandable language:
1. The financial institution's receipt of an order against the account holder;
2. The date on which the order was served;
3. A succinct explanation of garnishment;
4. The financial institution's requirement under the interagency regulation to ensure that account balances up to the protected amount specified in 31 CFR 212.3 are protected and made available to the account holder if a benefit agency deposited a benefit payment into the account in the last two months;
5. The account subject to the order and the protected amount established by the financial institution;
6. The financial institution's requirement pursuant to State law to freeze other funds in the account to satisfy the order and the amount frozen, if applicable;
7. The amount of any garnishment fee charged to the account, consistent with 31 CFR 212.6;
8. A list of the Federal benefit payments subject to this interagency regulation, as identified in 31 CFR 212.2(b);
9. The account holder's right to assert against the creditor that initiated the order a further garnishment exemption for amounts above the protected amount, by completing exemption claim forms, contacting the court of jurisdiction, or contacting the creditor, as customarily applicable for a given jurisdiction;
10. The account holder's right to consult an attorney or legal aid service in asserting against the creditor that initiated the order a further garnishment exemption for amounts above the protected amount; and
11. The name of the creditor, and, if contact information is included in the order, means of contacting the creditor.
114
What content may be included in optional garnishment notices? [VI - 4.1]
Optional notice content The financial institution also may provide the account holder in readily understandable language any of the following information: 1. The means of contacting a local free attorney or legal aid service; 2. The means of contacting the financial institution; and 3. A disclaimer that the financial institution is not providing legal advice by sending the required notice to the account holder.
115
What are the procedures for Amending notice content of garnishment notices? [VI - 4.1]
Amending notice content The financial institution may also amend the content of the notice to integrate information about a State's garnishment rules and protections in order to avoid potential confusion or harmonize the notice with State requirements, or to provide more complete information about an account.
116
What are the requirements for Notice delivery? [VI - 4.1]
Notice delivery The financial institution must issue the notice directly to the account holder, or to a fiduciary who administers the account and receives communications on behalf of the account holder. Only information and documents pertaining to the garnishment order (including other notices or forms that may be required under State or local law) may be included in the communication.
117
What are the requirements for Timing of Notice delivery? [VI - 4.1]
Notice timing The financial institution must send the notice to the account holder within three business days of the date of account review.
118
What are the notification requirements for multiple accounts? [VI - 4.1]
One notice for multiple accounts The financial institution may issue one notice with information related to multiple accounts of an account holder.
119
What are the Record Retention (31 CFR 212.11) requirements? [VI - 4.1]
Record Retention (31 CFR 212.11) A financial institution must maintain records of account activity and actions taken in response to a garnishment order, sufficient to demonstrate compliance with this part, for a period of not less than two years from the date on which the financial institution receives the garnishment order.11 11 The financial institution has discretion in deciding what documentation to retain. The appropriate documentation may vary depending on the circumstances of each situation. See 78 FR at 32107.
120
What is the Model Notice to Account Holder (31 CFR 212, Appendix A)? [VI - 4.1]
Model Notice to Account Holder (31 CFR 212, Appendix A) A financial institution may use the model notice found in Appendix A to the interagency regulation to meet the requirements of 31 CFR 212.7. Although use of the model notice is not required, a financial institution using it properly is deemed to be in compliance with 31 CFR 212.7.
121
What enacts UDAP and UDAAP? [VII - 1.1]
Introduction These examination procedures inform examiners about activities that may constitute unfair, deceptive, or abusive acts or practices and how to evaluate the effectiveness of FDIC supervised institutions’ processes for identifying, measuring, monitoring, and otherwise mitigating the risks associated with them. In this context, unfair, deceptive, or abusive acts or practices are legal standards established pursuant to Section 5 of the Federal Trade Commission Act (FTC Act) and the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act). Throughout these procedures these standards will be referred to, respectively, as “FTC UDAPs” and “Dodd-Frank UDAAPs.”
122
How do examiners assess UDAP and UDAAP risks? [VII - 1.1]
The FDIC utilizes a risk-focused examination approach to promote, assess, and confirm institutions’ compliance with FTC UDAPs and/or Dodd-Frank UDAAPs. While FTC UDAPs and/or Dodd-Frank UDAAPs occur infrequently, they may result in significant consumer harm and erode consumer confidence in the financial institution. Heightened risk may be present in situations involving: changes to a bank’s products or services; the offering of a complex or atypical product; and marketing and delivery strategies using one or more third party providers. A FTC UDAP and/or Dodd-Frank UDAAP finding is dependent on the relevant specific facts and circumstances; each institution is different and presents distinct potential risks. Accordingly, examination staff should apply the instructions in these procedures consistently as part of their assessment of institutions. In addition, the FDIC will conduct appropriate legal analysis based on the FTC UDAP and/or Dodd-Frank UDAAP standards, and consider the particular facts and circumstances at each institution to determine whether a violation has occurred.
123
What is the background of UDAP and UDAAP? [VII - 1.1]
Background In 1938, Congress expanded the FTC Act to not only prohibit unfair methods of competition but to also prohibit “unfair or deceptive acts or practices” in or affecting commerce to allow the FTC to directly protect consumers. See 15 U.S.C. § 45(a) (Section 5 of the FTC Act). These procedures provide information regarding the applicability of Section 5 of the FTC Act. In 2010, Congress passed the Dodd-Frank Act. Section 1036 of the Dodd-Frank Act prohibits a “covered person”1 from engaging in unfair, deceptive, or abusive acts or practices (Dodd-Frank UDAAP). See 12 U.S.C. § 5536. Section 1031 of the Dodd-Frank Act provides authority to the Consumer Financial Protection Bureau (CFPB) to promulgate rules identifying such acts or practices as unfair, deceptive, or abusive in connection with consumer financial products and services generally. See 12 U.S.C. § 5531. These procedures also provide information regarding Sections 1031 and 1036 of the Dodd-Frank Act.2 The legal standards for “unfair” and “deceptive” under Section 5 of the FTC Act and the Dodd-Frank Act are substantially similar. Further, the legal standards for unfair, deceptive, or abusive are independent of each other. Depending on the facts, an act or practice may be unfair or deceptive or abusive or any combination of the three, or not constitute a violation.
1 The term “covered person” means (1) any person who engages in offering or providing a consumer financial product or service; and (2) any affiliate of a person described in (1) if such affiliate acts as a service provider to such person. See 12 U.S.C. § 5481(6).
2 Information on Dodd-Frank and its standards of unfair, deceptive and abusive begins on page VII-1.4.
124
What is covered under Section 5 of the FTC Act? [VII - 1.1]
Section 5 of the FTC Act The banking agencies3 have authority to enforce Section 5 of the FTC Act for the institutions they supervise and their institution affiliated parties (IAPs). The FDIC has provided notice to state nonmember institutions of its intent to cite them and their IAPs for violations of Section 5 of the FTC Act, and of its intent to take appropriate action pursuant to its authority under Section 8 of the Federal Deposit Insurance Act (FDI Act) when a FTC UDAP violation is cited. The FTC has authority to take action against nonbanks that engage in a FTC UDAP. If a FTC UDAP involves an entity or entities over which more than one agency has enforcement authority such as, for example, the FDIC and the FTC, the agencies may coordinate their enforcement actions. *Unlike many consumer protection laws, Section 5 of the FTC Act also applies to transactions that may impact business customers as well as individual consumers.4 On March 11, 2004, the FDIC and the Board of Governors of the Federal Reserve System (FRB) issued additional guidance regarding FTC UDAPs prohibited by Section 5 of the FTC Act.5 Following the release of the guidance, the FDIC issued examination procedures, which include:
* Standards used to assess whether an act or practice is unfair or deceptive
* Interplay between the FTC Act and other consumer protection statutes
* Examination procedures for determining compliance with the FTC Act standards, including risk assessment procedures that should be followed to determine if transaction testing is warranted
* Best practices for documenting a case
* Corrective actions that should be considered for violations of Section 5 of the FTC Act
* List of resources
NOTE: In August 2014, the FDIC, FRB, CFPB, the National Credit Union Administration (NCUA), and the Office of the Comptroller of the Currency (OCC) (collectively, the Agencies) issued guidance regarding certain consumer credit practices as they relate to Section 5 of the FTC Act. The authority to issue credit practices rules under Section 5 of the FTC Act (e.g., Regulation AA, Credit Practices Rule) for banks, savings associations, and federal credit unions was repealed as a consequence of the Dodd-Frank Act. *Notwithstanding the repeal of such authority, the guidance indicated that the Agencies continue to have supervisory and enforcement authority regarding unfair or deceptive acts or practices, which could include those practices previously addressed in the former credit practices rules. Such practices included: (1) the use of certain provisions in consumer credit contracts, (2) the misrepresentation of the nature or extent of cosigner liability, and (3) the pyramiding of late fees. The guidance clarifies that institutions should not construe the repeal of these rules to indicate that the unfair or deceptive practices described in these former regulations are permissible. The guidance makes clear that these practices remain subject to Section 5 of the FTC Act and Sections 1031 and 1036 of the Dodd-Frank Act.
3 Federal Deposit Insurance Corporation, Federal Reserve Board, and Office of the Comptroller of the Currency.
4 FTC v. IFC Credit Corp., 543 F. Supp. 2d 925, 943 (2008): “The FTC has construed the term ‘consumer’ to include businesses as well as individuals. Deference must be given to the interpretation of the agency charged by Congress with the statute’s implementation.”
5 See FIL-26-2004, Unfair or Deceptive Acts or Practices Under Section 5 of the Federal Trade Commission Act (March 11, 2004).
125
What are the Standards for Determining What is Unfair or Deceptive under Section 5 of the FTC Act (UDAP)? [VII - 1.1]
Standards for Determining What is Unfair or Deceptive The legal standard for unfairness is independent of the legal standard for deception. Depending on the facts, an act or practice may be unfair, deceptive, both, or neither. *Section 5 of the FTC Act also applies to commercial transactions and businesses. In applying these statutory factors, the FDIC will identify and take action whenever it finds conduct that is unfair or deceptive, as such conduct falls well below the high standards of business practice expected of banks and the parties affiliated with them. FTC UDAPs may also violate other federal or state laws. However, practices that fully comply with consumer protection or other laws may still violate Section 5 of the FTC Act. For additional information, please refer to the “Relationship to Other Laws” section further in this document.
126
What constitutes Unfair Acts or Practices under Section 5 of the FTC Act (UDAP)? [VII - 1.1]
Unfair Acts or Practices The FDIC applies the same standards as the FTC in determining whether an act or practice is unfair. These standards were first stated in the FTC Policy Statement on Unfairness. An act or practice is unfair when it (1) causes or is likely to cause substantial injury to consumers, (2) cannot be reasonably avoided by consumers, and (3) is not outweighed by countervailing benefits to consumers or to competition. Congress codified the three-part unfairness test in 1994.6 Public policy may also be considered in the analysis of whether a particular act or practice is unfair. All three of the elements necessary to establish unfairness are discussed further below.
Unfair CCI
Continue - Causes or is likely to cause substantial injury to consumers
Cycling - Cannot be reasonably avoided by consumers
Indoors - Is not outweighed by countervailing benefits to consumers or to competition
127
What defines "The act or practice must cause or be likely to cause substantial injury to consumers" under Section 5 of the FTC Act (UDAP)? [VII - 1.1]
Continue - Causes or is likely to cause substantial injury to consumers * The act or practice must cause or be likely to cause substantial injury to consumers. Substantial injury usually involves monetary harm, but can also include, in certain circumstances, unquantifiable or non-monetary harm. An act or practice that causes a small amount of harm to a large number of people, or a significant amount of harm to a small number of people, may be deemed to cause substantial injury. An injury may be substantial if it raises significant risk of concrete harm. Trivial or merely speculative harms are typically insufficient for a finding of substantial injury. Emotional impact and other more subjective types of harm will not ordinarily make a practice unfair.
128
What defines "Consumers must not be reasonably able to avoid the injury" under Section 5 of the FTC Act (UDAP)? [VII - 1.1]
Cycling - Cannot be reasonably avoided by consumers Consumers must not be reasonably able to avoid the injury. An act or practice is not considered unfair if consumers may reasonably avoid injury. Consumers cannot reasonably avoid injury from an act or practice if it interferes with their ability to effectively make decisions or to take action to avoid injury. This may occur if material information about a product, such as pricing, is modified or withheld until after the consumer has committed to purchasing the product, so that the consumer cannot reasonably avoid the injury. It also may occur where testing reveals that disclosures do not effectively explain an act or practice to consumers.7 A practice may also be unfair where consumers are subject to undue influence or are coerced into purchasing unwanted products or services. *Because consumers should be able to survey the available alternatives, choose those that are most desirable, and avoid those that are inadequate or unsatisfactory, the question is whether an act or practice unreasonably impairs the consumer’s ability to make an informed decision, not whether the consumer could have made a wiser decision. In accordance with FTC case law, the FDIC will not second-guess the wisdom of particular consumer decisions. Instead, the FDIC will consider whether an institution’s behavior unreasonably creates an obstacle that impairs the free exercise of consumer decision-making. The actions that a consumer is expected to take to avoid injury must be reasonable. While a consumer could potentially avoid harm by hiring independent experts to test products in advance or bring legal claims for damages, these actions generally would be too expensive to be practical for individual consumers and, therefore, are not reasonable. 
7 The FRB’s testing of certain disclosures concluded that consumers cannot reasonably avoid certain payment allocation and billing practices because disclosures fail to adequately explain these practices. See Jeanne M. Hogarth & Ellen A. Merry, Designing Disclosures to Inform Consumer Financial Decision making: Lessons Learned from Consumer Testing, Federal Reserve Bulletin (August 2011), https://www.federalreserve.gov/pubs/bulletin/2011/pdf/designingdisclosures2011.pdf (summarizing the outcomes of consumer tests on various financial product disclosures). The FTC discusses potential ways to make electronic disclosures clear and understandable in its “Dot Com Disclosures: How to Make Effective Disclosures in Digital Advertising” (March 2013), available at https://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-staff-revises-online-advertising-disclosure-guidelines/130312dotcomdisclosures.pdf.
129
What defines "The injury must not be outweighed by countervailing benefits to consumers or to competition" under Section 5 of the FTC Act (UDAP)? [VII - 1.1]
Inside - Is not outweighed by countervailing benefits to consumers or to competition. The injury must not be outweighed by countervailing benefits to consumers or to competition. To be unfair, the act or practice must be injurious in its net effects — that is, the injury must not be outweighed by any offsetting consumer or competitive benefits that are also produced by the act or practice. Offsetting consumer or competitive benefits may include lower prices or a wider availability of products and services. Nonetheless, both consumers and competition benefit from preventing unfair acts or practices because prices are likely to better reflect actual transaction costs, and merchants who do not rely on unfair acts or practices are no longer required to compete with those who do. Unfair acts or practices injure both consumers and competitors because consumers who would otherwise have selected a competitor’s product are wrongly diverted by the unfair act or practice. Costs that would be incurred for remedies or measures to prevent the injury are also taken into account in determining whether an act or practice is unfair. These costs may include the costs to the institution in taking preventive measures and the costs to society as a whole of any increased burden and similar matters.
130
How may Public Policy be Considered when determining whether an act or practice is unfair? [VII - 1.1]
Public Policy May be Considered Public policy, as established by statute, regulation, judicial decision, or agency determination, may be considered with all other evidence in determining whether an act or practice is unfair. Public policy considerations by themselves, however, will not serve as the primary basis for determining that an act or practice is unfair. For example, the fact that a particular lending practice violates a state law or a banking regulation may be considered as evidence in determining whether the act or practice is unfair. Conversely, the fact that a particular practice is permitted by statute or regulation may, under some circumstances, be considered as evidence that the practice is not unfair. The requirements of the Truth in Lending Act (TILA), the Truth in Savings Act (TISA), the Fair Credit Reporting Act (FCRA), or the Fair Debt Collection Practices Act (FDCPA) are examples of public policy considerations. However, an institution’s compliance with another statute or regulation does not insulate the institution from liability for an unfair act or practice under Section 5 of the FTC Act. Fiduciary responsibilities under state law may clarify public policy for actions, especially those involving trusts, guardianships, unsophisticated consumers, the elderly, or minors. State statutes and regulations that prohibit FTC UDAPs are often aimed at making sure that lenders do not exploit the lack of access to mainstream banking institutions by low-income individuals, the elderly, and minorities.
131
What are Deceptive Acts or Practices under Section 5 of the FTC Act? [VII - 1.1]
Deceptive Acts or Practices A three-part test is used to determine whether a representation, omission, or practice is deceptive. This test was first laid out in the FTC Policy Statement on Deceptive Acts and Practices.8 First, the representation, omission, or practice must mislead or be likely to mislead the consumer. Second, the consumer’s interpretation of the representation, omission, or practice must be reasonable under the circumstances. Third, the misleading representation, omission, or practice must be material.9 As a general matter, the standards for establishing deception are less burdensome than the standards for establishing unfairness because, under deception, there is no requirement of substantial injury or the likelihood of substantial injury, or the other elements of unfairness related to consumer injury. The following discusses all three of the elements necessary to establish deception.10
8 See FTC Policy Statement on Deceptive Acts and Practices.
9 See FTC Act Policy Statement on Deceptive Acts and Practices.
10 Clear and Conspicuous Disclosures When evaluating the three-part test for deception, the four “Ps” should be considered: prominence, presentation, placement, and proximity. First, is the statement prominent enough for the consumer to notice? Second, is the information presented in an easy to understand format that does not contradict other information in the package and at a time when the consumer’s attention is not distracted elsewhere? Third, is the placement of the information in a location where consumers can be expected to look or hear? Finally, is the information in close proximity to the claim it qualifies? More information is available at: https://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-staff-revises-online-advertising-disclosure-guidelines/130312dotcomdisclosures.pdf
132
What is the first element under the Deceptive prong of UDAP, "There must be a representation, omission, or practice that misleads or is likely to mislead the consumer"? [VII - 1.1]
There must be a representation, omission, or practice that misleads or is likely to mislead the consumer. An act or practice may be found to be deceptive if there is a representation, omission, or practice that misleads or is likely to mislead a consumer. Deception is not limited to situations in which a consumer has already been misled. Instead, an act or practice may be found to be deceptive if it is likely to mislead consumers. A representation may be in the form of express or implied claims or promises and may be written or oral. Omission of information may be deceptive if disclosure of the omitted information is necessary to prevent a consumer from being misled. An individual statement, representation, or omission is not evaluated in isolation to determine if it is misleading, but rather in the context of the entire advertisement, transaction, or course of dealing. Acts or practices that have the potential to be deceptive include: making misleading cost or price claims; using bait-and-switch techniques; offering to provide a product or service that is not in fact available; omitting material limitations or conditions from an offer; selling a product unfit for the purposes for which it is sold; and failing to provide promised services.
