1: FinCEN’s beneficial ownership rule

The Financial Crimes Enforcement Network’s beneficial ownership rule for reporting companies became effective at the beginning of the year. The rule aims to “make it harder for bad actors to hide or benefit from their ill-gotten gains through shell companies or other opaque ownership structures,” according to FinCEN.

At the time of writing, FinCEN has yet to align the rule’s requirements with those for banks under FinCEN’s 2018 customer due diligence (CDD) rule—an alignment Congress has mandated, says Rhonda R. Whitley, ICBA senior vice president and senior regulatory counsel.

FinCEN’s new beneficial ownership rule implements Corporate Transparency Act requirements that businesses report basic information to the federal government about the real people who ultimately own or control them; it includes changes to several definitions of terms, with fewer items required than under the CDD rules. 

“ICBA is still against financial institutions having to collect beneficial ownership information, especially now that FinCEN is collecting that information directly from reporting companies,” Whitley says. “Nevertheless, we want the CDD rule to be congruent with the new rule.”

Separately, if a reporting company submits incomplete information to FinCEN’s registry, banks should not be compelled to then provide the complete information on behalf of FinCEN, she says. “Now, a bank may choose to obtain beneficial ownership information from FinCEN’s registry to fulfill its own collection requirements for due diligence purposes, but that shouldn’t mean they must also make sure FinCEN gets the right information from the reporting company,” Whitley says. “Under no circumstances should FinCEN expect banks to help facilitate, train or execute any of the requirements between the reporting company and FinCEN.”

“[Customer care is] always our focus, as well as making sure the bank is doing things in an appropriate fashion.”
—David Long, Bryant Bank

2: CFPB’s guidance on ‘phantom’ opt-in overdraft agreements

The Consumer Financial Protection Bureau in September published a circular to help federal and state consumer protection enforcers stop banks from charging overdraft fees based on “phantom” opt-in agreements, in which banks claim they have customers’ consent to charge overdraft fees but have no proof they obtained that consent.

However, nowhere in the underlying rule does it say that banks are required to get that affirmative consent in writing. “If a bank is asked to produce proof of affirmative consent and they’re not able to, according to the circular, this would be a violation of the Electronic Fund Transfer Act and Regulation E,” Whitley says.

Moreover, the underlying rule has a two-year record retention requirement and does not specify which types of records must be retained, so regulators should amend their rules if they wish to impose expectations that exceed current regulations, Whitley says. ICBA and other groups have called on the CFPB to withdraw the circular.

3: FDIC’s proposed rule for FBO accounts in bank-fintech partnerships

The FDIC in September said that it was seeking public comments for a proposed rule to strengthen banks’ recordkeeping of custodial deposit accounts with transactional features, also known as “for benefit of” (FBO) accounts, particularly within bank-fintech partnerships.

Regulators became increasingly concerned with this issue after the bankruptcy of Synapse Financial Technologies Inc., a company that provided middleware software connecting fintech solutions and banks. The downfall of Synapse subsequently affected consumers’ ability to access funds placed at participating banks for a number of months, according to the FDIC.

“Following the bankruptcy, Synapse’s banking partners encountered significant difficulties in obtaining, reviewing and reconciling Synapse’s records and have raised concerns about the accuracy of the records,” the FDIC wrote. “These events also created risks for consumers, including confusion regarding the applicability and availability of deposit insurance to protect their money from loss.”

In a June Synapse bankruptcy filing, trustee and former FDIC chair Jelena McWilliams wrote that while the banks involved had roughly $265 million in these consumer accounts, the fintechs’ records showed they only had about $180 million on hand.

Under the FDIC’s proposed rule, banks in partnerships with fintechs and other third parties would be required to maintain account records using a specific file format provided by the rule. Banks would also be required to implement internal controls to ensure that account balances are accurate, including reconciliations no less frequently than as of the close of business daily.

The rule would permit records to be maintained through a third party if certain specific requirements are satisfied, including, among other things, that the bank would have direct, continuous and unrestricted access to the records of the beneficial owners, including in the event of the business interruption, insolvency or bankruptcy of the third party.

