April 2024 OBA Legal Briefs

  • Update on the new CRA regulations
  • FDIC rule affects ATMs, websites, apps and more
  • Personal liability

Update on the new CRA regulations

By John S. Burnett

You know that the Federal Reserve Board, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation announced final revisions to their Community Reinvestment Act regulations in October 2023, and those rules were finally published on February 1, 2024, at 89 FR 6574 [https://www.federalregister.gov/d/2023-25797] in the Federal Register. You also probably heard that, although the new regulations will be effective April 1, 2024, most of the changes in the regulations are not applicable until January 1, 2026, and one provision on reporting data under the new rules won’t be applicable until January 1, 2027. There are also some amendments in the rule that will not have an effective date unless and until the CFPB’s “1071” Small Business Lending Reporting rule is given a “green light” by the courts.

Three provisions delayed at the 11th hour

If your bank has been racing to add its CRA Public File to its website, you can relax a bit. The agencies have issued, just a few days before April 1, a supplemental interim final rule that postpones the applicability of revised section __.43 until January 1, 2026. That postponement includes the requirements in revised section __.43 requiring that the written comments from the public, the list of bank branches, and those opened or closed be updated quarterly, as well as the quarterly progress update required in new section __.43(b)(5) for banks with less than “Satisfactory” CRA evaluation ratings.

Also postponed to January 1, 2026, is the applicability date of the facility-based assessment area provision in section __.16.

The third change clears up confusion on which CRA Notice version banks need to post. It will allow banks to continue to use the CRA Notice in the agencies’ “legacy” regulations — the notice they posted before April 1, 2024 — until January 1, 2026.

These three changes were made because they all include requirements based in part on other sections of the updated CRA regulations that will not be applicable until January 1, 2026.

Where your Public File must be available

Because the applicability date for the changes to the Public File requirement has been postponed to January 1, 2026, banks should continue to have their full Public File available at their main office and, if they have offices in more than one state, at one office in each state. The reduced-content Public File can continue to be maintained at other offices.

Banks with public websites can also post their Public Files on their public websites before January 1, 2026, but they will have to continue to make the information in their Public File available to the public, upon request and at no cost from either the website or a physical file, from now until January 1, 2026, and from their public websites on and after that date.

Other developments relating to the new CRA rules

You may also have heard that a number of banking and business trade groups filed a civil suit in the U.S. District Court for the Northern District of Texas challenging the final CRA rules and will request a preliminary injunction to enjoin the agencies from implementing and enforcing the final rules while the suit is pending. In the meantime, the agencies have shown no sign of relenting in their support for the rules, and there has been no news (as of this writing) that an injunction has been issued.

The court issued a preliminary injunction just before the April 1, 2024, effective date, enjoining the Fed, OCC, and FDIC from enforcing the revised CRA regulations, and pushing back the April 1 effective day and each applicability date (such as the January 1, 2026, and January 1, 2027, dates mentioned above) one day for each day the injunction remains in place.

FDIC rule affects ATMs, websites, apps and more

By John S. Burnett

There is another regulatory change with an effective day of April 1, 2024, with compliance required by January 1, 2025, that all FDIC banks should be working on. The FDIC re-wrote subpart A of its regulation on “Advertisement of Membership, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo” (12 C.F.R. Part 328), and it affects every FDIC-insured bank in the nation.

While all of subpart A was re-issued, not everything is changing. Parts of the current rule were simply reorganized and shifted around to group similar topics. For example, current section 328.3 (“Official advertising statement requirements”) has been reissued as section 328.6 and is otherwise largely untouched.

Paragraph 328.6(b)(1) in the new version adds “FDIC-insured” as a new optional short title that can be used in place of the official advertising statement “Member of the Federal Deposit Insurance Corporation,” joining the old standbys “Member FDIC” and “Member of FDIC” that have been approved for decades.

The current section 328.3(d) list of ten types of advertisements that do not require use of the official advertising statement or its alternate short form statements has not been changed in new section 328.6(d), except for the dollar amount in item 10 that was mistakenly not changed from $100,000 to $250,000 when the standard maximum deposit insurance amount (SMDIA) was officially changed in 2010. The new version of that paragraph, in section 328.6(d)(10) reads:

“(10) Advertisements which contain a statement to the effect that the depository institution is a member of the Federal Deposit Insurance Corporation, or that the depository institution is insured by the Federal Deposit Insurance Corporation, or that its deposits or depositors are insured by the Federal Deposit Insurance Corporation to at least the standard maximum deposit insurance amount (as defined in § 330.1(o)) for each depositor.”