133
What is the second element under the Deceptive prong of UDAP, "The act or practice must be considered from the perspective of the reasonable consumer"? [VII - 1.1]
The act or practice must be considered from the perspective of the reasonable consumer. In determining whether an act or practice is misleading, the consumer’s interpretation of or reaction to the representation, omission, or practice must be reasonable under the circumstances. In other words, whether an act or practice is deceptive depends on how a reasonable member of the target audience would interpret the marketing material. When representations or marketing practices are targeted to a specific audience, such as the elderly or the financially unsophisticated, the communication is reviewed from the point of view of a reasonable member of that group. If a representation conveys two or more meanings to reasonable consumers and one meaning is misleading, the representation may be deceptive. Moreover, a consumer’s interpretation or reaction may indicate that an act or practice is deceptive under the circumstances, even if the consumer’s interpretation is not shared by a majority of the consumers in the relevant class, so long as a significant minority of such consumers is misled. Written disclosures may be insufficient to correct a misleading statement or representation, particularly where the consumer is directed away from qualifying limitations in the text or is counseled that reading the disclosures is unnecessary. Likewise, oral disclosures or fine print are generally insufficient to cure a misleading headline or prominent written representation. Finally, a deceptive act or practice cannot be cured by subsequent truthful disclosures.
134
What is the third element under the Deceptive prong of UDAP, "The representation, omission, or practice must be material"? [VII - 1.1]
The representation, omission, or practice must be material. A representation, omission, or practice is material if it is likely to affect a consumer’s decision to purchase or use a product or service. In general, information about costs, benefits, or restrictions on the use or availability of a product or service is material. When express claims are made with respect to a financial product or service, the claims will be presumed to be material. While intent to deceive is not a required element of proving that an act or practice is deceptive, the materiality of an implied claim will be presumed if it can be shown that the institution intended that the consumer draw certain conclusions based upon the claim. Claims made with knowledge that they are false will also be presumed to be material. Omissions will be presumed to be material when the financial institution knew or should have known that the consumer needed the omitted information to make an informed choice about the product or service.
135
What do Sections 1031 and 1036 of the Dodd-Frank Act (Dodd-Frank UDAAP) cover? [VII - 1.1]
Sections 1031 and 1036 of the Dodd-Frank Act (Dodd-Frank UDAAP) Title X of the Dodd-Frank Act provides exclusive supervisory authority and primary enforcement authority to the CFPB for insured depository institutions with total assets over $10 billion for the Dodd-Frank UDAAP provisions of Sections 1031 and 1036 of the Dodd-Frank Act.11 The Dodd-Frank Act provides the FDIC with supervisory and enforcement authority for Dodd-Frank UDAAP, as well as other Federal consumer financial laws, for state, nonmember banks with total assets of $10 billion or less.12 As a result of the provisions contained in the Dodd-Frank Act and Section 5 of the FTC Act, the FDIC has supervisory or enforcement authority that includes both FTC UDAP and Dodd-Frank UDAAP in certain situations.13 The standards for determining whether an act or practice is unfair or deceptive under the Dodd-Frank Act are substantially similar to the FTC Act standards.14 Section 1036 of the Dodd-Frank Act prohibits unfair, deceptive, or abusive acts and practices with respect to consumer financial products and services generally.15
***An abusive act or practice is one that:
* Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service or
* Takes unreasonable advantage of:
  o A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service; or
  o The inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or
  o The reasonable reliance by the consumer on a covered person16 to act in the interests of the consumer.17
Unlike the standards for unfairness or deception under Section 5 of the FTC Act, where all prongs of the test must be met for there to be a violation, the abusive standard lays out individual, stand-alone tests to determine if an act or practice is abusive. Although abusive acts also may be unfair or deceptive, examiners should be aware that the legal standards for abusive, unfair, and deceptive are independent of each other.
11 12 U.S.C. § 5531; 12 U.S.C. § 5536.
12 The Dodd-Frank Act provided the FDIC backup enforcement authority with respect to Dodd-Frank UDAAP over FDIC-supervised institutions with total assets over $10 billion.
13 The FDIC also has the authority to enforce any federal law or regulation under the general grant of authority provided by Section 8 of the Federal Deposit Insurance Corporation Act, 12 U.S.C. § 1818.
14 See 12 U.S.C. § 5531.
15 See 12 U.S.C. § 5536.
16 The term “covered person” means (1) any person who engages in offering or providing a consumer financial product or service; and (2) any affiliate of a person described in (1) if such affiliate acts as a service provider to such person. See 12 U.S.C. § 5481(6).
17 See 12 U.S.C. § 5531(d)(1)-(2).
136
What is the Role of Consumer Complaints in Identifying Unfair, Deceptive, or Abusive Acts or Practices? [VII - 1.1]
The Role of Consumer Complaints in Identifying Unfair, Deceptive, or Abusive Acts or Practices Consumer complaints play a key role in the detection of FTC UDAPs and Dodd-Frank UDAAPs. Consumer complaints have often been an essential source of information for possible FTC UDAPs and Dodd-Frank UDAAPs and can also be an indicator of weaknesses in elements of the institution’s compliance management system, such as training, internal controls, or monitoring. While the absence of complaints does not ensure that FTC UDAPs or Dodd-Frank UDAAPs are not occurring, the presence of complaints may be a red flag indicating that a more detailed review is warranted. This is especially the case when similar complaints are received from several consumers regarding the same product or service. One of the three tests in evaluating an apparent deceptive practice is: “The act or practice must be considered from the perspective of the reasonable consumer.” Consumer complaints provide a window into the perspective of the reasonable consumer.
137
What is the Role of Complaint Resolution Procedures as they relate to UDAP or UDAAP? [VII - 1.1]
Complaint Resolution Procedures Examiners should interview institution staff about consumer complaints and the institution’s procedures for resolving and monitoring consumer complaints. Examiners should determine whether management has responded promptly and appropriately to consumer complaints. The FDIC expects institutions to be proactive in resolving consumer complaints, as well as monitoring complaints for trends that indicate potential FTC UDAP or Dodd-Frank UDAAP concerns. Institutions should centralize consumer complaint handling and ensure that all complaints are captured, whether they are made via telephone, mail, email, in person, the institution’s regulator, text message, live chat, or other methods. In addition to resolving individual complaints, an institution should take action to improve its business practices and compliance management system, when appropriate. The institution’s audit and/or monitoring function should also include a review of consumer complaints.
138
What are Sources for Identifying Complaints as they relate to UDAP or UDAAP? [VII - 1.1]
Sources for Identifying Complaints Consumer complaints can originate from many different sources. The primary sources for complaints are those received directly by the institution and those received by the FDIC National Center for Consumer and Depositor Assistance Consumer Response Unit (Consumer Response Unit). Secondary sources for complaints include State Attorneys General or Banking Departments, the Better Business Bureau, the FTC’s Consumer Sentinel database, the CFPB’s Consumer Complaint Database, consumer complaint boards, and web blogs. In many cases, complaints have been identified through simple Internet searches with the institution’s name or particular product or service that it offers. At times, former employees may post complaints. These can be an important information source. For institutions that have significant third party relationships, complaints may have been directed to the third party, rather than to the institution. Examiners should determine if the institution is provided with copies of complaints received by third parties. If they are not, this would be a red flag and should be examined further.
139
How should complaints be analyzed in relation to UDAP or UDAAP? [VII - 1.1]
Analyzing Complaints Examiners should consider conducting transaction testing when consumers repeatedly complain about an institution’s product or service. However, even a single complaint may raise valid concerns that would warrant transaction testing. Complaints that allege misleading or false statements, missing disclosure information, excessive fees, inability to reach customer service, or previously undisclosed charges may indicate a possible FTC UDAP or Dodd-Frank UDAAP. 18 If a large volume of complaints exists, examiners should create a spreadsheet that details the complainant, date, source (i.e., institution, website, etc.), product or service involved, summary of the issue, and action taken by the institution. The spreadsheets can then be used to identify trends by type of product or issue. The Consumer Response Unit can be of assistance during this process by creating spreadsheets for complaints that were received by the FDIC. When reviewing complaints, examiners should look for trends. While a large volume of complaints may indicate an area of concern, the number of complaints alone is not dispositive of whether a potential FTC UDAP or Dodd-Frank UDAAP exists. Conversely, a small number of complaints does not undermine the seriousness of the allegations that are raised. If even a single complaint raises valid concerns relative to a FTC UDAP or Dodd-Frank UDAAP, a more thorough review may be warranted. It is important to focus on the issues raised in the complaints and the institution’s responses, and not just on the number of complaints. Note also that high rates of chargebacks or refunds regarding a product or service can be indicative of potential FTC UDAP or Dodd-Frank UDAAP violations. This information may not appear in the consumer complaint process. 
When reviewing complaints, also look for any complaints lodged against subsidiaries, affiliates, third-parties, and affinity groups regarding activities that involve the institution, a product offered through the institution, or a product offered using the institution’s name. While the institution may not be actively involved in the activity, if it is a branded product or product offered through a third-party relationship, the institution can be held responsible and face the same risks as if the activity was housed within the institution. In re Columbus Bank and Trust Company, First Bank of Delaware, First Bank and Trust (Brookings, South Dakota), and CompuCredit Corporation19 is an example of where complaints against a third-party directly related to the institutions and the institutions were held accountable for the activities of the third-party.
18 See FDIC, Supervisory Insights, Winter 2006, Vol. 3, Issue 2, Chasing the Asterisk: A Field Guide to Caveats, Exceptions, Material Misrepresentations, and Other Unfair or Deceptive Acts or Practices.
19 Available at http://www.fdic.gov.
140
How do UDAP and UDAAP relate to other laws? [VII - 1.1]
Relationship to Other Laws Unfair, deceptive, or abusive acts or practices that violate the FTC Act or the Dodd-Frank Act may also violate other federal or state laws. These include, but are not limited to, TILA, TISA, the Equal Credit Opportunity Act (ECOA), the Fair Housing Act (FHA), the FDCPA, the FCRA, and laws related to the privacy of consumer financial information. On the other hand, certain practices may violate the FTC Act or the Dodd-Frank Act while complying with the technical requirements of other consumer protection laws. Examiners should consider both possibilities. The following laws may warrant particular attention in this regard:
141
How do UDAP and UDAAP relate to the Truth in Lending Act (TILA)? [VII - 1.1]
Truth in Lending Act (TILA) Pursuant to TILA, creditors must “clearly and conspicuously” disclose the costs and terms of credit. An act or practice that does not comply with these provisions of TILA may also violate the FTC Act or the Dodd-Frank Act. Conversely, a transaction that is in technical compliance with TILA may nevertheless violate the FTC Act or the Dodd-Frank Act. For example, an institution’s credit card advertisement may contain all the required TILA disclosures, but limitations or restrictions that are obscured or inadequately disclosed may be considered a FTC UDAP or Dodd-Frank UDAAP.
142
How do UDAP and UDAAP relate to the Truth in Savings Act (TISA)? [VII - 1.1]
Truth in Savings Act (TISA) TISA requires depository institutions to provide interest and fee disclosures for deposit accounts so that consumers may compare deposit products. TISA also provides that advertisements cannot be misleading or inaccurate or misrepresent an institution’s deposit contract. As with TILA, an act or practice that does not comply with these provisions may also violate the FTC Act or the Dodd-Frank Act, but transactions that are in technical compliance with TISA may still be considered as unfair, deceptive, or abusive. For example, consumers could be misled by advertisements of “guaranteed” or “lifetime” interest rates when the creditor or depository institution intends to change the rates, even if the disclosures satisfy the technical requirements of TISA.
143
How do UDAP and UDAAP relate to the Equal Credit Opportunity (ECOA) and Fair Housing (FHA) Acts? [VII - 1.1]
Equal Credit Opportunity (ECOA) and Fair Housing (FHA) Acts ECOA prohibits discrimination in any aspect of a credit transaction against persons on the basis of race, color, religion, national origin, sex, marital status, age (provided the applicant has the capacity to contract), the fact that an applicant’s income derives from any public assistance program, and the fact that the applicant has in good faith exercised any right under the Consumer Credit Protection Act. The FHA prohibits creditors involved in residential real estate transactions from discriminating against any person on the basis of race, color, religion, sex, handicap, familial status, or national origin. FTC UDAPs and Dodd-Frank UDAAPs that target or have a disparate impact on consumers in one of these prohibited basis groups may violate the ECOA or the FHA, as well as the FTC Act or the Dodd-Frank Act. Moreover, some state and local laws address discrimination against additional protected classes, e.g., handicap in non-housing transactions, or sexual orientation. Such conduct may also violate the FTC Act or the Dodd-Frank Act.
144
How do UDAP and UDAAP relate to the Fair Debt Collection Practices Act (FDCPA)? [VII - 1.1]
Fair Debt Collection Practices Act (FDCPA) The FDCPA prohibits unfair, deceptive, and abusive practices related to the collection of consumer debts. Although this statute does not apply to institutions that collect their own debts in their own name, failure to adhere to the standards set by the FDCPA may violate FTC UDAP.20 Moreover, institutions that either affirmatively or through lack of oversight permit a third-party debt collector acting on their behalf to engage in deception, harassment, or threats in the collection of monies due may be exposed to liability for participating in or permitting a FTC UDAP. 20 The same conduct could also violate Dodd-Frank UDAAP; however, interpretive authority for the Dodd-Frank Act rests with the CFPB.
145
How do UDAP and UDAAP relate to the Fair Credit Reporting Act (FCRA)? [VII - 1.1]
Fair Credit Reporting Act (FCRA) The FCRA contains significant responsibilities for institutions that obtain and use information about consumers to determine the consumer’s eligibility for products, services, or employment; share such information among affiliates; and furnish information to consumer reporting agencies. The FCRA was substantially amended with the passage of the Fair and Accurate Credit Transactions Act (FACT Act) in 2003, which contained many new consumer disclosure requirements as well as provisions to address identity theft. Violations of the FCRA may also be considered as a FTC UDAP or Dodd-Frank UDAAP. For example, obtaining and using unsolicited medical information (outside of the exceptions provided by the rule) to make credit decisions may also be considered as unfair.
146
How do UDAP and UDAAP relate to Privacy of Consumer Financial Information regulations? [VII - 1.1]
Privacy of Consumer Financial Information Regulation P (12 CFR Part 1016.12) prohibits an institution or its affiliates from disclosing a customer’s account number or similar access code for a credit card, deposit, or transaction account to a nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail. There are only three exceptions to this prohibition. A financial institution may disclose its customers’ account numbers to: (1) a consumer reporting agency; (2) its agent to market the institution’s own products or services, provided that the agent is not authorized to directly initiate charges to the account; or (3) another participant in a private label credit card or an affinity or similar program involving the institution. Depending upon the totality of the circumstances, an institution that does not comply with these requirements may be also engaging in FTC UDAPs. 21 The same conduct could also violate Dodd-Frank UDAAP; however, interpretive authority for the Dodd-Frank Act rests with the CFPB.
147
What is Third-Party Risk and what guidance does this section of the manual provide? [VII - 4.1]
Introduction The board of directors and management of an insured depository institution (institution) are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risks arising from such relationships, to the same extent as if the activity were handled within the institution. The use of third-party relationships does not relinquish responsibility of the board of directors and management. The institution’s officials are expected to have a clearly defined system of risk management controls built into the management system that governs the institution’s compliance operations, including controls over activities conducted by affiliates and third-party vendors. The more significant the third party program, the more important it is that the institution conduct regular periodic reviews of the adequacy of its oversight and controls over third-party relationships. Examiners should evaluate all applicable activities conducted through third-party relationships as though the activities were performed by the institution itself. It must be emphasized that while an institution may properly seek to mitigate the risks of third-party relationships through the use of indemnity agreements with third parties, such agreements do not insulate the institution from its ultimate responsibility to conduct banking-related activities in a safe and sound manner and in compliance with applicable consumer protection laws and regulations including fair lending laws and regulations (for example, the Equal Credit Opportunity Act (ECOA) and the Fair Housing Act). The Federal Financial Institutions Examination Council’s Uniform Interagency Consumer Compliance Rating System (CC Rating System), which is a supervisory policy for evaluating financial institutions’ adherence to consumer compliance requirements, addresses third-party relationships.
Under the CC Rating System, each financial institution is assigned a consumer compliance rating. The CC Rating System requires examiners to review a financial institution’s management of third-party relationships and servicers as part of its overall consumer compliance program. These examination procedures provide additional context and guidance for compliance examiners when evaluating an institution’s third-party relationships. These procedures include a description of potential risks arising from third-party relationships and provide examiners with insight on how to assess compliance risk for third-party business relationships.
148
Under what circumstances could a third-party relationship be considered significant? [VII - 4.1]
A third-party relationship could be considered “significant” if:
* the institution’s relationship with the third party is a new relationship or involves implementing new institution activities;
* the relationship has a material effect on the institution’s revenues or expenses;
* the third party performs critical functions;
* the third party stores, accesses, transmits, or performs transactions on sensitive customer information;
* the third-party relationship significantly increases the institution’s geographic market;
* the third party provides a product or performs a service involving lending or card payment transactions;
* the third party poses risks that could materially affect the institution’s earnings, capital, or reputation;
* the third party provides a product or performs a service that covers or could cover a large number of consumers;
* the third party provides a product or performs a service that implicates several or higher risk consumer protection regulations;
* the third party is involved in deposit taking arrangements such as affinity arrangements; or
* the third party markets products or services directly to institution customers that could pose a risk of financial loss to the individual.
149
What is the background of third-party relationships and the risks they pose? [VII - 4.1]
Background For purposes of this guidance, the term “third party” is broadly defined to include all entities that have entered into a business relationship with the institution, whether the third party is a bank or a nonbank, affiliated or not affiliated, regulated or nonregulated, a wholly- or partially-owned subsidiary, or a domestic or a foreign institution. Institutions generally enter into third-party relationships by outsourcing1 certain operational functions to a third party or by using a third party to make products and services available that the institution does not originate. Also, institutions may enter into arrangements with third parties in which the institution funds directly or indirectly through a line of credit certain products originated by a third party. As the financial services industry continues to evolve, some institutions are also using third parties for functions that are either new or have traditionally been performed in-house, e.g., outsourcing the institution’s audit function. The use of third parties can aid institution management in attaining strategic objectives by increasing revenues or reducing costs. The use of a third party also serves as a vehicle for management to access greater expertise or efficiency for a particular activity. Appropriately managed third-party relationships can enhance competitiveness, provide diversification, and ultimately strengthen the safety and soundness and compliance management system (CMS) of the institution. However, third-party arrangements also present risks if not properly managed. Specifically, failure to manage these risks can expose an institution to supervisory action, financial loss, litigation, and reputational damage. To that end, the decision about whether to use a third party should be considered by an institution’s board of directors and management, taking into account the circumstances unique to the potential relationship. 
Institutions have also been presented with increasing opportunities to enter into contractual arrangements with foreign-based third-party service providers to fulfill outsourcing needs. Examiners should evaluate these relationships with, at least, the same level of vigilance and scrutiny as with domestic third-party service providers (see discussion of Country Risk below). These examination procedures provide a framework for examining the effectiveness of an institution’s CMS as it relates to the policies and procedures for overseeing, managing, and controlling third-party relationships. More importantly, this guidance supplements, but does not replace, previously issued information on third-party risk and is intended to aid in the examination of third-party arrangements.2
1 The term “outsourcing” is a vernacular expression that refers to a company or business that contracts or subcontracts a service or function to a third party that might otherwise be performed by in-house employees. Institutions may use the terms “outsourcing” and “third-party” interchangeably. However, examiners should remember that services and functions outsourced by an institution contain varying degrees of risk. Therefore, when reviewing for third-party risk, examiners should request a listing of all functions and services outsourced to ensure that appropriate relationships that have third-party risk are captured for review.
