Navigate the biggest legal risks facing community banks. Learn how to manage overdraft fees, Reg E compliance and cyber threats to empower your bank against lawsuits.
Top Legal Risks Facing Community Banks
May 01, 2026 / By Don Sadler
Banks today are facing litigation risks on multiple fronts. This makes it critical to be aware of how plaintiffs’ attorneys are using these legal theories to bring lawsuits against banks and what community bankers can do to protect their financial institutions from legal liability.
Overdraft and NSF fee cases
Abigail Lyle, partner with Hunton Andrews Kurth LLP, says there are a handful of very aggressive plaintiffs’ attorneys who are focusing on overdraft and non-sufficient funds (NSF) fee cases.
“They are getting plaintiffs to sign a financial records authorization, which is sent to the bank requesting bank records on the client’s behalf,” she explains. “Then they mine this data to see if there’s anything they can use to bring a lawsuit.”
One common legal theory is what’s referred to as “authorize positive, settle negative.” In this scenario, funds are available when the transaction is authorized but insufficient by the time it settles due to intervening account activity. Plaintiffs claim that this is an unfair and deceptive practice if not adequately disclosed by banks.
Some core providers have created settings that allow banks to trace transactions to identify whether there were sufficient funds upon authorization even if there weren’t at settlement, and to adjust the fee setting for those scenarios.
“So now, some attorneys are looking for banks that haven’t implemented these settings or whose disclosures around such fees [could be viewed as] inadequate,” says Lyle.
In a similar type of lawsuit, some plaintiffs challenge the use of the available balance without adequate disclosures around this practice. For example, some plaintiffs allege that the use of the available balance (which, unlike the ledger balance, often includes pending or hold items) results in the assessment of overdraft fees, even though the customer may have had a sufficient ledger balance to cover transactions when they posted. Plaintiffs have attempted to challenge this practice if there are not adequate disclosures as to the bank’s balance methodology, including how and when such fees are assessed.
Lyle also points to lawsuits where plaintiffs allege that banks have assessed multiple NSF fees on the same returned item without adequate disclosure around the practice.
“For example, a merchant might re-present an item for payment that is rejected again if funds are still insufficient, and the customer is charged another NSF fee,” she says. “It’s critical to make sure there are adequate disclosures around how your bank will handle this practice.”
Regulation E: Customer opt-in and consent
Another lawsuit community banks need to guard against involves customers consenting to being assessed overdraft fees under Regulation E. This regulation requires banks to provide a reasonable opportunity for customers to affirmatively consent and opt into covered overdraft services, along with a written or electronic notice describing the bank’s overdraft services prior to opting in.
According to Lyle, some plaintiffs are claiming that the Regulation E opt-in form used by banks fails to provide a clear description of how and when overdraft fees will be assessed.
“For example, they claim that the form doesn’t explain which balance method is used for determining if an account is overdrawn, or whether the fee is assessed at authorization or settlement,” she says. “Therefore, they allege that any fees assessed using the form should be refunded to the customer.”
Instead of immediately filing lawsuits, Lyle says many plaintiffs’ attorneys are sending demand letters to try to get banks to settle confidentially, so the bank can avoid a public lawsuit. The best defense is a comprehensive review of all the bank’s overdraft and NSF practices.
“It’s not that you can’t charge these fees,” says Lyle. “You just need to make sure adequate disclosures are in place to clearly explain them to customers.”
Cybercrime and data security
Cyber threats and data breaches are two other areas where community banks face rising litigation risks.
“These [cyber] lawsuits revolve around how banks handle sensitive information and protect against data intrusion by threat actors such as nation-states, organized cybercrime rings and hacktivists,” says John Delionado, managing partner with Hunton Andrews Kurth LLP.
Threat actors are targeting customers’ personal information (PI), banks’ intellectual property (IP) and confidential business information, source code repositories and cloud environments. Recent data breach trends include ransomware, cyber extortion, business email compromise, doxxing and distributed denial-of-service attacks.
According to Delionado, every state has data breach notification laws that require banks to notify affected individuals if unencrypted PI is reasonably believed to have been accessed without authorization. In the event of a data breach, banks should determine if the compromised data is legally considered to be PI, when and how notification is required and whether an exemption applies.
Community banks’ use of technology to track and record customers’ interactions with their websites and online ads is another potential legal liability.
“There’s a whole cottage industry of lawsuits and demand letters around this,” says Delionado. These lawsuits claim that “cookies,” AI technology such as chatbots, and other tracking technology like “pixels” are being used to send customer data to third parties without adequate disclosures and consent.
Last June, a federal court dismissed without prejudice a complaint alleging that a bank used pixels to collect and transmit website visitors’ information to Facebook without proper notice of consent. However, many complaints have survived motions to dismiss.
“The best way to guard against claims like this is to find out if [the website or] anyone at your bank, including your marketing department, is using this kind of tracking technology,” says Delionado. “If they are, carefully review your disclosures to make sure this use is covered.”