Comment: One of the “frequent flyer questions” we get from bankers is a variation on “Do we have to include ‘Member FDIC’ on a [banner/business card/deposit receipt/signature card …]?” The FDIC has not updated this list of “non-advertisements” in decades, and did not do so this time, either.

And, just to wrap up this discussion of new section 328.6, paragraph (f) reads the same as the version in current section 328.3: you can use a non-English equivalent of the official advertising statement in any advertisement, provided that the translation has been given prior written approval by the FDIC. To my knowledge, there is no list of accepted translations that can be accessed by banks. Instead, if your bank wants to use a translation, submit it in writing to the FDIC to obtain approval.

What is changing?

So, what in the rule IS changing? Here’s the short list. Explanations will follow:

  1. Banks have new flexibility in placement of the FDIC official sign
  2. New rules on signage in areas of bank offices in which non-deposit products are offered have been added
  3. There are new areas where the official sign must be placed, such as on ATMs and similar machines
  4. There are new requirements when deposit products are offered or accessible by consumers affecting a bank’s website, online banking portal, and mobile banking apps
  5. New requirements for written policies and procedures

Flexibility in placement of the FDIC official sign. If insured deposits are usually and normally received at teller windows or stations, the insured depository institution (IDI) must display the official sign at each such teller window or station in its standard 7” by 3” size or larger, with black lettering on a gold background. Other color combinations are acceptable as long as the logo and text are in the same color and the background in a contrasting color. No change from the prescribed wording is allowed. So far, no change.

Here’s the first flexible requirement: If the IDI does not offer non-deposit products on the premises, one or more official signs can be placed at one or more locations visible from the teller windows or stations in a manner that ensures a copy of the official sign is large enough to be legible from anywhere in that area, in lieu of placing a sign at each station or window. Stretching this to the ridiculous, I suppose you could replace all the FDIC signs at your teller windows/stations with a single much larger version hung or painted high on the wall behind the tellers.

Another placement option is available for non-traditional deposit reception. If insured deposits are usually and normally received in areas of the premises other than teller windows or stations (customer service desks or other arrangements, such as café style banking like what you may have seen on some Capital One TV ads), the official FDIC sign must be displayed in one or more locations such that a copy of the official sign is large enough to be legible from anywhere in those areas.

An IDI may also display the official sign in other areas, except where non-deposit products are offered.

Non-deposit products offered on an IDI’s premises

In general, non-deposit products must be offered only in areas physically segregated from areas where deposit products are usually and normally accepted. The IDI must identify areas where activities related to the sale of non-deposit products occur and clearly delineate and distinguish those areas from the areas where insured deposit-taking activities occur.

At each non-deposit offering area, the IDI must continuously, clearly, and conspicuously display signage indicating that the non-deposit products:

  • Are not insured by the FDIC
  • Are not deposits
  • May lose value

Such signs may not be in close proximity to the FDIC’s official sign. The FDIC did not specify design or size requirements for the non-deposit sign (other than it be clear and conspicuous).

In limited situations where physical considerations present challenges to offering non-deposit products in a distinct area, an IDI must take prudent and reasonable steps to minimize customer confusion.

Signage on ATMs and similar machines

In the current rule, the phrase “automated teller machine” appears only once, as an example of a “Remote Service Facility,” on which an IDI may, but is not required to, place the official FDIC sign, with certain restrictions. The abbreviation “ATM” does not appear at all. These rules have been around for a long time, after all.

The new rule includes a new section 328.4 that “governs signage for insured depository institutions’ automated teller machines or other remote electronic facilities that receive deposits.” There are separate requirements (1) for these facilities that are placed in service before January 1, 2025, and receive insured deposits but do not offer access to non-deposit products; (2) for ATMs and similar facilities that receive insured deposits and offer access to non-deposit products; and (3) for ATMs placed in service on or after January 1, 2025.

Deposit products only, in service before 1/1/2025: An IDI may comply with the official sign requirement by doing either of the following:

  1. Placing a physical official sign (the version placed at teller windows/stations) on the machine. Such signs are placed on the face of the machine or its enclosure, conspicuously visible to a user, and must be replaced if removed, degraded, or defaced to remain displayed “clearly, continuously, and conspicuously.” This option continues to be available for these machines after 1/1/2025 as long as they do not offer access to non-deposit products.
  2. Displaying the “FDIC official digital sign” [see below] on appropriate screens of the ATM or similar facility as described below for machines placed in service after 1/1/2025.