2 Financial Institution Letter 44-2008 dated June 6, 2008, entitled Third Party Risk, Guidance for Managing Third-Party Risk
150
What are Potential Risks Arising from Third-Party Relationships? [VII - 4.1]
Potential Risks Arising from Third-Party Relationships There are numerous risks that may arise from an institution’s use of third parties. Some of the risks are associated with the underlying activity itself, similar to the risks faced by an institution directly conducting the activity. Other potential risks arise from or are heightened by the involvement of a third party. Failure to prevent or mitigate these risks can expose an institution to supervisory action, financial loss, litigation, and reputation damage, and may even impair the institution’s ability to establish new or service existing customer relationships. Not all of the following risks will be applicable to every third party relationship; however, complex or significant arrangements may have definable risks in most areas. The institution’s board of directors and management should understand the nature of these risks in the context of the institution’s current or planned use of third parties and in establishing and evaluating the institution’s risk oversight and control systems. The following summary of risks is not considered all-inclusive.
151
What is Compliance Risk that arises from Third-Party Relationships? [VII - 4.1]
“Compliance Risk” Compliance risk is the risk arising from violations of laws, rules, or regulations, or from noncompliance with the institution’s internal policies or procedures or business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies, or ethical standards. For example, some third parties may engage in product marketing practices that are deceptive in violation of Section 5 of the Federal Trade Commission Act, or lending practices that are discriminatory in violation of the ECOA and the Consumer Financial Protection Bureau’s Regulation B. The ability of the third party to maintain the privacy of customer records and to implement an appropriate information security and disclosure program is another compliance concern. Liability could potentially extend to the institution when third parties experience security breaches involving customer information in violation of the safeguarding requirements of customer information, as set out in Federal Deposit Insurance Corporation (FDIC) and Federal Trade Commission regulations. Compliance risk is exacerbated when an institution has inadequate oversight, monitoring, or audit functions over third-party relationships.
152
What is Reputation Risk that arises from Third-Party Relationships? [VII - 4.1]
“Reputation Risk” Reputation risk is the risk arising from negative public opinion. Third-party relationships that result in dissatisfied customers, unexpected customer financial loss, interactions not consistent with institution policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and violations of laws and regulations are all examples that could harm the reputation and standing of the institution. Any negative publicity involving the third party, whether or not the publicity is related to the institution’s use of the third party, could result in reputation risk.
153
What is Strategic Risk that arises from Third-Party Relationships? [VII - 4.1]
“Strategic Risk” Strategic risk is the risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the institution’s strategic goals. The use of a third party to perform banking functions or to offer products or services that do not help the institution achieve corporate strategic goals and provide an adequate return on investment exposes the institution to strategic risk.
154
What is Operational Risk that arises from Third-Party Relationships? [VII - 4.1]
“Operational Risk” Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events. Third-party relationships often integrate the internal processes of other organizations with the institution’s processes and can increase the overall operational complexity.
155
What is Transaction Risk that arises from Third-Party Relationships? [VII - 4.1]
“Transaction Risk” Transaction risk is the risk arising from problems with service or product delivery. A third party’s failure to perform as expected by customers or the institution due to reasons such as inadequate capacity, technological failure, human error, or fraud, exposes the institution to transaction risk. The lack of an effective business resumption plan and appropriate contingency plans increases transaction risk. Weak control over technology used in the third-party arrangement may result in threats to security and the integrity of systems and resources. These issues could result in unauthorized transactions or the inability to transact business as expected.
156
What is Credit Risk that arises from Third-Party Relationships? [VII - 4.1]
“Credit Risk” Credit risk is the risk that a third party, or any other creditor necessary to the third-party relationship, is unable to meet the terms of the contractual arrangements with the institution or to otherwise financially perform as agreed. The basic form of credit risk involves the financial condition of the third party itself. Some contracts provide that the third party ensures some measure of performance related to obligations arising from the relationship, such as loan origination programs. In these circumstances, the financial condition of the third party is a factor in assessing credit risk. Credit risk also arises from the use of third parties that market or originate certain types of loans, solicit and refer customers, conduct underwriting analysis, or set up product programs for the institution. Appropriate monitoring of the financial activity of the third party is necessary to ensure that credit risk is understood and remains within board-approved limits.
157
What is Country Risk that arises from Third-Party Relationships? [VII - 4.1]
“Country Risk” Country risk is the exposure to the economic, social and political conditions and events in a foreign country that may adversely affect the ability of the foreign-based third-party service provider (FBTSP) to meet the level of service required by the arrangement, resulting in harm to the institution. In extreme cases, this exposure could result in the loss of data, research and development efforts, or other assets. Contracting with a FBTSP exposes an institution to country risk, a unique characteristic of these arrangements. Managing country risk requires the ability to gather and assess information regarding a foreign government’s policies, including those addressing information access, as well as local political, social, economic, and legal conditions.
158
What are the Other Risks that arise from Third-Party Relationships? [VII - 4.1]
“Other Risks” The types of risk introduced by an institution’s decision to use a third party cannot be fully assessed without a complete understanding of the resulting arrangement. Therefore, a comprehensive list of potential risks that could be associated with a third-party relationship is not possible. In addition to the risks described above, third-party relationships may also subject the institution to liquidity, interest rate, price, legal, and foreign currency translation risks.
159
What are pragmatic examples of concerns that can surface if there is lack of appropriate oversight and monitoring of third-party relationships and associated CMSs? [VII - 4.1]
* Where the institution lends its name or regulated entity status to products and services originated by others or activities predominantly conducted by others, and those vendors engage in practices that may be considered predatory, abusive, or unfair and deceptive to consumers;
* When possible violations of fair lending and consumer protection laws and regulations occur, particularly when the actual involvement of the institution and the third party is invisible to the customer;
* Where the third-party relationships do not meet the expectation of the institution’s customers;
* Where, due to the third party, the customer experiences poor service, disruption of service, financial loss resulting from not understanding product or service risks or alternatives, and inferior choices stemming from lack of disclosure(s);
* When privacy of consumer and customer records is not adequately protected;
* Where the third party is unable to deliver products or services due to fraud, error, inadequate capacity, or technology failure, and where there is a lack of effective business resumption and contingency planning for such situations;
* Where a problem or issue lies with a service being rendered by a third party that went undetected by the institution because an appropriate audit or monitoring program was not in place for the third-party relationship; and
* Where the third party is the auditor for the institution’s CMS and management failed to properly oversee and manage the scope and intensity of these audits to ensure reviews were comprehensive or covered areas of significant risk.
160
What are the four main elements of an effective third-party risk compliance management process?
Compliance Management System Review
The key to the effective and successful use of a third party in any capacity is for the institution’s management to appropriately assess, measure, monitor, and control the risks associated with the relationship and weave that process into its CMS. While engaging another entity may aid management and the board in achieving strategic goals, such an arrangement reduces management’s direct control. Therefore, the use of a third party increases the need for robust oversight of the process from start to finish. This guidance provides four main elements of an effective third-party risk compliance management process:
1. Risk Assessment – The process of assessing risks and options for controlling third-party arrangements.
2. Due Diligence in Selecting a Third Party – The process of selecting a qualified entity to implement the activity or program.
3. Contract Structuring and Review – The process of ensuring that the specific expectations and obligations of both the institution and the third party are outlined in a written contract prior to entering into the arrangement—a contract should act as a map to the relationship and define its structure.
4. Oversight – The process of reviewing the operational and financial performance of third-party activities over those products and services performed through third-party arrangements on an ongoing basis, to ensure that the third party meets and can continue to meet the terms of the contractual arrangement.
While these four elements apply to any third-party activities, the precise use of this process is predicated upon the nature of the third-party relationship, the scope and magnitude of the activity, and the risks identified. These examination procedures are not intended to result in an expansion or a decrease in the use of third parties by institutions, but to provide a framework for assessing, measuring, monitoring, and controlling risks associated with third parties.
A comprehensive risk management process, which includes management of any third-party relationships, will enable management to ensure that the third party is operating in a manner consistent with federal and state laws, rules, and regulations, including those intended to protect consumers. With that, the aforementioned four elements will serve as the nexus for examining the effectiveness of an institution’s oversight and management of third-party relationships.
161
What are the GLBA Privacy provisions AKA Privacy of Consumer Financial Information Act? [VIII–1.1]
Title V, Subtitle A of the Gramm-Leach-Bliley Act (“GLBA”)1 governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless (i) the institution satisfies various notice and opt-out requirements, and (ii) the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.
1 15 U.S.C. Sections 6801-6809.
162
What is the background of the Privacy Provisions of the GLBA AKA Privacy of Consumer Financial Information Act? [VIII–1.1]
* GLBA: FRB and other agencies made rules to implement subpart of the GLBA
* Part of Dodd-Frank Act gave rulemaking authority to the CFPB
* CFPB can also examine/enforce privacy provisions under GLBA for entities it supervises; FTC has some rulemaking authority (i.e. for motor vehicle dealers)
* In 2011, CFPB re-codified regulations implementing privacy provisions of GLBA into Reg P
In 2000, the Board of Governors of the Federal Reserve System (“Board”), the Federal Deposit Insurance Corporation (“FDIC”), the National Credit Union Administration (“NCUA”), the Office of the Comptroller of the Currency (“OCC”), and the former Office of Thrift Supervision (“OTS”), published regulations implementing provisions of GLBA governing the treatment of nonpublic personal information about consumers by financial institutions.2 Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”)3 granted rulemaking authority for most provisions of Subtitle A of Title V of GLBA to the Consumer Financial Protection Bureau (“CFPB”) with respect to financial institutions and other entities subject to the CFPB’s jurisdiction, except securities and futures-related companies and certain motor vehicle dealers. The Dodd-Frank Act also granted authority to the CFPB to examine and enforce compliance with these statutory provisions and their implementing regulations with respect to entities under CFPB jurisdiction.4 In December 2011 the CFPB recodified in Regulation P, 12 CFR Part 1016, the implementing regulations that were previously issued by the Board, the FDIC, the Federal Trade Commission (“FTC”), the NCUA, the OCC, and the former OTS.5
2 The NCUA published its final rule in the Federal Register on May 18, 2000 (65 FR 31722). The Board, the FDIC, the OCC, and the former OTS jointly published their final rules on June 1, 2000 (65 FR 35162).
3 Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Pub. L. No. 111-203, Title X, 124 Stat. 1983 (2010).
4 Dodd-Frank Act Sections 1002(12)(J), 1024(b)-(c), and 1025(b)-(c); 12 U.S.C. Sections 5481(12)(J), 5514(b)-(c), and 5515(b)-(c). Section 1002(12)(J) of the Dodd-Frank Act, however, excluded financial institutions’ information security safeguards under GLBA section 501(b) from the CFPB’s rulemaking, examination, and enforcement authority.
5 76 FR 79025 (Dec. 21, 2011). Pursuant to GLBA, the FTC retains rulemaking authority over any financial institution that is a person described in 12 U.S.C. Section 5519 (with certain statutory exceptions, the FTC generally retains rulemaking authority for motor vehicle dealers predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both).
163
What disclosures does Reg P limit and require? [VIII–1.1]
The regulation establishes rules governing duties of a financial institution to provide particular notices and limitations on its disclosure of nonpublic personal information, as summarized below.
* A financial institution must provide notice of its privacy policies and practices, and allow the consumer to opt out of the disclosure of the consumer’s nonpublic personal information to a nonaffiliated third party if the disclosure is outside of the exceptions in sections 13, 14, or 15 of the regulation. If the financial institution provides the consumer’s nonpublic personal information to a nonaffiliated third party under the exception in section 13, it must provide notice of its privacy policies and practices to the consumer. Under the exception in section 13, the financial institution must also enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to perform services for the institution or functions on the institution’s behalf, including use under an exception in sections 14 or 15 in the ordinary course of business to carry out those services or functions. If the financial institution complies with these requirements, it is not required to provide an opt out notice.
* Regardless of whether a financial institution shares nonpublic personal information, the institution must provide notice of its privacy policies and practices to its customers.
* A financial institution generally may not disclose consumer account numbers to any nonaffiliated third party for marketing purposes.
* A financial institution must follow redisclosure and reuse limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.
In general, the privacy notice must describe a financial institution’s policies and practices with respect to collecting and disclosing nonpublic personal information about a consumer to both affiliated and nonaffiliated third parties.
Also, the notice must provide a consumer a reasonable opportunity to direct the institution generally not to share nonpublic personal information about the consumer (that is, to “opt out”) with nonaffiliated third parties other than as permitted by exceptions under the regulation (for example, sharing for everyday business purposes, such as processing transactions and maintaining customers’ accounts, and in response to properly executed governmental requests). The privacy notice must also provide, where applicable under the Fair Credit Reporting Act (“FCRA”), a notice and an opportunity for a consumer to opt out of certain information sharing among affiliates. Section 728 of the Financial Services Regulatory Relief Act of 2006 required the four federal banking agencies (the Board, the FDIC, the OCC, and the former OTS) and four additional federal regulatory agencies (the Commodity Futures Trading Commission (“CFTC”), the FTC, the NCUA, and the Securities and Exchange Commission (“SEC”)) to develop a model privacy form that financial institutions may rely on as a safe harbor to provide disclosures under the privacy rules. On December 1, 2009, the eight federal agencies jointly released a voluntary model privacy form designed to make it easier for consumers to understand how financial institutions collect and share nonpublic personal information.6 The final rule adopting the model privacy form was effective on December 31, 2009. On October 28, 2014, the CFPB published a final rule amending the requirements regarding financial institutions’ provision of their annual disclosures of privacy policies and practices to customers by creating an alternative delivery method that financial institutions can use under certain circumstances.7 The amendment was effective immediately upon publication. 
The alternative delivery method allows a financial institution to provide an annual privacy notice by posting the annual notice on its web site, if the financial institution meets certain conditions. As of December 4, 2015, section 75001 of the Fixing America’s Surface Transportation Act8 (“FAST Act”) amended section 503 of GLBA to establish an exception to the annual privacy notice requirements whereby a financial institution that meets certain criteria is not required to provide an annual privacy notice to customers. The amendment was effective upon enactment. There are fewer requirements to qualify for the exception to providing an annual privacy notice pursuant to the FAST Act GLBA amendments than there are to qualify to use the CFPB’s alternative delivery method; any institution that meets the requirements for using the alternative delivery method is effectively excepted from delivering an annual privacy notice.
6 74 FR 62890.
7 79 FR 64057.
164
What is the definition of a financial institution under Reg P? [VIII–1.1]
Financial Institution: A “financial institution” is any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities, as determined by section 4(k) of the Bank Holding Company Act of 1956. Financial institutions can include banks, securities brokers and dealers, insurance underwriters and agents, finance companies, mortgage bankers, and travel agents.9
9 Certain functionally regulated subsidiaries, such as brokers, dealers, and investment advisers, are subject to GLBA implementing regulations issued by the SEC. Other functionally regulated subsidiaries, such as futures commission merchants, commodity trading advisors, commodity pool operators, and introducing brokers in commodities, are subject to GLBA implementing regulations issued by the CFTC. Insurance entities may be subject to privacy regulations issued by their respective state insurance authorities.
165
What is the definition of Non-Public Personal Information under Reg P? [VIII–1.1]
Nonpublic personal information: “Nonpublic personal information” generally is any information that is not publicly available and that:
* a consumer provides to a financial institution to obtain a financial product or service from the institution;
* results from a transaction between the consumer and the institution involving a financial product or service; or
* a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.
***Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public. Examples include information in a telephone book or a publicly recorded document, such as a mortgage or security interest filing.
***Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (i.e., cookies).
There are special rules regarding lists. Publicly available information would be treated as nonpublic if it were included on a list of consumers derived from nonpublic personal information. For example, a list of the names and addresses of a financial institution’s depositors would be nonpublic personal information even though the same names and addresses might be published in local telephone directories, because the list is derived from the fact that a person has a deposit account with an institution, which is not publicly available information. However, if the financial institution has a reasonable basis to believe that certain customer relationships are a matter of public record, then any list of these relationships would be considered publicly available information.
For instance, a list of mortgage customers from public mortgage records would be considered publicly available information. The institution could provide a list of such customers, and include on that list any other publicly available information it has about those customers without having to provide notice or opt out.
166
What is the definition of Non-Affiliated Third Party under Reg P? [VIII–1.1]
Nonaffiliated third party: A “nonaffiliated third party” is any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the institution’s affiliate. An “affiliate” of a financial institution is any company that controls, is controlled by, or is under common control with the financial institution.
167
What Opt-Out Rights do Consumers Have? [VIII–1.1]
Opt Out Right and Exceptions: The Right—Consumers must be given the right to “opt out” of, or prevent, a financial institution from disclosing nonpublic personal information about them to a nonaffiliated third party unless an exception to that right applies. The exceptions are detailed in sections 13, 14, and 15 of the regulation and described below. As part of the opt out right, consumers must be given a reasonable opportunity and a reasonable means to opt out. What constitutes a reasonable opportunity to opt out depends on the circumstances surrounding the consumer’s transaction, but a consumer must be provided a reasonable amount of time to exercise the opt out right. For example, it would be reasonable if the financial institution allows 30 days from the date of mailing a notice or 30 days after customer acknowledgement of an electronic notice for an opt out direction to be returned. What constitutes a reasonable means to opt out may include check-off boxes, a reply form, or a toll-free telephone number. It is not reasonable to require a consumer to write his or her own letter as the only means to opt out.
168
What are the exceptions to the Opt-Out Rights that Consumers Have? [VIII–1.1]
The Exceptions Exceptions to the opt out right are detailed in sections 13, 14, and 15 of the regulation. Financial institutions need not comply with opt-out requirements if they limit disclosure of nonpublic personal information:
169
What is exception 13 to the Opt-Out Right that Consumers Have? [VIII–1.1]
Section 13: To a nonaffiliated third party to perform services for the financial institution or to function on its behalf, including marketing the institution’s own products or services or those offered jointly by the institution and another financial institution. The exception is permitted only if the financial institution provides an initial notice of these arrangements and by contract prohibits the third party from disclosing or using the information for other than the specified purposes. However, if the service or function is covered by the exceptions in section 14 or 15 (discussed below), the financial institution does not have to comply with the disclosure and confidentiality requirements of section 13.
170
What are the definitions of and distinctions between consumers and customers under Reg P? [VIII–1.1]
Consumer and Customer: The distinction between consumers and customers is significant because financial institutions have additional disclosure duties with respect to customers. Under the regulation, all customers are consumers, but not all consumers are customers. A “consumer” is an individual, or that individual’s legal representative, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes. A “financial service” includes, among other things, a financial institution’s evaluation or brokerage of information that the institution collects in connection with a request or an application from a consumer for a financial product or service. For example, a financial service includes a lender’s evaluation of an application for a consumer loan or for opening a deposit account even if the application is ultimately rejected or withdrawn. Consumers who are not customers are entitled to an initial privacy and opt out notice before the financial institution shares nonpublic personal information with nonaffiliated third parties outside of the exceptions in sections 13, 14, and 15. Consumers who are not customers are entitled to an initial privacy notice before the financial institution shares nonpublic personal information with a nonaffiliated third party under the exception in section 13. Under the exception in section 13, the financial institution must also enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to perform services for the institution or functions on the institution’s behalf, including use under an exception in sections 14 or 15 in the ordinary course of business to carry out those services or functions. If a financial institution complies with these requirements, it is not required to provide an opt out notice. 