“All five FDIC board members—Democrats and Republicans—agreed that this rule should be proposed, which is fairly uncommon,” says Michael Emancipator, ICBA’s senior vice president and senior regulatory counsel. “The idea is if you reconcile it at the end of the day and the records between a bank and a fintech don’t match up, that will at least trigger an effort to figure out where the discrepancy is arising. Hopefully that gets reconciled before some external event triggers an outflow of deposits.”

The September proposal is the latest regulatory announcement regarding bank-fintech partnerships. In July, the three federal bank regulatory agencies issued a joint statement reminding banks of potential risks associated with third-party arrangements to deliver bank deposit products and services.

Separately, the agencies requested additional information on a broad range of bank-fintech arrangements, including with respect to deposit, payments, and lending products and services. The agencies are seeking input on the nature and implications of bank-fintech arrangements and effective risk management practices.

“I anticipate that there [will be] more proposed rules specific to managing bank-fintech partnerships—not just those providing banking-as-a-service solutions but any way a bank works with fintechs,” says Emancipator.

“[Check fraud has] been an issue before this past year, but it’s really become much more of a problem impacting a lot of our members’ bottom lines.”
—Lance Noggle, ICBA

4: CISA’s additional cyber incident reporting rules

In April, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) proposed new reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

ICBA supported that legislation, but this proposed rule would require banks to meet additional reporting requirements that they currently are not subject to, says Lance Noggle, ICBA’s senior vice president of operations and senior regulatory counsel. “Mainly, it’s about timing,” he says. “There’s different timing for how banks report a cyber incident to the FDIC than for DHS. We’re hoping that DHS will work with our banking regulators to come up with one set of reporting requirements for banks.”

5: Increased check fraud scrutiny for megabanks

Check fraud has become a major issue, Noggle says. ICBA member banks have complained to regulators that large banks are unwittingly processing fraudulent checks from thieves who steal or alter checks written by customers of other banks, including community banks.

“It’s been an issue before this past year, but it’s really become much more of a problem impacting a lot of our members’ bottom lines,” he says.

In response, in their exams with larger banks, regulators are placing extra emphasis on those banks’ procedures for accepting and processing checks, particularly on the megabanks’ fraud-detection efforts. “We’ve also entered into a partnership with the U.S. Postal Service to try to message some additional ways people can protect themselves when mailing checks,” Noggle adds.

While many banks have improved their check fraud prevention efforts, thieves have found even more ways to perpetrate this type of fraud, says David Long, executive vice president of correspondent banking and capital markets at $2.5 billion-asset Bryant Bank in Tuscaloosa, Ala.

“[Banks have invested in] customer education efforts, letting people know not to mail checks in a very evident way,” says Long, “and [have] put in tools and processes that can help business customers protect themselves, as well as the bank.”

Bryant Bank also reminds customers that the bank won’t ask for their personal information in emails or text messages, he says. Rather, fraudsters routinely pose as bank representatives through these channels in an effort to dupe customers into providing personal information, so that fraudsters can either impersonate them or create counterfeit checks.

6: CRA and Section 1071 final rules

ICBA intervened in a suit against the CFPB for “exceeding its statutory authority and acting arbitrarily and capriciously” in finalizing the Dodd-Frank Section 1071 small business data collection rule.

As a result of ICBA’s efforts, the court expanded its temporary injunctive relief to all covered financial institutions, resulting in a 290-day extension of the compliance date. Although the U.S. District Court denied the plaintiffs’ and intervenors’ motion for summary judgment on the Administrative Procedure Act challenges to the rule, ICBA is seeking to appeal the decision in the United States Court of Appeals for the 5th Circuit.

Further, ICBA and other groups continue a legal challenge to federal banking regulators’ Community Reinvestment Act final rule, arguing that regulators exceeded their statutory authority and that the rule will limit future bank lending. A federal judge earlier this year granted an injunction against the CRA rule, as requested by ICBA, and the effective dates will be extended for each day the injunction remains in place, pending the resolution of the lawsuit. 

Still, some community banks, including Bryant Bank, are “spending time, effort and money to have infrastructure” in place to be prepared for implementation, Long says.

“There’s a lot of procedures, policies and systems that have to be put in place for those new regulations, and we’re working on all of the above to make sure we take care of our customers,” he says. “That’s always our focus, as well as making sure the bank is doing things in an appropriate fashion.”