Deposit products, with access to non-deposit products: By 1/1/2025, an IDI’s ATM or similar machine must clearly, continuously, and conspicuously display disclosures indicating that non-deposit products are not insured by the FDIC, are not deposits, and may lose value, on each transaction page or screen relating to non-deposit products. This disclosure may not be displayed in close proximity to the FDIC digital sign.

ATMs and similar devices placed in service after 1/1/2025: An IDI’s ATM or similar device that receives deposits for an IDI and does not offer access to non-deposit products and is placed into service after January 1, 2025, must display the official digital sign on its home page or screen and on each transaction page or screen relating to deposits.

The FDIC official digital sign

New section 328.5 (Signs for digital deposit-taking channels) introduces a new official sign to be used only in digital deposit-taking channels such as ATMs and similar devices [see above] and IDIs’ websites and web-based or mobile applications that offer the ability to make deposits electronically and provide access to deposits at IDIs. It looks like this: [Image: FDIC official digital sign]

When on a contrasting light background, the letters FDIC are in navy blue and the text to the right is black. If displayed on a dark background, the FDIC and text will both be in white. There are font and size parameters in paragraph (b) of section 328.5.

Requirements for use of the official digital sign on ATM screens were listed earlier. For other IDI deposit-taking channels as listed in the previous paragraph, the official digital sign must, after 1/1/2025, appear on

  1. Initial or homepage of the website or application
  2. Landing or login pages
  3. Pages where the customer may transact with deposits

The official digital sign must be clearly legible across all IDI deposit-taking channels. [NOTE: This will be difficult on mobile banking apps displayed on most cell phones. It may require displaying the official digital sign with text wrapped on two (or more?) lines. I wrote to the FDIC about this problem over a month ago and have not yet had the courtesy of a response. In the prefatory text that accompanied the final rule at publication, the FDIC said it is reviewing options to provide IDIs with technical assistance or guidance to assist in implementing the FDIC official digital sign requirements.]

When placed on a web or app page, the official digital sign should be continuously displayed near the top of the relevant page or screen and in close proximity to the IDI’s name.

Displaying non-deposit signage on digital deposit channels

If a digital deposit-taking channel offers both access to deposits at an IDI and non-deposit products, the IDI must clearly and conspicuously display signage indicating that the non-deposit products: are not insured by the FDIC; are not deposits; and may lose value. This signage must be displayed continuously on each page relating to non-deposit products but may not be displayed in close proximity to the official digital sign.

One-time notice for customers related to third-party non-deposit products

If a digital deposit-taking channel offers access to non-deposit products from a non-bank third party’s online platform, and a logged-in bank customer attempts to access such non-deposit products, the insured depository institution must provide a one-time per web session notification (sometimes referred to as a “speed bump”) on the insured depository institution’s deposit-taking channel before the customer leaves the insured depository institution’s digital deposit-taking channel. The notification must be dismissed by an action of the bank customer before initially accessing the third party’s online platform and it must clearly, conspicuously indicate that the third party’s non-deposit products: are not insured by the FDIC; are not deposits; and may lose value. Nothing in this paragraph shall be read to limit an insured depository institution’s ability to include additional disclosures in the notification that may help prevent consumer confusion, including, for example, that the bank customer is leaving the insured depository institution’s website.

Written policies and procedures

Of course, your bank has a policy requiring compliance with regulations and procedures to implement the policy.

For the first time, the FDIC is now requiring that IDIs establish by January 1, 2025, and maintain written policies and procedures for compliance with this regulation. Such policies and procedures must be commensurate with the nature, size, complexity, scope, and potential risk of the deposit-taking activities of the IDI and must include, as appropriate, provisions related to monitoring and evaluating activities of third parties that provide deposit-related services to the IDI or offer the IDI’s deposit-related products or services to other parties.

Personal liability

By Andy Zavoina

Many years ago, I learned a valuable compliance lesson while making a presentation to my bank’s board. I always liked to tell them I was the conduit between the board and the examiners. Compliance information I provided management and the board flowed regularly and this allowed me to provide two-way communication with the examiners and the bank as a whole, and to insulate the board from ever getting a notice from our examiners asking them to attend a special meeting after an exam, and to bring with them their personal checkbooks as the monetary penalty that was owed had to come from them and not the bank.