Does this mean consumers who are not customers get initial and opt-out notices, unless exception 13 applies, where they'll get the initial but not opt-out? And under exceptions 14 or 15 they don't get the initial or opt-out?
A “customer” is a consumer who has a “customer relationship” with a financial institution. A “customer relationship” is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
* For example, a customer relationship may be established when a consumer engages in one of the following activities with a financial institution:
  ° maintains a deposit or investment account;
  ° obtains a loan;
  ° enters into a lease of personal property; or
  ° obtains financial, investment, or economic advisory services for a fee.
Customers are entitled to initial and annual privacy notices regardless of the information disclosure practices of their financial institution unless an exception to the annual privacy notice requirement applies. There is a special rule for loans. When a financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. However, any information on the borrower retained by the institution that sells the servicing rights must be accorded the protections due any consumer.
* Note that isolated transactions alone will not cause a consumer to be treated as a customer. For example, if an individual purchases a bank check from a financial institution where the person has no account, the individual will be a consumer but not a customer of that institution because he or she has not established a customer relationship.
Likewise, if an individual uses the ATM of a financial institution where the individual has no account, even repeatedly, the individual will be a consumer, but not a customer of that institution.
171
What are a financial institution's duties under Reg P? [VIII–1.1]
Financial Institution Duties: The regulation establishes specific duties and limitations for a financial institution based on its activities. Financial institutions that intend to disclose nonpublic personal information outside the exceptions in sections 13, 14, and 15 will have to provide opt out rights to their customers and to consumers who are not customers. All financial institutions have an obligation to provide initial and annual notices of their privacy policies and practices to their customers (unless an exception to the annual privacy notice requirement applies) and to provide an initial notice to consumers who are not customers before disclosing nonpublic personal information to a nonaffiliated third party other than under sections 14 and 15. All financial institutions must abide by the regulatory limits on the disclosure of account numbers to nonaffiliated third parties and on the redisclosure and reuse of nonpublic personal information received from nonaffiliated financial institutions. A brief summary of financial institution duties and limitations appears below. A more complete explanation of each appears in the regulation.
172
What are a financial institution's duties to consumers under Reg P related to Notice and Opt Out Duties to Consumers? [VIII–1.1]
Notice and Opt Out Duties to Consumers: Before a financial institution discloses nonpublic personal information about any of its consumers to a nonaffiliated third party, and an exception in section 14 or 15 does not apply, then the financial institution must provide to the consumer:
* an initial notice of its privacy policies and practices;
* an opt out notice (including, among other things, a reasonable means to opt out); and
* a reasonable opportunity, before the financial institution discloses the information to the nonaffiliated third party, to opt out.
Before a financial institution discloses nonpublic personal information about a consumer to a nonaffiliated third party under the exception in section 13, the financial institution must provide to the consumer an initial notice of its privacy policies and practices. Under the exception in section 13, the financial institution must also enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to perform services for the institution or functions on the institution’s behalf, including use under an exception in sections 14 or 15 in the ordinary course of business to carry out those services or functions. If a financial institution complies with these requirements, it is not required to provide an opt out notice.
The financial institution may not disclose any nonpublic personal information to nonaffiliated third parties except under the enumerated exceptions unless these notices have been provided and the consumer has not opted out (where applicable). Additionally, the institution must provide a revised notice before the financial institution begins to share a new category of nonpublic personal information or shares information with a new category of nonaffiliated third party in a manner that was not described in the previous notice.
Note that a financial institution need not comply with the initial and opt-out notice requirements for consumers who are not customers if the institution limits disclosure of nonpublic personal information to the exceptions in sections 14 and 15. A financial institution that discloses nonpublic personal information about a consumer to a nonaffiliated third party under the exception in section 13 must provide an initial notice. Under the exception in section 13, the financial institution must also enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to perform services for the institution or functions on the institution’s behalf, including use under an exception in sections 14 or 15 in the ordinary course of business to carry out those services or functions. If these requirements are met, the financial
173
What are a financial institution's duties to consumers under Reg P related to Notice and Opt Out Duties to Customers? [VIII–1.1]
Notice Duties to Customers: In addition to the duties described above, there are several duties unique to customers. In particular, regardless of whether the institution discloses or intends to disclose nonpublic personal information, a financial institution must provide notice to its customers of its privacy policies and practices at various times.
* A financial institution must provide an initial notice of its privacy policies and practices to each customer, not later than the time a customer relationship is established. Section 4(e) of the regulation describes the exceptional cases in which delivery of the notice is allowed subsequent to the establishment of the customer relationship.
* A financial institution must provide an annual notice at least once in any period of 12 consecutive months during the continuation of the customer relationship unless an exception to the annual privacy notice requirement applies.
* Generally, new privacy notices are not required for each new product or service. However, a financial institution must provide a new notice to an existing customer when the customer obtains a new financial product or service from the institution, if the initial or annual notice most recently provided to the customer was not accurate with respect to the new financial product or service.
* When a financial institution does not disclose nonpublic personal information (other than as permitted under section 14 and section 15 exceptions) and does not reserve the right to do so, the institution has the option of providing a simplified notice.
174
What are the requirements for privacy notices under Reg P? [VIII–1.1]
Requirements for Notices: Clear and Conspicuous. Privacy notices must be clear and conspicuous, meaning they must be reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice. The regulation does not prescribe specific methods for making a notice clear and conspicuous, but does provide examples of ways in which to achieve the standard, such as the use of short explanatory sentences or bullet lists, and the use of plain-language headings and easily readable typeface and type size. Privacy notices also must accurately reflect the institution’s privacy practices.
175
What are the delivery rules for privacy notices under Reg P? [VIII–1.1]
Delivery Rules. Privacy notices must be provided so that each recipient can reasonably be expected to receive actual notice in writing, or if the consumer agrees, electronically. To meet this standard, a financial institution could, for example, (1) hand deliver a printed copy of the notice to its consumers, (2) mail a printed copy of the notice to a consumer’s last known address, or (3) for the consumer who conducts transactions electronically, post the notice on the institution’s web site and require the consumer to acknowledge receipt of the notice as a necessary step to completing the transaction. For customers only, a financial institution must provide the initial notice (as well as any annual notice and any revised notice) so that a customer can retain or subsequently access the notice. A written notice satisfies this requirement. For customers who obtain financial products or services electronically, and agree to receive their notices on the institution’s web site, the institution may provide the current version of its privacy notice on its web site. As of October 28, 2014, a financial institution may use an alternative delivery method for providing annual privacy notices to customers through posting the annual notices on their web sites if: (1) no opt out rights are triggered by the financial institution’s information sharing practices under GLBA or under FCRA section 603, and opt out notices required by FCRA section 624 and Subpart C of Regulation V have previously been provided, if applicable, or the annual privacy notice is not the only notice provided to satisfy those requirements; (2) certain information included in the annual privacy notice has not changed since the previous notice; and (3) the financial institution uses the model form provided in the regulation as its annual privacy notice. 
In order to use this alternative delivery method, an institution must: (1) insert a clear and conspicuous statement at least once per year on an account statement, coupon book, or a notice or disclosure the institution issues under any provision of law that informs customers that the annual privacy notice is available on the institution’s web site, that the institution will mail the notice to customers who request it by calling a specific telephone number, and that the notice has not changed; (2) continuously post the current privacy notice in a clear and conspicuous manner on a page on its web site, on which the only content is the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the web site; and (3) mail its current privacy notice to those customers who request it by telephone within ten calendar days of the request. As of December 4, 2015, pursuant to the FAST Act’s GLBA amendment, a financial institution is not required to provide an annual privacy notice to its customers if it: (1) solely shares nonpublic personal information in accordance with the provisions of GLBA sections 502(b)(2) (corresponding to Regulation P section 1016.13) or 502(e) (corresponding to Regulation P sections 1016.14 and .15) or regulations prescribed under GLBA section 504(b); and (2) has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure to its customers that was made in accordance with GLBA section 503. An institution that at any time fails to comply with either of the criteria is not eligible for the exception and is required to provide an annual privacy notice to its customers.
176
What content is required on Reg P Privacy Notices? [VIII–1.1]
Notice Content. A privacy notice must contain specific disclosures. However, a financial institution may provide to consumers who are not also customers a “short form” initial notice together with an opt out notice stating that the institution’s privacy notice is available upon request and explaining a reasonable means for the consumer to obtain it. The following is a list of disclosures regarding nonpublic personal information that institutions must provide in their privacy notices, as applicable:
1. categories of information collected;
2. categories of information disclosed;
3. categories of affiliates and nonaffiliated third parties to whom the institution may disclose information;
4. policies and practices with respect to the treatment of former customers’ information;
5. categories of information disclosed to nonaffiliated third parties that perform services for the institution or functions on the institution’s behalf and categories of third parties with whom the institution has contracted (Section 13);
6. an explanation of the opt out right and methods for opting out;
7. any opt out notices that the institution must provide under the FCRA with respect to affiliate information sharing;
8. policies and practices for protecting the security and confidentiality of information; and
9. a statement that the institution makes disclosures to other nonaffiliated third parties for everyday business purposes or as permitted by law (Sections 14 and 15).
177
What is the Model Privacy Form and what are its requirements? [VIII–1.1]
Model Privacy Form. The Appendix to the regulation contains the model privacy form. A financial institution can use the model form to obtain a “safe harbor” for compliance with the content requirements for notifying consumers of its information-sharing practices and their right to opt out of certain sharing practices. To obtain the safe harbor, the institution must provide a model form in accordance with the instructions set forth in the Appendix of the regulation. Additionally, institutions using the alternative delivery method for providing annual privacy notices to customers must use the model form.
178
What are the Limitations on Disclosure of Account Numbers (section 12) under Reg P? [VIII–1.1]
Limitations on Disclosure of Account Numbers (section 12): A financial institution must not disclose an account number or similar form of access number or access code for a credit card, deposit, or transaction account to any nonaffiliated third party (other than a consumer reporting agency) for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer. ***The disclosure of encrypted account numbers without an accompanying means of decryption, however, is not subject to this prohibition. The regulation also expressly allows disclosures by a financial institution to its agent to market the institution’s own products or services (although the financial institution must not authorize the agent to directly initiate charges to the customer’s account). The regulation also does not bar a financial institution from disclosing account numbers to participants in private-label or affinity card programs, if the participants are identified to the customer when the customer enters the program.
179
What are the Redisclosure and Reuse Limitations on Nonpublic Personal Information Received (section 11) under Reg P? [VIII–1.1]
Redisclosure and Reuse Limitations on Nonpublic Personal Information Received (section 11): If a financial institution receives nonpublic personal information from a nonaffiliated financial institution, its disclosure and use of the information is limited.
* For nonpublic personal information received under a section 14 or 15 exception, the financial institution is limited to:
  ° Disclosing the information to the affiliates of the financial institution from which it received the information;
  ° Disclosing the information to its own affiliates, who may, in turn, disclose and use the information only to the extent that the financial institution can do so; and
  ° Disclosing and using the information pursuant to a section 14 or 15 exception (for example, an institution receiving information for account processing could disclose the information to its auditors).
* For nonpublic personal information received other than under a section 14 or 15 exception, the recipient’s use of the information is unlimited, but its disclosure of the information is limited to:
  ° Disclosing the information to the affiliates of the financial institution from which it received the information;
  ° Disclosing the information to its own affiliates, who may, in turn disclose the information only to the extent that the financial institution can do so; and
  ° Disclosing the information to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which it received the information. For example, an institution that received a customer list from another financial institution could disclose the list in accordance with the privacy policy of the financial institution that provided the list, subject to any opt out election or revocation by the consumers on the list, and in accordance with appropriate exceptions under sections 14 and 15.
180
What is Reg P's relation to the Fair Credit Reporting Act? [VIII–1.1]
Fair Credit Reporting Act: The regulation does not modify, limit, or supersede the operation of the FCRA.
181
What is Reg P's relation to State Law? [VIII–1.1]
State Law: The regulation does not supersede, alter, or affect any state statute, regulation, order, or interpretation, except to the extent that it is inconsistent with the regulation. A state statute, regulation, order, or interpretation is consistent with the regulation if the protection it affords any consumer is greater than the protection provided under the regulation, as determined by the CFPB, on its own motion or upon the petition of any interested party, after consultation with the agency or authority with jurisdiction under section 505(a) of GLBA over either the person who initiated the complaint or that is the subject of the complaint.
182
What Guidelines Regarding Protecting Customer Information must an FI follow? [VIII–1.1]
Guidelines Regarding Protecting Customer Information: The regulation requires a financial institution to disclose its policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information about consumers (whether or not they are customers). The disclosure need not describe these policies and practices in detail, but instead may describe in general terms who is authorized to have access to the information and whether the institution has security practices and procedures in place to ensure the confidentiality of the information in accordance with the institution’s policies. The four federal banking agencies published guidelines, pursuant to section 501(b) of GLBA, that address steps a financial institution should take in order to protect customer information. The guidelines relate only to information about customers, rather than all consumers. Compliance examiners should consider the findings of a 501(b) inspection during the compliance examination of a financial institution for purposes of evaluating the accuracy of the institution’s disclosure regarding information security.
183
What is the COPPA? [VIII - 2.1]
Children’s Online Privacy Protection Act (COPPA), Introduction: COPPA was enacted to prohibit unfair and deceptive acts or practices in connection with the collection, use, or disclosure of personal information from children under the age of 13 in an online environment. Generally, the Act requires operators of Web sites or online services directed to children, or that have actual knowledge that they are collecting or maintaining personal information from children online, to provide certain notices and obtain parental consent to collect, use, or disclose information about children. The FDIC is granted enforcement authority under the Act. Federal Trade Commission regulations (16 CFR 312) that implement COPPA became effective April 21, 2000. Examiners should consider conducting a compliance review using these procedures only when an institution is operating a Web site or online service directed to children that collects or maintains personal information about children, or operating a general audience Web site or online service and knowingly collecting or maintaining personal information from a child online.
184
What is the RFPA? [VIII–3.1]
Right to Financial Privacy Act, Introduction: The 1978 Right to Financial Privacy Act (RFPA) establishes specific procedures that federal government authorities must follow in order to obtain information from a financial institution about a customer’s financial records. Generally, these requirements include obtaining subpoenas, notifying the customer of the request, and providing the customer with an opportunity to object. The Act imposes related limitations and duties on financial institutions prior to the release of information requested by federal authorities. For purposes of RFPA, a customer is defined as any person or representative of that person who utilized or is utilizing any service of a financial institution, or for whom a financial institution is acting or has acted as a fiduciary, in relation to an account maintained in the person’s name. “Person” is defined by the RFPA as an individual or a partnership of five or fewer individuals. Therefore, restrictions in the Act do not apply to the financial records of corporations or partnerships with six or more partners. The RFPA has been amended several times, most recently in 2001, to permit greater access without customer notice to customer information requested for criminal law enforcement purposes and for certain intelligence activities.
185
What is CAN-SPAM? [VIII–4.1]
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, Introduction: Under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM or Act),[1] the Federal Trade Commission (FTC) is charged with issuing regulations for implementing CAN-SPAM.[2] The FTC has issued regulations, effective as of March 28, 2005, that provide criteria to determine the primary purpose of electronic mail (e-mail) messages. The FTC has also issued regulations that contain criteria pertaining to warning labels on sexually oriented materials, which became effective as of May 19, 2004.
[1] 15 USC 7701–7713
[2] Final rules relating to the established criteria for determining when the primary purpose of an e-mail message is commercial were published in the Federal Register on January 19, 2005 (70 FR 3110). Final rules governing the labeling of commercial e-mail containing sexually oriented material were published in the Federal Register on April 19, 2004 (69 FR 21024).
186
What are the goals of CAN-SPAM? [VIII–4.1]
The goals of the act are to:
* Reduce spam and unsolicited pornography by prohibiting senders of unsolicited commercial e-mail messages from disguising the source and content of their messages.
* Give consumers the choice to cease receiving a sender’s unsolicited commercial e-mail messages.
Compliance authority was expressly granted to the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Federal Reserve Board, and the Office of Thrift Supervision to be enforced under Section 8 of the Federal Deposit Insurance Act. The National Credit Union Association was granted authority through the Federal Credit Union Act 12 USC 1751. The FTC has researched and determined that a “Do Not Spam” registry (similar to the highly effective “Do Not Call” registry) would not be effective or practicable at this time.
187
What is the definition of Affirmative Consent under CAN-SPAM? [VIII–4.1]
“Affirmative Consent” (usage: commercial e-mail messages)
* The recipient expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the recipient’s own initiative; and
* If the message is from a party other than the party to which the recipient communicated such consent, the recipient was given clear and conspicuous notice at the time the consent was communicated that the recipient’s e-mail address could be transferred to such other party for the purpose of initiating commercial e-mail messages.
188
What is the definition of Commercial E-Mail Messages under CAN-SPAM? [VIII–4.1]
“Commercial E-mail Message” Any e-mail message the primary purpose of which is to advertise or promote for a commercial purpose, a commercial product or service (including content on the Internet). An e-mail message would not be considered to be a commercial e-mail message solely because such message includes a reference to a commercial entity that serves to identify the sender or a reference or link to an Internet Web site operated for a commercial purpose.
189
What is the definition of Dictionary Attacks under CAN-SPAM? [VIII–4.1]
“Dictionary Attacks” Obtaining e-mail addresses by using an automated means that generates possible e-mail addresses by combining names, letters, or numbers into numerous permutations.
190
What is the definition of Harvesting under CAN-SPAM? [VIII–4.1]
“Harvesting” Obtaining e-mail addresses using an automated means from an Internet Web site or proprietary online service operated by another person, where such service/person, at the time the address was obtained, had provided a notice stating that the operator of such Web site or online service would not give, sell, or otherwise transfer electronic addresses.
191
What is the definition of Header Information under CAN-SPAM? [VIII–4.1]
“Header Information” The source, destination, and routing information attached to the beginning of an e-mail message, including the originating domain name and originating e-mail address.
192
What is the definition of Hijacking under CAN-SPAM? [VIII–4.1]
“Hijacking” The use of automated means to register for multiple e-mail accounts or online user accounts from which to transmit, or enable another person to transmit, a commercial e-mail message that is unlawful.
193
What is the definition of Initiate under CAN-SPAM? [VIII–4.1]
“Initiate” To originate, transmit or to procure the origination or transmission of such message but shall not include actions that constitute routine conveyance. For purposes of the Act, more than one person may be considered to have initiated the same message.
194
What is the definition of Primary Purpose under CAN-SPAM? [VIII–4.1]
“Primary Purpose” The FTC’s regulations provide further clarification regarding determination of whether an e-mail message has “commercial” promotion as its primary purpose. [16 CFR 316.3]
(1) The primary purpose of an e-mail message will be deemed to be commercial if it contains only the commercial advertisement or promotion of a commercial product or service (commercial content);
(2) The primary purpose of an e-mail message will be deemed to be commercial if it contains both commercial content and “transactional or relationship” content (see below for definition) if either:
  * a recipient reasonably interpreting the subject line of the e-mail message would likely conclude that the message contains commercial content; or
  * the e-mail message’s “transactional or relationship” content does not appear in whole or substantial part at the beginning of the body of the message.
(3) The primary purpose of an e-mail message will be deemed to be commercial if it contains both commercial content as well as content that is not transactional or relationship content if a recipient reasonably interpreting either:
  * the subject line of the e-mail message would likely conclude that the message contains commercial content; or
  * the body of the message would likely conclude that the primary purpose of the message is commercial.
(4) The primary purpose of an e-mail message will be deemed to be transactional or relationship (non-commercial) if it contains only “transactional or relationship” content.
195
What is the definition of Recipient under CAN-SPAM? [VIII–4.1]
“Recipient” An authorized user of the electronic mail address to which the message was sent or delivered.
196
What is the definition of Sender under CAN-SPAM? [VIII–4.1]
“Sender” A person who initiates an e-mail message and whose product, service, or Internet Web site is advertised or promoted by the message.
197
What is the definition of Sexually Oriented Material under CAN-SPAM? [VIII–4.1]
“Sexually Oriented Material” Any material that depicts sexually explicit conduct unless the depiction constitutes a small and insignificant part of the whole.
198
What is the definition of a Transactional or Relationship E-Mail under CAN-SPAM? [VIII–4.1]
“Transactional or Relationship E-mail Message” An e-mail message with the primary purpose of facilitating, completing or confirming a commercial transaction that the recipient had previously agreed to enter into; to provide warranty, product recall, or safety or security information; or subscription, membership, account, loan, or other information relating to an ongoing purchase or use.
199
What are the general requirements of the CAN-SPAM Statute? [VIII–4.1]
General Requirements of the CAN-SPAM Statute:
* Prohibits the use of false or misleading transmission information [§7704(a)(1)] such as:
  − False or misleading header information;
  − A “from” line that does not accurately identify any person who initiated the message; and
  − Inaccurate or misleading identification of a protected computer used to initiate the message because the person initiating the message knowingly uses another protected computer to relay or retransmit the message for purposes of disguising its origin.
* Prohibits the use of deceptive subject headings. [§7704(a)(2)]
* Requires a functioning e-mail return address or other Internet-based response mechanism. [§7704(a)(3)]
* Requires that commercial e-mail messages be discontinued within 10 business days after receipt of opt-out notification from recipient. [§7704(a)(4)]
* Requires a clear and conspicuous identification that the message is an advertisement or solicitation; clear and conspicuous notice of the opportunity to decline to receive further commercial e-mail messages from the sender; and a valid physical postal address of the sender. [§7704(a)(5)]
* Prohibits address harvesting (obtaining e-mail addresses using an automated means from an Internet Web site or proprietary online service operated by another person, where such service/person, at the time the address was obtained, had provided a notice stating that the operator of such Web site or online service will not give, sell, or otherwise transfer electronic addresses) and dictionary attacks (obtaining e-mail addresses by using an automated means that generates possible e-mail addresses by combining names, letters, or numbers into numerous permutations). [§7704(b)(1)]
* Prohibits hijacking, the use of automated means to register for multiple e-mail accounts or online user accounts from which to transmit, or enable another person to transmit, a commercial e-mail message that is unlawful. [§7704(b)(2)]
* Prohibits any person from knowingly relaying or retransmitting a commercial e-mail message that is unlawful. [§7704(b)(3)]
* Requires warning labels (in the subject line and within the message body) on commercial e-mail messages containing sexually oriented material. [§7704(d)]
* Prohibits a person from promoting, or allowing the promotion of, that person’s trade or business, or goods, products, property, or services in an unlawful commercial e-mail message. [§7705(a)]
200
What is the TCPA? [VIII - 5.1]
Telephone Consumer Protection Act
Introduction and Overview
The Telephone Consumer Protection Act of 1991 (TCPA) amended the Communications Act of 1934 [1] and was enacted to address telephone marketing calls and certain telemarketing practices. The Federal Communications Commission (FCC) has regulatory authority under the statute.
[1] 47 U.S.C. § 227
201
What is the background of the TCPA? [VIII - 5.1]
In 1992, the FCC adopted rules to implement the TCPA, including the requirement that entities making telephone solicitations institute procedures for maintaining company-specific do-not-call lists.[2] In 2003, the FCC, in coordination with the Federal Trade Commission (FTC), revised its TCPA rules to establish a national Do-Not-Call registry.[3] The national registry is nationwide and covers almost all telemarketers. The FTC administers the registry, which went into effect on October 1, 2003. To reduce the number of hang-up and dead air calls consumers experience, the FCC’s TCPA regulations also contained restrictions on the use of autodialers and requirements for transmitting Caller ID information.
Subsequently, the Junk Fax Prevention Act of 2005 amended provisions of the TCPA related to unsolicited advertising faxes and became effective on July 9, 2005. In 2010, the TCPA was amended to prohibit manipulation of caller identification information, and was amended again in 2015 to provide an exception for calls to collect a debt owed to or guaranteed by the United States from the prohibitions on autodialed calls or prerecorded calls to cell phones and residential lines. However, the Supreme Court deemed this exception unconstitutional in July 2020.[4]
In 2012, the FCC revised its regulations to require telemarketers to (1) no longer allow telemarketers to use an “established business relationship” to avoid getting consent from consumers, (2) obtain prior express written consent from consumers before making calls with an autodialer or that contain a message made with a prerecorded or artificial voice, and (3) require telemarketers to provide an automated, interactive opt-out mechanism during each of the type of calls mentioned above in “(2)” so that consumers can immediately tell the telemarketer to stop calling.
The FCC revised its regulations twice in 2019 to provide a safe harbor from liability for making calls to reassigned telephone numbers and to eliminate the requirement for an opt-out notice on fax advertisements sent with the recipient’s prior express permission or consent. The FCC further revised its regulation in 2021 to implement the Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), in which it codified exemptions for calls to wireless numbers, amended exemptions for artificial or prerecorded voice calls made to residential telephone lines, and included exemptions for calls by financial institutions provided the call is not charged to the called person’s plan limits on minutes or texts.[5]
The FCC’s TCPA regulations apply without exception to financial institutions, including banks, savings associations, and credit unions engaged in any of the telemarketing activities targeted by the TCPA and the FCC’s final rulemaking.
Occasionally, the FCC issues declaratory rulings, also referred to as declaratory orders. The declaratory rulings are issued for the purpose of clarifying the interpretation and application of the TCPA and its implementing regulations, usually to resolve uncertainty and terminate controversies, and are authoritative as to the FCC’s view on the laws and rules they administer. Therefore, the declaratory rulings are included in the examination procedures in this chapter as reference materials and guidance about how the FCC would interpret the TCPA and its implementing regulations in a given factual scenario. However, when examiners discover TCPA violations, financial institutions should be cited for violations of the TCPA and/or its implementing regulations, not the related FCC declaratory rulings.
Pursuant to section 8 of the Federal Deposit Insurance Act, 12 U.S.C. § 1818, the FDIC, the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency have authority to enforce compliance with any laws or regulations in connection with its regulated banks. This section 8 authority allows the agencies to impose cease and desist orders, restitution, and/or civil money penalties when they discover violations of the TCPA. Moreover, the National Credit Union Administration has supervisory and enforcement authority under the Federal Credit Union Act, 12 U.S.C. § 1786(e) and §1786(k). This authority allows the NCUA to consider instituting civil enforcement actions against credit unions and institution-affiliated parties when the agency discovers violations of the TCPA.
In this chapter, the use of the words “person” and “entity” includes banks, savings associations, and credit unions, and third parties acting on behalf of those financial institutions.
[2] 47 C.F.R. § 64.1200
[3] FTC’s regulation (16 C.F.R. §310.4), the Telemarketing and Consumer Fraud and Abuse Prevention Act, and the Do Not Call Implementation Act (15 USC 6151-6155) form the basis of the Do-Not-Call registry.
[4] Barr v. American Association of Political Consultants, Inc., 140 S.Ct. 2335 (2020)
[5] The 2021 revisions became effective on March 29, 2021, except for the amendments to 47 C.F.R. §§ 64.1200(a)(3)(ii) through (v), (b)(2) and (b)(3), and (d), which are delayed indefinitely. See 86 Fed. Reg. 11443 (Feb. 25, 2021). These examination procedures reflect currently effective provisions.
202
What is the definition of an advertisement under the TCPA? [VIII - 5.1]
“Advertisement” means any material advertising the commercial availability or quality of any property, goods, or services.
203
What is the definition of an “Automatic Telephone Dialing System” and “Autodialer” under the TCPA? [VIII - 5.1]
“Automatic Telephone Dialing System” and “Autodialer” mean equipment which has the capacity to store or produce telephone numbers to be called, using a random or sequential number generator; and to dial such numbers.[6]
[6] This is the statutory definition in 47 U.S.C § 227. The text of the definition in the regulation does not contain certain punctuation found in the statutory definition, like the comma. The United States Supreme Court cited to the statutory definition in Facebook v. Duguid 592 U.S. (2021); (141 S.Ct. 1163). To qualify as an “automatic telephone dialing system,” a device must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator. Also see 2020 Declaratory Ruling and Order (FCC 20-670, June 25, 2020) under References section in these procedures for additional FCC guidance on automatic telephone dialing system.
204
What is the definition of “Clear and Conspicuous” under the TCPA? [VIII - 5.1]
“Clear and Conspicuous” means a notice that would be apparent to the reasonable consumer, separate and distinguishable from the advertising copy or other disclosures. With respect to facsimiles and for purposes of notices contained in an unsolicited advertisement,[7] the notice must be placed at either the top or bottom of the facsimile.
[7] 47 C.F.R. § 64.1200(a)(4)(iii)(A)
205
What is the definition of “Emergency Purposes” under the TCPA? [VIII - 5.1]
“Emergency Purposes” means calls made necessary in any situation affecting the health and safety of consumers.
206
What is the definition of an “Established Business Relationship” for the purposes of telephone solicitations under the TCPA? [VIII - 5.1]
“Established Business Relationship” for the purposes of telephone solicitations means a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a residential subscriber, with or without an exchange of consideration, on the basis of the subscriber’s purchase or transaction with the entity within the 18 months immediately preceding the date of the telephone call, or on the basis of the subscriber’s inquiry or application regarding products or services offered by the entity within the three months immediately preceding the date of the call, which relationship has not been previously terminated by either party.
* The subscriber’s seller-specific do-not-call request, as discussed under the Company-Specific Do-Not-Call Lists section below,[8] terminates an established business relationship for purposes of telemarketing and telephone solicitation even if the subscriber continues to do business with the seller.
* The subscriber’s established business relationship with a particular business entity does not extend to affiliated entities unless the subscriber would reasonably expect them to be included given the nature and type of goods or services offered by the affiliate and the identity of the affiliate.
207
What is the definition of an “Established Business Relationship” for purposes of the use of telephone facsimile machine, computer, or other device to send unsolicited advertisements to a telephone facsimile machine on the sending of facsimile advertisements for the purposes of telephone solicitations under the TCPA? [VIII - 5.1]
“Established Business Relationship” for purposes of the use of telephone facsimile machine, computer, or other device to send unsolicited advertisements to a telephone facsimile machine on the sending of facsimile advertisements means a prior or existing relationship formed by a voluntary two-way communication between a person or entity and a business or residential subscriber, with or without an exchange of consideration, on the basis of an inquiry, application, purchase, or transaction by the business or residential subscriber regarding products or services offered by such person or entity, which relationship has not been previously terminated by either party.
208
What is the definition of a “Facsimile Broadcaster” under the TCPA? [VIII - 5.1]
“Facsimile Broadcaster” means a person or entity that transmits messages to telephone facsimile machines on behalf of another person or entity for a fee.
209
What is the definition of a “Personal Relationship” under the TCPA? [VIII - 5.1]
“Personal Relationship” means any family member, friend, or acquaintance of the telemarketer making the call.
210
What is the definition of a “Prior Express Written Consent” under the TCPA? [VIII - 5.1]
“Prior Express Written Consent” means an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial or prerecorded voice, and the telephone number to which the signatory authorizes such advertisements or telemarketing messages to be delivered.
* The written agreement shall include a clear and conspicuous disclosure informing the person signing that:
  o By executing the agreement, such person authorizes the seller to deliver or cause to be delivered to the signatory telemarketing calls using an automatic telephone dialing system or an artificial or prerecorded voice; and
  o The person is not required to sign the agreement (directly or indirectly), or agree to enter into such an agreement as a condition of purchasing any property, goods, or services.
* The term “signature” shall include an electronic or digital form of signature, to the extent that such form of signature is recognized as a valid signature under applicable federal law or state contract law.
211
What is the definition of “Seller” under the TCPA? [VIII - 5.1]
“Seller” means the person or entity on whose behalf a telephone call or message is initiated for the purpose of encouraging purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.
212
What is the definition of “Sender” under the TCPA? [VIII - 5.1]
“Sender” for purposes of the prohibitions discussed under Prohibitions on Use of Telephone Fax Machine, Computer, or Other Device to Send Unsolicited Advertisement to a Telephone Fax Machine section below,[9] means the person or entity on whose behalf a facsimile unsolicited advertisement is sent or whose goods or services are advertised or promoted in the unsolicited advertisement.
[9] 47 C.F.R. § 64.1200(a)(4)
213
What is the definition of “Telemarketer” under the TCPA? [VIII - 5.1]
“Telemarketer” means the person or entity that initiates a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.
214
What is the definition of “Telemarketing” under the TCPA? [VIII - 5.1]
“Telemarketing” means the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person.
215
What is the definition of “Telephone Facsimile Machine” under the TCPA? [VIII - 5.1]
“Telephone Facsimile Machine” means equipment which has the capacity to transcribe text or images, or both, from paper into an electronic signal and to transmit that signal over a regular telephone line, or to transcribe text or images (or both) from an electronic signal received over a regular telephone line onto paper.
216
What is the definition of “Telephone Solicitation” under the TCPA? [VIII - 5.1]
*** “Telephone Solicitation” means the initiation of a telephone call or message for the purpose of encouraging the purchase or rental of, or investment in, property, goods, or services, which is transmitted to any person, but such term does not include a call or message: * To any person with that person’s prior express permission; * To any person with whom the caller has an established business relationship; or * By or on behalf of a tax-exempt nonprofit organization.
217
What is the definition of “Unsolicited Advertisement” under the TCPA? [VIII - 5.1]
“Unsolicited Advertisement” means any material advertising the commercial availability or quality of any property, goods, or services, which is transmitted to any person without that person’s prior express invitation or permission, in writing or otherwise.
218
What are the general Prohibitions on Autodialed or Prerecorded Calls to Cell Phones and Other Sensitive Numbers (47 C.F.R. § 64.1200(a)(1)-(2))? [VIII - 5.1]
Restrictions on Telemarketing, Telephone Solicitation, and Facsimile Advertising - Delivery Restrictions (47 C.F.R. § 64.1200)
Prohibitions on Autodialed or Prerecorded Calls to Cell Phones and Other Sensitive Numbers (47 C.F.R. § 64.1200(a)(1)-(2))
General Prohibitions [10]
No person or entity may initiate any telephone call (other than a call that is made for emergency purposes [11] or with the prior express consent of the called party) using an automatic telephone dialing system or an artificial or prerecorded voice, except as provided in the Exceptions to the General Prohibitions section below,[12] to:
* Any emergency telephone line, including any 911 line and any emergency line of a hospital, medical physician or service office, health care facility, poison control center, or fire protection or law enforcement agency;
* The telephone line of any guest room or patient room of a hospital, health care facility, elderly home, or similar establishment; or
* Any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call.
  o Note: A person will not be liable for violating this prohibition [13] when the call is placed to a wireless number that has been ported from wireline service and such call is a voice call; not knowingly made to a wireless number; and made within 15 days of the porting of the number from wireline to wireless service, provided the number is not already on the national do-not-call registry or caller’s company-specific do-not-call list.
[10] 47 C.F.R. § 64.1200(a)(1)
[11] See 2015 Declaratory Ruling and Order (FCC 15-72, July 10, 2015) under References section in these procedures for additional FCC guidance on emergency communications by financial institutions.
[13] 47 C.F.R. § 64.1200(a)(1)(iii)
219
What are the exceptions to the general Prohibitions on Autodialed or Prerecorded Calls to Cell Phones and Other Sensitive Numbers (47 C.F.R. § 64.1200(a)(1)-(2))? [VIII - 5.1]
Exceptions to the General Prohibitions [14]
No person or entity may initiate, or cause to be initiated, any telephone call that includes or introduces an advertisement or constitutes telemarketing, using an automatic telephone dialing system or an artificial or prerecorded voice, to any of the lines or telephone numbers described above, other than:
* A call made with the prior express written consent of the called party or the prior express consent of the called party when the call is made by or on behalf of a tax-exempt nonprofit organization; or
* A call that delivers a “health care” message made by, or on behalf of, a “covered entity” or its “business associate,” as those terms are defined in the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.[15]
[14] 47 C.F.R. § 64.1200(a)(2)
[15] 45 C.F.R. § 160.103
220
What are the Prohibitions on Prerecorded Calls to Residential Lines (47 C.F.R. § 64.1200(a)(3))? [VIII - 5.1]
Prohibitions on Prerecorded Calls to Residential Lines (47 C.F.R. § 64.1200(a)(3))
No person or entity may initiate any telephone call to any residential line using an artificial or prerecorded voice to deliver a message without the prior express written consent of the called party, unless the call:
* Is made for emergency purposes;
* Is not made for a commercial purpose;
* Is made for a commercial purpose but does not include or introduce an advertisement or constitute telemarketing;
* Is made by or on behalf of a tax-exempt nonprofit organization; or
* Delivers a “health care” message made by, or on behalf of, a “covered entity” or its “business associate,” as those terms are defined in the HIPAA Privacy Rule.[16]
[16] 45 C.F.R. § 160.103
221
What is the Safe Harbor (47 C.F.R. § 64.1200(m)) for liability for violating the prohibitions under the Prohibition on Autodialed or Prerecorded Calls to Cell Phones, Other Sensitive Numbers section and the Prohibition on Prerecorded Calls to Residential Lines? [VIII - 5.1]
Safe Harbor (47 C.F.R. § 64.1200(m))
A person will not be liable for violating the prohibitions under the Prohibition on Autodialed or Prerecorded Calls to Cell Phones, Other Sensitive Numbers section and the Prohibition on Prerecorded Calls to Residential Lines section above [17] by making a call to a number for which the person previously had obtained prior express consent of the called party as required in those same sections [18] but at the time of the call, the number is not assigned to the subscriber to whom it was assigned at the time such prior express consent was obtained if the person, bearing the burden of proof and persuasion, demonstrates that:
* The person, based upon the most recent numbering information reported by telecommunications carriers to the North American Numbering Plan Administrator, by querying the database operated by the North American Numbering Plan Administrator and receiving a response of “no”, has verified that the number has not been permanently disconnected since the date prior express consent was obtained as required in the Prohibition on Autodialed or Prerecorded Calls to Cell Phones, Other Sensitive Numbers section and the Prohibition on Prerecorded Calls to Residential Lines section above;[19] and
* The person's call to the number was the result of the database erroneously returning a response of “no” to the person's query consisting of the number for which prior express consent was obtained as required in the Prohibition on Autodialed or Prerecorded Calls to Cell Phones, Other Sensitive Numbers section and the Prohibition on Prerecorded Calls to Residential Lines section above [20] and the date on which such prior express consent was obtained.