In this particular meeting I was discussing Money Market Deposit Accounts. Like many banks before the Reg D amendments in early 2020, we had customers writing more than the allowed number of checks during a statement cycle. Remember the customer could make no more than six transfers or withdrawals, three of which could be by check, draft, debit card or similar order. We used to apply the “couch potato” rule that if they had to get off the couch to make the transfer and it was not convenient to do so, it likely did not count as one of the restricted transfers. If it was convenient, like writing a check, it counted. And those were days when lots and lots of payments were made by check.

Very often the New Accounts folks wanted an exception to the number of transfers rule because this was a good customer with large deposits. But Reg D defined this rule in the definition of a savings account and the money market deposits were savings accounts. There were no exceptions built in and while guidance was that they could have three inadvertent errors in a rolling twelve-month period, that wasn’t set in stone and a habitual violator had little room for exception. I regularly audited the accounts with excessive transfers and Operations had controls to always review them. We also had customers that business development and lenders had persuaded to move to our bank and these deposit accounts and the large balances were factored into the profitability of the relationship. According to most of those exception requests, the customers’ old banks never enforced that rule, so why should we? For the historical record, the requirement was that the following was allowed:

Up to 6 transfers and withdrawals per calendar month or statement period of at least four weeks:

  1. to another account of the depositor at the same financial institution, or to a third party
  2. by automatic or preauthorized transfer
  3. by telephonic agreement (including FAX and data transmission) order or instruction

No more than 3 of these 6 can be by the following and payable to third parties

  1. check
  2. draft
  3. debit card (Point of Sale)
  4. similar orders

Most ACH debits are included in the 6/month limit.

Now you can understand what the requirement was and that these were “good” customers because “good” meant more digits in the average balance. The directors of the bank liked to consider themselves “good customers,” as well, and because of the close relationship and their position, they were better than the average “good customer.” Well, I had one director, as he explained it, several times, whose wife just picked up the wrong checkbook when she went shopping and I will tell you that any time that was the case, six was a very lonely number.

Back to my presentation. I had this problem with some accounts and officers wanting to grant exceptions in addition to the directors’ accounts. I’d recently read an article that I shared with the board. It was about a bank that chose to openly ignore the transfer limitation rule and it was going to accept the risk. The examiners in this article, at this point, were discussing the potential penalties. One of the examiners followed the train of thought that the board sets the direction of the bank. In this case the examiners considered going back to when the problems started and calculating the interest paid on all the money market accounts. The entire category was up for being reclassified as demand deposits. That means interest should not have been paid on those balances for that entire period [this predated the Dodd-Frank Act, which has since made interest on demand deposits legal] and the directors personally could be held responsible to repay the bank the interest that was paid on these accounts. That possibility raised every eyebrow in our board room, and I was assured of complete support and cooperation as I managed the money market accounts audits and my compliance program. My problem director also found a way to color code the checkbooks and there were no problems from his account after that.

The key issue that resonated with the board was individual liability. So often we bankers do not realize that we can often be held accountable for our own actions. That can include monetary penalties and some violations can warrant incarceration – jail time. That is a big step away from the status quo, cushy and prestigious positions some aspire to because they see less responsibility than there actually is. So, I like to provide reminders from time to time to directors, management, officers, and even lower-level employees that they must be aware that if their actions are poorly chosen, regardless of the reason, they are responsible for what they do. This helps with buy-in for the compliance program overall and in getting the resources necessary to do your job. It is not intended to be a scare tactic, but instead a reason to listen, to learn and to perform.

It never helps the bank or the employees, officers or directors to ignore the rules. Good compliance is good for the customers, the bank, and those who carry out those compliance rules with every disclosure they provide, and every Reg E claim they process and every account they service. People need to understand that they may think they are helping the bank by denying a valid Reg E claim, as an example, but they are not, and if they are truly violating the Electronic Fund Transfer Act, they may be putting themselves at risk.

Succinctly, violations, especially “willful” ones, are first the responsibility of the bank as it is the provider of services and the other party in the agreement with the depositor. But if an employee is acting outside the scope of their duties, they may have individual liability. You must ask, what training and education on the topic did the employee have? What was their motivation to do what they are accused of doing? This may be one reason Wells Fargo employees other than management were not held personally responsible for much of the “8 is great” new accounts production requirements and falsely opening new accounts under customers’ names without permission.