[17] 47 C.F.R. § 64.1200(a)(1), (2), or (3)
[18] 47 C.F.R. § 64.1200(a)(1), (2), or (3)
[19] 47 C.F.R. § 64.1200(a)(1), (2), or (3)
[20] 47 C.F.R. § 64.1200(a)(1), (2), or (3)
222
What Disclosures and Notices are required for Artificial or Prerecorded Voice Telephone Messages (47 C.F.R. § 64.1200(b))? [VIII - 5.1]
Disclosures and Notices for Artificial or Prerecorded Voice Telephone Messages (47 C.F.R. § 64.1200(b))
All artificial or prerecorded voice telephone messages shall:
* At the beginning of the message, state clearly the identity of the business, individual, or other entity that is responsible for initiating the call. If a business is responsible for initiating the call, the name under which the entity is registered to conduct business with the State Corporation Commission (or comparable regulatory authority) must be stated;
* During or after the message, state clearly the telephone number (other than that of the autodialer or prerecorded message player that placed the call) of such business, other entity, or individual. The telephone number provided may not be a 900 number or any other number for which charges exceed local or long distance transmission charges. For telemarketing messages to residential telephone subscribers, such telephone number must permit any individual to make a do-not-call request during regular business hours for the duration of the telemarketing campaign; and
* In every case where the artificial or prerecorded voice telephone message includes or introduces an advertisement or constitutes telemarketing and is delivered to a residential telephone line or any of the lines or telephone numbers described in the first paragraph under the Prohibition on Autodialed or Prerecorded Calls to Sensitive Numbers and Cell Phones section above (General Prohibition [21]), provide an automated, interactive voice- and/or key press-activated opt-out mechanism for the called person to make a do-not-call request, including brief explanatory instructions on how to use such mechanism, within two (2) seconds of providing the identification information required in the first bullet above in this section.[22] When the called person elects to opt out using such mechanism, the mechanism must automatically record the called person’s number to the seller’s do-not-call list and immediately terminate the call. When the artificial or prerecorded voice telephone message is left on an answering machine or a voice mail service, such message must also provide a toll free number that enables the called person to call back at a later time and connect directly to the automated, interactive voice- and/or key press-activated opt-out mechanism and automatically record the called person’s number to the seller’s do-not-call list.
[21] 47 C.F.R. § 64.1200(a)(1)(i) through (iii)
[22] 47 C.F.R. § 64.1200(b)(1)
223
What is the Nationwide Do-Not-Call List (purpose, liability) (47 C.F.R. § 64.1200(c)(2)) under the TCPA? [VIII - 5.1]
Do-Not-Call Lists
Nationwide Do-Not-Call List (47 C.F.R. § 64.1200(c)(2))
No person or entity shall initiate any telephone solicitation to a residential telephone subscriber or wireless telephone subscriber [23] who has registered his or her telephone number on the national do-not-call registry of persons who do not wish to receive telephone solicitations that is maintained by the Federal Government.[24] Such do-not-call registrations must be honored indefinitely, or until the registration is cancelled by the consumer or the telephone number is removed by the database administrator.
Any person or entity making telephone solicitations (or on whose behalf telephone solicitations are made) will not be liable for violating this requirement if:
* It can demonstrate that the violation is the result of error and that as part of its routine business practice, it meets the following standards:
  o It has established and implemented written procedures to comply with the national do-not-call rules;
  o It has trained its personnel, and any entity assisting in its compliance, in procedures established pursuant to the national do-not-call rules;
  o It has maintained and recorded a list of telephone numbers that the seller may not contact;
  o It uses a process to prevent telephone solicitations to any telephone number on any list established pursuant to the do-not-call rules, employing a version of the national do-not-call registry obtained from the administrator of the registry no more than 31 days prior to the date any call is made, and maintains records documenting this process;
  o It uses a process to ensure that it does not sell, rent, lease, purchase or use the national do-not-call database, or any part thereof, for any purpose except compliance with this section and any such state or federal law to prevent telephone solicitations to telephone numbers registered on the national database;
* It purchases access to the relevant do-not-call data from the administrator of the national database and does not participate in any arrangement to share the cost of accessing the national database, including any arrangement with telemarketers who may not divide the costs to access the national database among various client sellers; or
* It has obtained the subscriber’s prior express invitation or permission. Such permission must be evidenced by a signed, written agreement between the consumer and seller which states that the consumer agrees to be contacted by this seller and includes the telephone number to which the calls may be placed; or
* The telemarketer making the call has a personal relationship with the recipient of the call.
[23] 47 C.F.R. § 64.1200(e). The Do-Not-Call Lists section of the examination procedures are also applicable to any person or entity making telephone solicitations or telemarketing calls to wireless telephone numbers.
[24] 47 C.F.R. § 64.1100(h). The term subscriber is any one of the following: (1) The party identified in the account records of a common carrier as responsible for payment of the telephone bill; (2) Any adult person authorized by such party to change telecommunications services or to charge services to the account; or (3) Any person contractually or otherwise lawfully authorized to represent such party
224
What are Company-Specific Do-Not-Call Lists (Mandatory Procedures, and Opt-Out Requests) (47 C.F.R. § 64.1200(d)) under the TCPA? [VIII - 5.1]
Company-Specific Do-Not-Call Lists, Mandatory Procedures, and Opt-Out Requests (47 C.F.R. § 64.1200(d))
No person or entity shall initiate any call for telemarketing purposes to a residential telephone subscriber or wireless telephone subscriber [25] unless such person or entity has instituted procedures for maintaining a list of persons who request not to receive telemarketing calls made by or on behalf of that person or entity.[26] The procedures instituted must meet the following minimum standards:
* Persons or entities making calls for telemarketing purposes must have a written policy, available upon demand, for maintaining a do-not-call list;
* Personnel engaged in any aspect of telemarketing must be informed and trained in the existence and use of the do-not-call list;
* If a person or entity making a call for telemarketing purposes (or on whose behalf such a call is made) receives a request from a residential telephone subscriber or wireless telephone subscriber not to receive calls from that person or entity, the person or entity must record the request and place the subscriber’s name, if provided, and telephone number on the do-not-call list at the time the request is made.[27] Persons or entities making calls for telemarketing purposes (or on whose behalf such calls are made) must honor a residential subscriber’s or wireless telephone subscriber’s do-not-call request within a reasonable time from the date such request is made. This period may not exceed 30 days from the date of such request. If such requests are recorded or maintained by a party other than the person or entity on whose behalf the telemarketing call is made, the person or entity on whose behalf the telemarketing call is made will be liable for any failures to honor the do-not-call request. A person or entity making a call for telemarketing purposes must obtain a consumer’s prior express permission to share or forward the consumer’s request not to be called to a party other than the person or entity on whose behalf a telemarketing call is made or an affiliated entity;
* A person or entity making a call for telemarketing purposes must provide the called party with the name of the individual caller, the name of the person or entity on whose behalf the call is being made, and a telephone number or address at which the person or entity may be contacted. The telephone number provided may not be a 900 number or any other number for which charges exceed local or long distance transmission charges;
* In the absence of a specific request by the subscriber to the contrary, a residential subscriber’s or wireless telephone subscriber’s do-not-call request shall apply to the particular business entity making the call (or on whose behalf a call is made), and will not apply to affiliated entities unless the consumer reasonably would expect them to be included given the identification of the caller and the product being advertised; and
* A person or entity making calls for telemarketing purposes must maintain a record of a consumer’s request not to receive further telemarketing calls. A do-not-call request must be honored for 5 years from the time the request is made.
Tax-exempt nonprofit organizations are not required to comply with provisions contained within this Mandatory Procedures, Company-Specific Do-Not-Call Lists, and Opt-Out Requests section.
[25] 47 C.F.R. § 64.1200(e). The Do-Not-Call Lists section of the examination procedures are also applicable to any person or entity making telephone solicitations or telemarketing calls to wireless telephone numbers.
[26] 47 C.F.R. § 64.1100(h). The term subscriber is any one of the following: (1) The party identified in the account records of a common carrier as responsible for payment of the telephone bill; (2) Any adult person authorized by such party to change telecommunications services or to charge services to the account; or (3) Any person contractually or otherwise lawfully authorized to represent such party.
[27] See 2015 Declaratory Ruling and Order (FCC 15-72, July 10, 2015) under References section in these procedures for additional FCC guidance.
225
What are Other Restrictions on Calls - Simultaneous Engagement of Multi-line Businesses (47 C.F.R. § 64.1200(a)(5)) under the TCPA? [VIII - 5.1]
Simultaneous Engagement of Multi-line Businesses (47 C.F.R. § 64.1200(a)(5))
No person or entity may use an automatic telephone dialing system in such a way that two or more telephone lines of a multi-line business are engaged simultaneously.
226
What are Other Restrictions on Calls - Disconnected Calls (47 C.F.R. § 64.1200(a)(6)) under the TCPA? [VIII - 5.1]
Disconnected Calls (47 C.F.R. § 64.1200(a)(6)) No person or entity may disconnect an unanswered telemarketing call prior to at least 15 seconds or four (4) rings.
227
What are Other Restrictions on Calls - Abandoned Calls (47 C.F.R. § 64.1200(a)(7)) under the TCPA? [VIII - 5.1]
Abandoned Calls (47 C.F.R. § 64.1200(a)(7)) No person or entity may abandon more than three percent of all telemarketing calls that are answered live by a person, as measured over a 30–day period for a single calling campaign. If a single calling campaign exceeds a 30–day period, the abandonment rate shall be calculated separately for each successive 30–day period or portion thereof that such calling campaign continues. A call is “abandoned” if it is not connected to a live sales representative within two (2) seconds of the called person’s completed greeting. Whenever a live sales representative is not available to speak with the person answering the call, within two (2) seconds after the called person’s completed greeting, the telemarketer or the seller must provide: * A prerecorded identification and opt-out message that is limited to disclosing that the call was for “telemarketing purposes” and states the name of the business, entity, or individual on whose behalf the call was placed, and a telephone number for such business, entity, or individual that permits the called person to make a do-not-call request during regular business hours for the duration of the telemarketing campaign; provided, that, such telephone number may not be a 900 number or any other number for which charges exceed local or long distance transmission charges; and * An automated, interactive voice- and/or key press-activated opt-out mechanism that enables the called person to make a do-not-call request prior to terminating the call, including brief explanatory instructions on how to use such mechanism. When the called person elects to opt-out using such mechanism, the mechanism must automatically record the called person’s number to the seller’s do-not-call list and immediately terminate the call. 
A call for telemarketing purposes that delivers an artificial or prerecorded voice message to a residential telephone line or to any of the lines or telephone numbers described in the Prohibition on Autodialed or Prerecorded Calls to Sensitive Numbers and Cell Phones section above (General Prohibition28) after the subscriber to such line has granted prior express written consent for the call to be made shall not be considered an abandoned call if the message begins within two (2) seconds of the called person’s completed greeting. The seller or telemarketer must maintain records establishing compliance with this Abandoned Calls section. Calls made by or on behalf of tax-exempt nonprofit organizations are not covered by the provisions in this Abandoned Calls section. 28 47 C.F.R. § 64.1200(a)(1)(i) through (iii)
228
What are Other Restrictions on Calls - Determining Type of Telephone Line (47 C.F.R. § 64.1200(a)(8)) under the TCPA? [VIII - 5.1]
Determining Type of Telephone Line (47 C.F.R. § 64.1200(a)(8)) No person or entity may use any technology to dial any telephone number for the purpose of determining whether the line is a facsimile or voice line.
229
What are Other Restrictions on Calls - Calls Made by Financial Institutions 29 (47 C.F.R. § 64.1200(a)(9)(iii)) under the TCPA? [VIII - 5.1]
Calls Made by Financial Institutions 29 (47 C.F.R. § 64.1200(a)(9)(iii)) A person or entity will not be liable for making any telephone call30 using an automatic telephone dialing system or an artificial or prerecorded voice; to any telephone number assigned to a paging service, cellular telephone service, specialized mobile radio service, or other radio common carrier service, or any service for which the called party is charged for the call; provided that the call is not charged to the called person or counted against the called person’s plan limits on minutes or texts and all of the following conditions are met: Voice calls and text messages: * Must be sent only to the wireless telephone number provided by the customer of the financial institution; * Must state the name and contact information of the financial institution (for voice calls, these disclosures must be made at the beginning of the call); * Are strictly limited to those for the following purposes: transactions and events that suggest a risk of fraud or identity theft; possible breaches of the security of customers’ personal information; steps consumers can take to prevent or remedy harm caused by data security breaches; and actions needed to arrange for receipt of pending money transfers; * Must not include any telemarketing, crossmarketing, solicitation, debt collection, or advertising content; and * Must be concise, generally one minute or less in length for voice calls (unless more time is needed to obtain customer responses or answer customer questions) or 160 characters or less in length for text messages. 
A financial institution: * May initiate no more than three messages (whether by voice call or text message) per event over a three-day period for an affected account; * Must offer recipients within each message an easy means to opt out of future such messages; voice calls that could be answered by a live person must include an automated, interactive voice- and/or key press-activated opt-out mechanism that enables the call recipient to make an opt-out request prior to terminating the call; voice calls that could be answered by an answering machine or voice mail service must include a toll-free number that the consumer can call to opt out of future calls; text messages must inform recipients of the ability to opt out by replying “STOP,” which will be the exclusive means by which consumers may opt out of such messages; and, * Must honor opt-out requests immediately. 29 As defined in section 4(k) of the Bank Holding Company Act of 1956, 15 U.S.C. 6809(3)(A). 30 The term “call” includes a text message, including a short message service (SMS) call.
230
What are Other Restrictions on Calls - Calling Times (47 C.F.R. § 64.1200(c)(1)) under the TCPA? [VIII - 5.1]
Calling Times (47 C.F.R. § 64.1200(c)(1)) No person or entity shall initiate any telephone solicitation to any residential telephone subscriber before the hour of 8 a.m. or after 9 p.m. (local time at the called party’s location).
231
What are Other Restrictions on Calls - Caller ID Information and Blocking (47 C.F.R. § 64.1601(e)) under the TCPA? [VIII - 5.1]
Caller ID Information and Blocking (47 C.F.R. § 64.1601(e)) Any person or entity that engages in telemarketing, as defined31 in the TCPA regulations and reiterated in the Key Definitions section above, must transmit caller identification information. Caller identification information must include either the calling party number or the automatic numbering information, and, when available by the telemarketer’s carrier, the name of the telemarketer. It shall not be a violation of this paragraph to substitute (for the name and phone number used in, or billed for, making the call) the name of the seller on behalf of which the telemarketing call is placed and the seller’s customer service telephone number. The telephone number so provided must permit any individual to make a do-not-call request during regular business hours. The person or entity engaging in telemarketing is also prohibited from blocking the transmission of caller identification information. Tax-exempt nonprofit organizations are not required to comply with this Caller ID Information and Blocking section. 31 47 C.F.R. § 64.1200(f)(10)
232
What are the general Prohibitions on Use of Telephone Fax Machine, Computer, or Other Device to Send Unsolicited Advertisement to a Telephone Fax Machine (47 C.F.R. § 64.1200(a)(4)) under the TCPA? [VIII - 5.1]
Prohibitions on Use of Telephone Fax Machine, Computer, or Other Device to Send Unsolicited Advertisement to a Telephone Fax Machine (47 C.F.R. § 64.1200(a)(4)) General Prohibitions and Notification Requirements (47 C.F.R. § 64.1200(a)(4)(i) through (iii)) No person or entity may use a telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine, unless: * The unsolicited advertisement is from a sender with an established business relationship, as defined in the Key Definitions section above, 32 with the recipient; and * The sender obtained the number of the telephone facsimile machine through: o The voluntary communication of such number by the recipient directly to the sender, within the context of such established business relationship; or o A directory, advertisement, or site on the Internet to which the recipient voluntarily agreed to make available its facsimile number for public distribution. If a sender obtains the facsimile number from the recipient’s own directory, advertisement, or Internet site, it will be presumed that the number was voluntarily made available for public distribution, unless such materials explicitly note that unsolicited advertisements are not accepted at the specified facsimile number. If a sender obtains the facsimile number from other sources, the sender must take reasonable steps to verify that the recipient agreed to make the number available for public distribution, 33 and * The advertisement contains a notice that informs the recipient of the ability and means to avoid future unsolicited advertisements.
A notice contained in an advertisement complies with the requirements only if: o The notice is clear and conspicuous and on the first page of the advertisement; o The notice states that the recipient may make a request to the sender of the advertisement not to send any future advertisements to a telephone facsimile machine or machines and that failure to comply, within 30 days, with such a request meeting the requirements set out in the Telephone Facsimile Machine Opt-Out Requests section is unlawful; o The notice sets forth the requirements for an opt-out request under the Telephone Facsimile Machine Opt-Out Requests section below in this section; o The notice includes: ▪ A domestic contact telephone number and facsimile machine number for the recipient to transmit such a request to the sender; and ▪ If neither the required telephone number nor facsimile machine number is a toll-free number, a separate cost-free mechanism including a Web site address or email address, for a recipient to transmit a request pursuant to such notice to the sender of the advertisement. A local telephone number also shall constitute a cost-free mechanism so long as recipients are local and will not incur any long distance or other separate charges for calls made to such number; and o The telephone and facsimile numbers and cost-free mechanism identified in the notice must permit an individual or business to make an opt-out request 24 hours a day, 7 days a week. 32 47 C.F.R. § 64.1200(f)(6) 33 This provision shall not apply in the case of an unsolicited advertisement that is sent based on an established business relationship with the recipient that was in existence before July 9, 2005, if the sender also possessed the facsimile machine number of the recipient before July 9, 2005. There shall be a rebuttable presumption that if a valid established business relationship was formed prior to July 9, 2005, the sender possessed the facsimile number prior to such date as well.
233
What steps must be taken to honor Telephone Facsimile Machine Opt-Out Requests (47 C.F.R. § 64.1200(a)(4)(iv-vi)) under the TCPA? [VIII - 5.1]
Telephone Facsimile Machine Opt-Out Requests (47 C.F.R. § 64.1200(a)(4)(iv-vi)) A request not to send future unsolicited advertisements to a telephone facsimile machine complies with the requirements under this subparagraph only if: * The request identifies the telephone number or numbers of the telephone facsimile machine or machines to which the request relates; * The request is made to the telephone number, facsimile number, Web site address or email address identified in the sender’s facsimile advertisement; and * The person making the request has not, subsequent to such request, provided express invitation or permission to the sender, in writing or otherwise, to send such advertisements to such person at such telephone facsimile machine. A sender that receives a request not to send future unsolicited advertisements that complies with the requirements in the bulleted list above must honor that request within the shortest reasonable time from the date of such request, not to exceed 30 days, and is prohibited from sending unsolicited advertisements to the recipient unless the recipient subsequently provides prior express invitation or permission to the sender. The recipient’s opt-out request terminates the established business relationship exemption for purposes of sending future unsolicited advertisements. If such requests are recorded or maintained by a party other than the sender on whose behalf the unsolicited advertisement is sent, the sender will be liable for any failures to honor the opt-out request.34 A facsimile broadcaster will be liable for violations of the provisions in this Prohibition on Use of Telephone Fax Machine, Computer, or Other Device to Send Unsolicited Advertisement to a Telephone Fax Machine section, 35 including the inclusion of opt-out notices on unsolicited advertisements, if it demonstrates a high degree of involvement in, or actual notice of, the unlawful activity and fails to take steps to prevent such facsimile transmissions.
34 47 C.F.R. § 64.1200(a)(4)(v) 35 47 C.F.R. § 64.1200(a)(4)
234
What are Retail Investment Sales? [IX - 1.1]
Retail Investment Sales Introduction These compliance examination procedures and guidance apply to retail recommendations or sales of securities by, on behalf of, or on the premises of FDIC supervised institutions. “Retail” in this context means securities recommendations or sales activities which are conducted separately from a bank’s trust or fiduciary activities.1 While these “retail” activities are primarily conducted with consumers, they can be conducted with commercial customers under certain circumstances. Generally, securities are financial instruments that grant an ownership position or the right to purchase one. They are not insured by the FDIC. Moreover, one of their most significant features is investment risk, i.e., the risk that purchasers may lose part or all of their invested principal. Securities include individual stocks and bonds, mutual funds, self-directed individual retirement accounts (IRA) that invest in securities, 2 and annuities.3 Securities sales activities have the potential to bolster bank earnings, increase bank competitiveness, and provide bank customers with additional services. However, these types of activities also have the potential to confuse customers, expose banks to contingent liabilities, and damage the reputation of these institutions. Therefore, examiners must evaluate an institution’s retail securities activities with care. A list of key terms is available under the Job Aids section of this chapter. 1 Bank trust and fiduciary activities are viewed as non-retail. RMS Trust Examination staff is responsible for the examination of these types of activities. Compliance examiners are responsible for reviewing retail investment sales activities regardless of where a bank conducts them, even if they occur within the same division or department where a bank conducts trust operations. In such situations, coordination with RMS Trust examiners is encouraged to ensure that activities receive the appropriate review. 
2 This includes IRA and Keogh accounts offered outside of a bank’s Trust Department, when a bank offers self-directed custodial accounts that are established by individuals for their own benefit. When customers use such accounts to invest in securities sold by the bank or pursuant to a third party arrangement with the bank, they have engaged in a retail securities sales activity that should be reviewed by compliance examiners under these procedures. 3 The sale of annuities is supervised as both an insurance and an investment activity. Consequently, banks that offer these products should be examined under both these procedures and the Compliance Examination Procedures and Supervisory Guidance for Retail Insurance Sales.
235
What is the Supervisory Responsibility over Retail Investment Sales? [IX - 1.1]
Supervisory Responsibility Generally, parties that recommend or sell securities must register with the Securities and Exchange Commission (SEC) as broker-dealers. Once registered, broker dealers are subject to regulation by the SEC and National Association of Securities Dealers (NASD). However, until the Gramm-Leach-Bliley Act (GLBA) was enacted in 1999, banks were exempt from these requirements. Once Title II of GLBA becomes effective, banks that offer securities will have a choice. They may either register with the SEC as broker dealers or confine their programs to a list of activities exempt from registration. Due to the capital requirements imposed on broker dealers by the SEC, most banks prefer to limit their securities sales activities to those that do not require SEC registration. Pursuant to §1001 of GLBA, a bank is exempt from registration as a broker4 when it sells securities as part of: * third party arrangements conducted pursuant to written agreements; * certain stock purchase plans; * sweep accounts; * affiliate transactions; * private securities offerings; * safekeeping and custody activities; * transactions defined as permissible under GLBA; * banking products specifically identified by GLBA; * municipal securities; * a de minimis number of transactions, i.e., less than 500 per year; or * trust and fiduciary activities. Under GLBA, federal bank regulators will eventually become responsible for verifying that banks accurately document compliance with exemptions from registration. The FDIC and other banking agencies will issue the regulations necessary to do so once the SEC defines the scope of the registration exemptions.5 Until then, compliance examiners are not required to assess bank compliance with exemptions to registration. However, banks involved in securities sales should be made aware of the GLBA provisions that relate to this area. 
NOTE: It is important to understand that a bank, an affiliate of a bank, or a third party vendor which is registered with the SEC as a broker-dealer is subject to regulation by the SEC and securities self-regulatory organizations such as the NASD. As a result, these examination procedures do not attempt to evaluate compliance with SEC or NASD rules or regulations. However, compliance examiners should confirm that registered broker dealers employ properly licensed sales representatives. 4 GLBA also contains a list of activities that banks may conduct without registering with the SEC as securities dealers. These activities are reviewed as part of risk management examinations. They are beyond the scope of these procedures. 5 The SEC has made two proposals intended to define the bank brokerage exceptions. Neither has been finalized.
236
What is the Examination Approach Compliance Examiners Take over Retail Investment Sales? [IX - 1.1]
Overview of Examination Approach During the compliance examination of a bank that offers investment products, examiners must consider the bank’s retail securities activities when assessing the quality of the bank’s compliance management system (CMS). Examiners must determine whether the CMS appropriately manages the risks involved in retail securities sales activities, including adherence to the Interagency Statement on Retail Sales of Nondeposit Investment Products (Interagency Statement), 6 FDIC Part 344 – Recordkeeping and Confirmation Requirements for Securities Transactions, 7 Treasury Regulations Part 403.5(d) – Custody of Securities Held by Financial Institutions that are Government Securities Brokers and Dealers, 8 and Treasury Regulations Part 450 – Custodial Holdings of Government Securities by Depository Institutions9. In doing so, examiners should consider all documentation related to retail securities sales, including, but not limited to, agreements with third parties, sales activity volume and financial reports, standard disclosures and acknowledgment forms, records which document the qualifications of sales personnel, and proprietary product management reports. Based on the examiner’s conclusions about the bank’s CMS as it relates to retail investment sales, a determination should be made about the extent of transaction sampling and testing necessary to complete the compliance examination.10 At the end of the examination, examiners should document their conclusions about the bank’s retail securities activities in the examination work papers and Report of Examination, as appropriate. Banks that fail to comply with applicable laws and regulations, or fail to establish and observe appropriate policies and procedures consistent with the Interagency Statement in connection with retail securities sales activities, should be subject to criticism in the Report of Examination and appropriate corrective action. 
6 FDIC Laws, Regulations, Related Acts, and Statements of Policy. 7 See 12 CFR 344. 8 See 17 CFR 403.5(d). 9 See 17 CFR 450. 10 Examiners should refer to the general compliance examination procedures for guidance on transaction sampling and testing.
237
What are the Policy and Regulatory Requirements for retail investment sales under The Interagency Statement on Retail Sales of Nondeposit Investment Products? [IX - 1.1]
Policy and Regulatory Requirements The Interagency Statement on Retail Sales of Nondeposit Investment Products * Applies to all retail securities activities transacted with consumer customers11 of an insured depository institution, regardless of whether the institution offers securities directly or through an arrangement with a third party. Moreover, the Interagency Statement applies to a dual employee of the bank and a third party when the employee effects retail securities transactions. * Provides for specific actions banks should take with regard to program management, disclosures, sales setting, personnel qualifications, suitability, and compensation to effectively manage its securities sales programs and protect securities customers.
238
What are the FDIC Specific Requirements compliance examiners will review when examining retail investment sales - FDIC Part 344, Recordkeeping and Confirmation Requirements for Securities Transactions? [IX - 1.1]
FDIC Part 344, Recordkeeping and Confirmation Requirements for Securities Transactions * Applies to any retail securities transactions effected by banks for consumer or commercial customers, with the following exceptions: ° Transactions Effected by Registered Broker/Dealers: This regulation in its entirety does not apply to transactions in which: (1) the broker/dealer is fully disclosed to the bank customer, and (2) the bank customer has a direct contractual agreement with the broker/dealer. This broad exemption extends to arrangements which involve a dual employee of the bank and broker/dealer, when the employee is acting as an employee of, and subject to the supervision of, the registered broker dealer. ° Municipal Securities: This regulation in its entirety does not apply to municipal securities transactions effected at a bank registered with the SEC as a municipal securities dealer. ° Foreign Branches: This regulation in its entirety does not apply to transactions at foreign branches of a bank. ° Small Number of Transactions: Certain recordkeeping and securities trading policies and procedures of the regulation do not apply to a bank effecting an average of fewer than 500 transactions (excluding government securities transactions) per year.12 ° Government Securities: The settlement and personal securities trading requirements of the regulation do not apply to banks conducting transactions in government securities; and the recordkeeping requirements do not apply to banks effecting fewer than 500 government securities transactions per year. * Requires banks to provide customers with written confirmation notices and to maintain appropriate records and controls with respect to retail securities transactions they effect. 12 The average is to be determined using the prior three calendar year period.
239
What do the Treasury Regulations Part 403.5(d), Custody of Securities Held by Financial Institutions that are Government Securities Brokers and Dealers state under NDIP- Investment Sales? [IX - 1.1]
Treasury Regulations Part 403.5(d), Custody of Securities Held by Financial Institutions that are Government Securities Brokers and Dealers * Applies to any bank that retains custody of government securities that are part of a retail repurchase agreement between the bank and its consumer or commercial customers. * Requires banks to provide customer disclosures, customer transaction confirmation notices, and maintain procedures pertaining to possession and control of government securities.
240
What do Treasury Regulations Part 450, Custodial Holdings of Government Securities by Depository Institutions state under NDIP - Investment Sales? [IX - 1.1]
Treasury Regulations Part 450, Custodial Holdings of Government Securities by Depository Institutions * Applies to any bank that retains possession of government securities sold under a repurchase agreement with consumer or commercial customers, or banks that hold customer government securities as custodian or in safekeeping. * Requires banks to issue confirmation or safekeeping receipts for government securities held for customers, properly segregate the securities, and maintain appropriate controls and records for those securities.
241
What is the definition of “Annuities” under NDIP - Investment Sales? [IX - 1.1]
“Annuities” are contracts that guarantee income (typically for an individual’s lifetime) in exchange for a lump sum or periodic payment. The terms are usually based upon the individual’s expected lifetime and anticipated market conditions. A variable annuity guarantees payments, but does not guarantee the payment amounts. Variable annuities are securities, contain investment risk, and investors select level of investment risk.
242
What is the definition of “Bank Securities Representatives” under NDIP - Investment Sales? [IX - 1.1]
“Bank Securities Representatives” are bank employees who solicit, recommend, and effect investment transactions for retail customers within an insured depository institution’s direct investment sales program. Dual and third-party employees are not bank securities representatives.
243
What is the definition of “Brokers” under NDIP - Investment Sales? [IX - 1.1]
“Brokers” charge a fee or commission for executing customer transactions, or for providing services (for example, investment advice).
244
What is the definition of “Discount Brokers” under NDIP - Investment Sales? [IX - 1.1]
“Discount Brokers” simply execute transactions and maintain customer accounts in exchange for fees or commissions, but do not provide investment advice. All discount brokerage transactions are unsolicited.
245
What is the definition of “Dual Employees” under NDIP - Investment Sales? [IX - 1.1]
“Dual Employees” are employed by both the bank and a third-party.
246
What is the definition of “Full-service Brokers” under NDIP - Investment Sales? [IX - 1.1]
“Full-service Brokers” provide complete investment services, including investment advice, in exchange for fees or commissions.
247
What is the definition of “Hybrid Accounts” under NDIP - Investment Sales? [IX - 1.1]
“Hybrid Accounts” which include sweep accounts, combine elements of insured deposits and investments.
248
What is the definition of “Investments” under NDIP - Investment Sales? [IX - 1.1]
“Investments” are transactions in which money is contributed for the purpose of obtaining income or profit, but which carries the risk of loss of all or part of the principal contributed and income accumulated.
249
What is the definition of “Investment Advisors” under NDIP - Investment Sales? [IX - 1.1]
“Investment Advisers” include any individual who offers investment advice in exchange for compensation.
250
What is the definition of “Networking Arrangements” under NDIP - Investment Sales? [IX - 1.1]
“Networking Arrangements” are agreements between banks and third-party vendors that enable vendors to sell or recommend investments to bank customers on bank premises or through customer referrals.
251
What is the definition of “Proprietary Products” under NDIP - Investment Sales? [IX - 1.1]
“Proprietary Products” are products that the bank or bank affiliate markets principally to bank or affiliate customers.
252
What is the definition of “Repurchase Agreements” under NDIP - Investment Sales? [IX - 1.1]
“Repurchase Agreements” are contracts to sell and subsequently repurchase securities at a specified date and price.
253
What is the definition of “Sales Representatives” under NDIP - Investment Sales? [IX - 1.1]
“Sales Representatives” recommend or sell investments on bank premises or through customer referrals, and may be NASD licensed and registered representatives or, where the bank sells securities directly to customers pursuant to an exception from registration, sales representatives may be Bank Securities Representatives.
254
What is the definition of “Sweep Accounts” under NDIP - Investment Sales? [IX - 1.1]
“Sweep Accounts” include any accounts that employ prearranged, automatic funds transfers (above a preset dollar balance) from a deposit account to purchase securities. Sweep accounts also include accounts that use prearranged, automatic securities sales or redemptions to replenish a deposit account that falls below a preset dollar balance.
255
What is the definition of “Unsolicited Transactions” under NDIP - Investment Sales? [IX - 1.1]
“Unsolicited Transactions” occur when customers direct sales representatives to initiate transactions that were not recommended or suggested by any individual connected with the investment sales operation.
256
What are insurance sales under NDIP? [IX–2.1]
Retail Insurance Sales Introduction The following supervisory information and examination procedures apply to retail sales, solicitation, advertising, or offers of any insurance product or annuity1 to a consumer2 by a FDIC-supervised insured depository institution3 or any person engaged in such activities at an office of the institution or on behalf of the institution. These materials do not apply to sales of insurance or annuities that occur as part of an institution’s trust or fiduciary activities. Insurance products are not FDIC-insured and may involve investment risk. Consequently, examiners must assess the quality of an institution’s compliance management system (CMS) as it pertains to the retail sale of insurance and annuities. Examiners must consider whether the CMS appropriately manages the risks involved in these activities, including whether the CMS produces compliance with Part 343 of the FDIC’s regulations (Consumer Protection in Sales of Insurance) and adherence to the Interagency Policy Statement on Retail Sales of Nondeposit Investment Products (the Interagency Policy Statement)4 when variable annuities are sold. The sale of variable annuities is supervised as both an insurance and an investment activity. Consequently, institutions that offer these products should be examined under both these procedures and the Compliance Examination Procedures and Supervisory Guidance For Retail Investment Sales Activities (Investment Sales Procedures). 2 In this context, a consumer is an individual who purchases, applies to purchase or is solicited to purchase any type of insurance product to be used primarily for personal, family, or household purposes. See 12 CFR §343.20(d). 3 FDIC-supervised insured depository institution means any State nonmember insured bank or State savings association for which the FDIC is the appropriate Federal banking agency pursuant to section 3(q) of the Federal Deposit Insurance Act (12 U.S.C. 1813(q)). 
4 FDIC Statements of Policy, Law, Regulation and Related Acts.
257
What are the regulatory and policy requirements related to NDIP - Insurance Sales? [IX–2.1]
Regulatory and Policy Requirements The primary risks addressed by Part 343 and the Interagency Policy Statement are that consumers will: * misunderstand the safety of insurance products sold by institutions, i.e., assume incorrectly that they are backed by the FDIC or another federal agency, or * be coerced into believing they must purchase an insurance product or annuity in order to obtain a loan.
258
What are the regulatory and policy requirements related to NDIP - Insurance Sales under FDIC Part 343? [IX–2.1]
FDIC Part 343 Pursuant to the Gramm-Leach-Bliley Act (GLBA), the federal banking agencies have adopted regulations concerning consumer protection in the sale of insurance by institutions and thrifts. The regulations, which include the FDIC’s Part 343, address matters that are the responsibility of the banking agencies to oversee and not the responsibility of state insurance departments.5 Part 343 applies to the institution as well as other parties that offer insurance or annuities on institution premises or on the institution’s behalf. Under Part 343, a party offers these products on behalf of the institution when: * it represents that it is doing so; or * it pays the institution commissions for receiving customer referrals; or * documents that evidence the sales transaction refer to the institution. 5 The states continue to be responsible for insurance agent and company licensing, product oversight, rates and forms, and most market conduct regulations, which complement financial solvency regulations, regardless of whether an institution is involved. Moreover, where state law provides greater consumer protection in the sale of insurance than the protection provided by the federal rules, GLBA provides that state law governs. Decisions about which law or regulation provides greater protection are made on a case-by-case basis. The Legal Division should be consulted if such questions arise.
259
What are the regulatory and policy requirements related to NDIP - Insurance Sales under the Interagency Policy Statement? [IX–2.1]
Interagency Policy Statement The Interagency Policy Statement contains requirements that overlap with Part 343, particularly with respect to disclosures and the circumstances under which sales and recommendations may be made. To the extent that Part 343 addresses an area, it governs. However, because variable annuities have an investment component, institutions that offer them must also adhere to the program requirements explained in the Interagency Policy Statement. In particular, an institution that offers annuities should establish policies and procedures for its sales program and offer variable annuities only when suitable for customers. A detailed explanation of the requirements of the Interagency Policy Statement is contained in the Investment Sales Procedures.
260
What is Part 328 of the FDIC Rules and Regulations? [X 1.1]
Advertisement of Membership—Part 328 of FDIC Rules and Regulations Introduction These examination procedures were developed to assist examiners in the review of advertisements and signs for compliance with Part 328 of the FDIC Rules and Regulations. The regulation contained in this part describes the official sign of the FDIC and prescribes its use by insured depository institutions. It also prescribes the official advertising statement insured depository institutions must include in their advertisements. For purposes of Part 328, the term “insured depository institution” includes insured branches of a foreign depository institution. The regulation does not apply to noninsured offices or branches of insured depository institutions located in foreign countries.
261
What is Section 42 of the Federal Deposit Insurance (FDI) Act—Branch Closings? [X - 2.1]
Section 42 of the Federal Deposit Insurance (FDI) Act—Branch Closings Introduction Section 42 of the Federal Deposit Insurance (FDI) Act (12 USC §1831r) sets forth guidelines for financial institutions to notify the FDIC and its customers regarding proposals to close a branch. Financial institutions are also required to adopt policies for closings of branches, with special content requirements for closing notices relating to branches in low- or moderate-income areas.
262
What is the Statutory Overview of Section 42 of the Federal Deposit Insurance (FDI) Act—Branch Closings? [X - 2.1]
Statutory Overview For purposes of Section 42, a branch is considered to be a traditional brick-and-mortar branch, or any similar banking facility other than a main office, at which deposits are received or checks paid or money lent. Section 42 does not apply to the following: * An ATM, a remote service facility, a loan production office, or a temporary branch; * The relocation of a branch or consolidation of one or more branches into another branch, if the relocation or consolidation: − Occurs within the immediate neighborhood; and − Does not substantially affect the nature of the business or customers served; or * A branch that is closed in connection with an emergency acquisition.
263
What is The Electronic Signatures in Global and National Commerce Act (E-Sign Act)? [X–3.1]
The Electronic Signatures in Global and National Commerce Act (E-Sign Act) Introduction The Electronic Signatures in Global and National Commerce Act (E-Sign Act), signed into law on June 30, 2000, provides a general rule of validity for electronic records and signatures for transactions in or affecting interstate or foreign commerce. The E-Sign Act allows the use of electronic records to satisfy any statute, regulation, or rule of law requiring that such information be provided in writing, if the consumer has affirmatively consented to such use and has not withdrawn such consent. Subject to certain exceptions, the substantive provisions of the law were effective on October 1, 2000. Record retention requirements became effective on March 1, 2001. The E-Sign Act grandfathers existing agreements between a consumer and an institution to deliver information electronically. However, agreements made on or after October 1, 2000, are subject to the requirements of the E-Sign Act.
264
What are the major provisions of The Electronic Signatures in Global and National Commerce Act related to Consumer Disclosures: Prior Consent, Notice of Availability of Paper Records (E-Sign Act)? [X–3.1]
Summary of Major Provisions Consumer Disclosures Prior Consent, Notice of Availability of Paper Records Prior to obtaining their consent, financial institutions must provide the consumer a clear and conspicuous statement informing the consumer: * of any right or option to have the record provided or made available on paper or in a nonelectronic form, and the right to withdraw consent, including any conditions, consequences, and fees in the event of such withdrawal; * whether the consent applies only to the particular transaction that triggered the disclosure or to identified categories of records that may be provided during the course of the parties’ relationship; * describing the procedures the consumer must use to withdraw consent and to update information needed to contact the consumer electronically; and * informing the consumer how the consumer may nonetheless request a paper copy of a record and whether any fee will be charged for that copy. See Section 101(c)(1)(B).
265
What are the major provisions of The Electronic Signatures in Global and National Commerce Act related to Consumer Disclosures: Hardware and Software Requirements; Notice of Changes (E-Sign Act)? [X–3.1]
Hardware and Software Requirements; Notice of Changes Prior to consenting to the use of an electronic record, a consumer must be provided with a statement of the hardware and software requirements for access to and retention of electronic records. See Section 101(c)(1)(i). Whether the consumer consents electronically, or confirms his or her consent electronically, it must be in a manner that reasonably demonstrates the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent. See Section 101(c)(1)(C)(ii). If a change in the hardware or software requirements needed to access or retain electronic records creates a material risk that the consumer will not be able to access or retain subsequent electronic records subject to the consent, a financial institution must: * provide the consumer with a statement of (a) the revised hardware and software requirements for access to and retention of electronic records, and (b) the right to withdraw consent without the imposition of any condition, consequence, or fee for such withdrawal; and * again comply with the requirements of subparagraph (c) of this section. See Section 101(c)(1)(D). Oral communications or a recording of an oral communication shall not qualify as an electronic record. See Section 101(c)(6).
266
What are the Record Retention Requirements under the E-Sign Act? [X–3.1]
Record Retention The E-Sign Act requires a financial institution to maintain electronic records accurately reflecting the information contained in applicable contracts, notices or disclosures and that they remain accessible to all persons who are legally entitled to access for the period required by law in a form that is capable of being accurately reproduced for later reference. See Section 101(d). Agreements reached with consumers prior to October 1, 2000, to deliver information electronically are exempt from the requirements of Section 101(d). However, for any agreements made with new or existing customers on or after October 1, 2000, the requirements of Section 101(c)(1) will supersede all other consumer consent procedures relating to the use of electronic disclosures set forth in other regulations.
267
What are the Regulatory and Other Actions under the E-Sign Act? [X–3.1]
Regulatory and Other Actions The consumer consent provisions in the E-Sign Act became effective October 1, 2000, and did not require implementing regulations. Nonetheless, on March 30, 2001, the Federal Reserve Board (FRB) adopted interim final rules (Interim Final Rules) and on November 9, 2007, the FRB adopted final rules (Final Rules) establishing uniform standards for the electronic delivery of federally mandated disclosures for five consumer protection regulations: Regulation B, Equal Credit Opportunity; Regulation E, Electronic Fund Transfers; Regulation M, Consumer Leasing; Regulation Z, Truth in Lending, and Regulation DD, Truth in Savings. The Final Rules provided guidance on the timing and delivery of electronic disclosures. Pursuant to the Final Rules, electronic disclosures should be made using a method best suited to the particular type of disclosure. If the consumer uses electronic means to open an account or request a service, the disclosures must be provided before the account is opened or the service is requested. In response to a consumer request, disclosures should be made available in a reasonable amount of time and may be electronic if the consumer agrees. There are exceptions to the consumer consent requirement for electronically providing certain types of disclosures when the consumer is using electronic means such as a home computer. Disclosures should be maintained on the website for a reasonable amount of time for consumers to access, view, and retain the disclosures. The mandatory compliance date was October 1, 2008.
268
What is the definition of a Consumer under the E-Sign Act? [X–3.1]
“Consumer” – The term “consumer” means an individual who obtains, through a transaction, products or services which are used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.
269
What is the definition of Electronic under the E-Sign Act? [X–3.1]
“Electronic” – The term “electronic” means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
270
What is the definition of Electronic Agent under the E-Sign Act? [X–3.1]
“Electronic Agent” – The term “electronic agent” means a computer program or an electronic or other automated means used independently to initiate an action to respond to electronic records or performances in whole or in part without review or action by an individual at the time of the action or response.
271
What is the definition of Electronic Record under the E-Sign Act? [X–3.1]
“Electronic Record” – The term “electronic record” means a contract or other record created, generated, sent, communicated, received, or stored by electronic means.
272
What is the definition of Electronic Signature under the E-Sign Act? [X–3.1]
“Electronic Signature” – The term “electronic signature” means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.
273
What is the definition of “Federal Regulatory Agency” under the E-Sign Act? [X–3.1]
“Federal Regulatory Agency” – The term “Federal regulatory agency” means an agency as that term is defined in section 552(f) of Title 5, United States Code.
274
What is the definition of “Information” under the E-Sign Act? [X–3.1]
“Information” – The term “information” means data, text, images, sounds, codes, computer programs, software, databases, or the like.
275
What is the definition of “Person” under the E-Sign Act? [X–3.1]
“Person” – The term “person” means an individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, governmental agency, public corporation or any other legal or commercial entity.
276
What is the definition of “Record” under the E-Sign Act? [X–3.1]
“Record” – The term “record” means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.
277
What is the definition of “Requirement” under the E-Sign Act? [X–3.1]
“Requirement” – The term “requirement” includes a prohibition.
278
What is the definition of “Self-Regulatory Organization” under the E-Sign Act? [X–3.1]
“Self-Regulatory Organization” – The term “self-regulatory organization” means an organization or entity that is not a Federal regulatory agency or a State, but that is under the supervision of a Federal regulatory agency and is authorized under Federal law to adopt and administer rules applicable to its members that are enforced by such organization or entity, by a Federal regulatory agency, or by another self-regulatory organization.
279
What is the definition of “State” under the E-Sign Act? [X–3.1]
“State” – The term “State” includes the District of Columbia and the territories and possessions of the United States.
280
What is the definition of “Transaction” under the E-Sign Act? [X–3.1]
“Transaction” – the term “transaction” means an action or set of actions relating to the conduct of business, consumer, or commercial affairs between two or more persons, including any of the following types of conduct: 1. the sale, lease, exchange, licensing, or other disposition of (i) personal property, including goods and intangibles, (ii) services, and (iii) any combination thereof; and 2. the sale, lease, exchange, or other disposition of any interest in real property, or any combination thereof.
281
What is the Prohibition Against Use of Interstate Branches Primarily for Deposit Production? [X–4.1]
Prohibition Against Use of Interstate Branches Primarily for Deposit Production Introduction The Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (“the agencies”), jointly issued a final rule, effective October 10, 1997, that adopted uniform regulations1 implementing section 109 of the Riegle-Neal Interstate Banking and Branching Efficiency Act of 1994 (IBBEA). IBBEA allows banks to branch across state lines. Section 109, however, prohibits any bank from establishing or acquiring a branch or branches outside of its home State, pursuant to IBBEA, primarily for the purpose of deposit production. Congress enacted section 109 to ensure that interstate branches would not take deposits from a community without the bank reasonably helping to meet the credit needs of that community. 1 See 12 CFR 25, 12 CFR 208, and 12 CFR 369.
282
What is the background of IBBEA? [X–4.1]
Subsequently, section 106 of the Gramm-Leach-Bliley Act of 1999 (GLBA) amended section 109 by changing the definition of an “interstate branch” to include any branch of a bank controlled by an out-of-State bank holding company. Interagency regulations implementing this amendment became effective October 1, 2002. The language of section 109 and its legislative history make clear that the agencies are to administer section 109 without imposing additional regulatory burden on banks. Consequently, the agencies’ regulations do not impose additional data reporting requirements nor do they require a bank to produce, or assist in producing, relevant data.
283
What is the coverage of IBBEA? [X–4.1]
Coverage Section 109 applies to any bank that has covered interstate branches. Examples of covered interstate branches can be found at the end of the Examination Procedures in this section.
284
What is the definition of a “Covered Interstate Branch” under IBBEA? [X–4.1]
“Covered Interstate Branch” 1. Any branch of a national bank, a State member bank, or a State nonmember bank, and any Federal branch of a foreign bank, or any uninsured or insured branch of a foreign bank licensed by a State, that: (i) is established or acquired outside the bank’s home State pursuant to the interstate branching authority granted by IBBEA or by any amendment made by IBBEA to any other provision of law; or (ii) could not have been established or acquired outside of the bank’s home State but for the establishment or acquisition of a branch described in (i) and 2. any bank or branch of a bank controlled by an out-of-State bank holding company.
285
What is the definition of a “Home State” under IBBEA? [X–4.1]
“Home State” 1. For State banks, home State means the State that chartered the bank. 2. With respect to a national bank, home State means the State in which the main office of the bank is located. 3. With respect to a bank holding company, home State means the State in which the total deposits of all banking subsidiaries of such company are the largest on the later of: (i) July 1, 1966; or (ii) the date on which the company becomes a holding company under the Bank Holding Company Act. 4. With respect to a foreign bank, home State means: (i) for purposes of determining whether a U.S. branch of a foreign bank is a covered interstate branch, the home State of the foreign bank as determined in accordance with 12 USC 3103(c) and Section 211.22 of the Federal Reserve Board’s Regulations (12 CFR §211.22), Section 28.11(o) of the OCC’s regulations (12 CFR §28.11(o)), and Section 347.202(j) of the FDIC’s regulations (12 CFR §347.202(j)); and (ii) for purposes of determining whether a branch of a U.S. bank controlled by a foreign bank is a covered interstate branch, the State in which the total deposits of all banking subsidiaries of such foreign bank are the largest on the later of: (a) July 1, 1966; or (b) the date on which the foreign bank becomes a bank holding company under the Bank Holding Company Act.
286
What is the definition of a “Host State” under IBBEA? [X–4.1]
“Host State” – means a State in which a covered interstate branch is established or acquired.
287
What is the definition of “Host State Loan-to-Deposit Ratio” under IBBEA? [X–4.1]
“Host State Loan-to-Deposit Ratio” – is the ratio of total loans in the host State to total deposits from the host State for all banks that have that State as their home State.
288
What is the definition of “Out-of-State Bank Holding Company” under IBBEA? [X–4.1]
“Out-of-State Bank Holding Company” – means, with respect to any State, a bank holding company whose home State is another State.
289
What is the definition of “Statewide Loan-to-Deposit Ratio” under IBBEA? [X–4.1]
“Statewide Loan-to-Deposit Ratio” – relates to an individual bank and is the ratio of the bank’s loans to its deposits in a particular State where it has one or more covered interstate branches.
290
What is The Two Step Test under IBBEA? [X–4.1]
The Two Step Test Beginning no earlier than one year after a covered interstate branch is acquired or established, the agency will determine whether a bank is complying with the provisions of section 109. Section 109 provides a two-step test for determining compliance with the prohibition against interstate deposit production offices: 1. Loan-to-deposit ratio. The first step involves a loan-to-deposit (LTD) ratio screen, which is designed to measure the lending and deposit activities of covered interstate branches. The LTD ratio screen compares the bank’s statewide LTD ratio to the host State LTD ratio. If the bank’s statewide LTD ratio is at least one-half of the relevant host State LTD ratio, the bank passes the section 109 evaluation and no further review is required. Host State ratios are prepared, and made public, by the agencies annually. For the most recent ratios, see OCC bulletins, FDIC Financial Institution Letters, or FRB Press Releases. 2. Credit needs determination. The second step is a credit needs determination that is conducted if a bank fails the LTD ratio screen or if the LTD ratio cannot be calculated due to insufficient data or due to data that are not reasonably available. This step requires the examiner to review the activities of the bank, such as its lending activity and performance under the CRA, in order to determine whether the bank is reasonably helping to meet the credit needs of the communities served by the bank in the host State. Banks may provide the examiner with any relevant information including loan data, if a credit needs determination is performed. Although Section 109 specifically requires the examiner to consider a bank’s CRA rating when making a credit needs determination, a bank’s CRA rating should not be the only factor considered.
However, since most of the other factors (see procedure for Credit Needs Determination) are taken into account as part of a bank’s performance context under CRA, it is expected that banks with a satisfactory or better CRA rating will receive a favorable credit needs determination. Banks with a less than satisfactory CRA rating may receive an adverse credit needs determination unless mitigated by the other factors enumerated in section 109. To ensure consistency, compliance with Section 109 generally should be reviewed in conjunction with the evaluation of a bank’s CRA performance. With respect to institutions designated as wholesale or limited purpose banks, a credit needs determination should consider a bank’s performance using the appropriate CRA performance test provided in the CRA regulations. For banks not subject to CRA, including certain special purpose banks and uninsured branches of foreign banks,2 the examiner should use the CRA regulations only as a guideline when making a credit needs determination for such institutions. Section 109 does not obligate the institution to have a record of performance under the CRA nor does it require the institution to pass any CRA performance tests. 2 A special purpose bank that does not perform commercial or retail banking services by granting credit to the public in the ordinary course of business is not evaluated for CRA performance by the agencies. In addition, branches of a foreign bank, unless the branches are insured or resulted from an acquisition as described in the International Banking Act, 12 USC 3101 et seq., are not evaluated for CRA performance by the agencies.
291
What Enforcement and Sanctions can be taken under IBBEA? [X–4.1]
Enforcement and Sanctions Before a bank can be sanctioned under section 109, the appropriate agency is required to demonstrate that the bank failed to comply with the LTD ratio screen and failed to reasonably help meet the credit needs of the communities served by the bank in the host State. Since the bank must fail both the LTD ratio screen and the credit needs determination in order to be in noncompliance with Section 109, the agencies have an obligation to apply the LTD ratio screen before seeking sanctions, regardless of the regulatory burden imposed. Thus, if a bank receives an adverse credit needs determination, the LTD ratio screen must be applied even if the data necessary to calculate the appropriate ratio are not readily available. Consequently, the agencies are required to obtain the necessary data to calculate the bank’s statewide LTD ratio before sanctions are imposed. If a bank fails both steps of the section 109 evaluation, the statute outlines sanctions that the appropriate agency can impose. The sanctions are: (i) ordering the closing of the interstate branch in the host State; and (ii) prohibiting the bank from opening a new branch in the host State. Sanctions, however, may not be warranted if a bank provides reasonable assurances to the satisfaction of the appropriate agency that it has an acceptable plan that will reasonably help to meet the credit needs of the communities served, or to be served. An examiner should consult with the RO before discussing possible sanctions with any bank. Also, before sanctions are imposed, the agencies stated in the preamble to the final 1997 regulation that they intend to consult with State banking authorities.
292
What is the purpose of the exam procedures for examining Bank Subsidiaries and Affiliates? [X 5.1]
Bank Subsidiaries and Affiliates These examination procedures were developed to provide examiners guidance regarding: 1. how to review bank subsidiaries and affiliates (including those that are not institution-affiliated parties (IAPs)) of an FDIC-supervised institution for compliance with consumer protection laws and regulations; 2. the information and documentation needed to determine whether an affiliate is an IAP; and 3. how to incorporate violations involving subsidiaries and affiliates in the Report of Examination (ROE). These procedures should be used when, in the course of an examination, visitation, or investigation, examiners believe an affiliate or subsidiary of a state non-member bank may have violated fair lending or other consumer protection laws and regulations.
293
What is the Background of Bank Subsidiaries and Affiliates? [X 5.1]
Background FDIC examination authority over IAPs is derived from the Federal Deposit Insurance Act (FDI Act). The FDI Act permits examiners to examine affiliates of insured banks as needed to disclose the relationship between the bank and a given affiliate, as well as the effect of that relationship on the bank.1 The term “affiliate” encompasses any company that controls, is controlled by, or is under common control with another company. Therefore, a subsidiary controlled by a nonmember bank, whether wholly owned or not, is considered an “affiliate” of the bank2 for purposes of the FDI Act. The FDIC generally may only bring enforcement actions against insured state non-member banks and their IAPs.3 Accordingly, while affiliates of FDIC-supervised banks should be reviewed in all cases, it is necessary to determine whether the affiliate qualifies as an IAP of the bank both in order to properly document violations of the affiliate in the ROE and to determine whether such violations can be pursued directly by the FDIC or must be referred to another agency. Once a potential violation of a consumer protection law or regulation is discovered during the review of the affiliate’s activities, then IAP status of the affiliate must be determined. An affiliate may be an IAP based on any one or more of the statutory bases set forth in section (u) of the FDI Act, 12 U.S.C. § 1813(u), where the term “institution-affiliated party” is defined as: 1. any director, officer, employee, or controlling stockholder (other than a bank holding company) of, or agent for, an insured depository institution; 2. any other person who has filed or is required to file a change-in-control notice with the appropriate Federal banking agency under section 7(j); 3. 
any shareholder (other than a bank holding company), consultant, joint venture partner, and any other person as determined by the appropriate Federal banking agency (by regulation or case-by-case) who participates in the conduct of the affairs of an insured depository institution; 4. any independent contractor (including any attorney, appraiser, or accountant) who knowingly or recklessly participates in * any violation of any law or regulation; * any breach of fiduciary duty; or * any unsafe or unsound practice, which caused or is likely to cause more than a minimal financial loss to, or a significant adverse effect on, the insured depository institution. Most often, an affiliate or subsidiary of a bank could be an IAP: * as an agent of the institution under subsection; * as a consultant, joint venture partner, or “other person” participating in the affairs of the institution under subsection; or, * less likely, as an independent contractor whose misconduct has caused serious loss to, or an adverse effect on the institution. 1 12 U.S.C. § 1820(b)(4). 2 Hereinafter “affiliate” will include both subsidiaries (wholly owned or otherwise) and affiliates of the bank. 3 12 U.S.C. § 1813(u); 12 U.S.C. § 1818.
294
What are the Sweep Account Disclosure Requirements—FDIC Part 360.8? [X 6.1]
Sweep Account Disclosure Requirements—FDIC Part 360.8 Introduction These examination procedures were developed to assist examiners in the review of disclosure requirements that apply to all sweep account contracts for compliance with Part 360.8(e) of the FDIC Rules and Regulations. The regulation contained in this part describes the requirement for institutions to prominently disclose to sweep account customers whether the swept funds are deposits and the status of the swept funds if the institution were to fail. For purposes of FDIC Part 360, the term “sweep account” is an account held pursuant to a contract between an insured depository institution and its customer involving the prearranged, automated transfer of funds from a deposit account to either another account or investment vehicle located within the depository institution (internal sweep account), or an investment vehicle located outside the depository institution (external sweep account). Excluded from the requirement are sweep arrangements where funds are moved between deposit accounts and the deposit insurance available to the customer is unchanged.