Examiners have focused more in the last few years on direct responsibility. When an entity like a bank keeps getting penalized, it has less personal meaning and the entity never went to jail and the people working there never pay out of pocket. So, let’s start a discussion based on a hot item, the Bank Secrecy Act. The law says, “willful violations of the statute or its implementing regulations by an institution and any of its partners, directors, officers, or employees are punishable by a civil penalty of $25,000 (or the amount of the transaction at issue, up to $100,000) per day for each day the violation continues and at each office or location where it occurs or continues.” The BSA is not new and has been a requirement since 1970. But it has been just the last few years that regulators have begun using the personal liability portion of the regulation. While this personal responsibility mindset is happening in other countries as well, in 2015 “the Yates Memo” from Deputy Attorney General Sally Yates announced a call to action for the Department of Justice (DOJ) to increase its efforts to hold executives personally accountable for corporate misdeeds. The Yates Memo stated it was “seeking accountability from the individuals who perpetrated the wrongdoing” as “it deters future illegal activity, it incentivizes changes in corporate behavior, it ensures that the proper parties are held responsible for their actions, and it promotes the public’s confidence in our justice system.”

Has this been the case? Just a few months ago, on January 31, FinCEN assessed a $100,000 penalty against Gyanendra Kumar Asre. According to the press release, “Asre allowed millions of dollars in high-risk transactions to be processed without required anti-money laundering controls or reporting to FinCEN,” said FinCEN Director Andrea Gacki. “Today’s action serves as a reminder that FinCEN will not hesitate to take action against individuals when their conduct jeopardizes the integrity of our financial system.” In addition to the fine, Asre has a five-year ban on working at any institution subject to the BSA rules. There is more to this than just a bad BSA officer. As the BSA Officer at a credit union, Asre was responsible for detecting and preventing money laundering activities. But it gets more personal, and the credit union should have increased oversight because of this relationship. Asre had his own money services business and failed to register it with FinCEN. That violation was compounded by inadequate AML program management that allowed millions of dollars in high-risk transactions to be conducted through the system.

And I did mention incarceration as a penalty available to the DOJ and regulators. Two of the earlier actions go back to 2015 when a then former BSA officer was sentenced to two years in prison and forfeited almost $1 million and another was fined $1 million and threatened with a permanent ban from working in our industry. FinCEN assessed a civil money penalty against Thomas E. Haider. It was alleged that over a five-year period at MoneyGram, he failed to implement and maintain an effective AML program and neglected to comply with BSA requirements to report suspicious activity despite complaints about scams being operated through the MoneyGram system. In the second case, again it was not a banker, but Charlie Shrem, who was both Founder and BSA Officer for BitInstant. This was a Bitcoin exchange and Shrem did correctly register his company as an MSB, but he was allegedly helping another unregistered company in its operations. While Shrem had implemented an AML compliance program, he allegedly failed to file SARs on the illegal activity being conducted by the company he was aiding and abetting. And not related to these, but to personal liability, at the end of March 2024 Sam Bankman-Fried, the former CEO of cryptocurrency exchange FTX, was sentenced to 25 years in prison for crimes of fraud and conspiracy.

Now let’s look at nine separate actions involving personal liability actions against employees of the Bank of England – in England, Arkansas, just for clarity. These were FDIC actions in January 2024. The nine employees actually worked for the Bank of England loan production office in a Detroit suburb. They were accused of using bait and switch tactics among other methods to deceive mortgage applicants. The violations were charged for actions going back to 2018 until 2020. Examples of the deceptive techniques used included misrepresenting actually available loan pricing for mortgage loans, misrepresenting to consumers that they could skip two months of their mortgage payments, and further misrepresenting the loan production office’s affiliation with the Department of Veterans Affairs. These were considered unsafe and unsound practices and were done in part for personal gain. One might assume this was based on loan production but that was not specified in the orders.

The (now former) branch manager was penalized for failing to ensure those working for him were not violating Section 5 of the FTC Act and were not committing the misrepresentations expressed above. He was fined $100,000 and banned from banking. The former sales manager was also banned for the same misrepresentations and fined $12,000. Five other employees were fined a total of $163,500 in amounts ranging from $1,000 to $110,000. The actions they were accused of included luring consumers to apply for mortgage loans with low, unavailable loan prices that would not be honored and subsequently increasing the price before closing the loan, misrepresenting to consumers that they could skip two months of mortgage payments, and misrepresenting to consumers the bank’s affiliation with the Department of Veterans Affairs. Two others were not fined but were recognized for their roles and required remedial training. The fines totaling $275,500 cannot be paid or reimbursed by the bank. These are personal fines.

While employees have personal liability for their own actions, the bank has the responsibility, the obligation, to ensure they understand the requirements of what they do and why. “This is the way we’ve always done it” is not good enough. If you are interested in reading more on these last enforcement actions, links may be found in the BankersOnline Top Stories pages, on February 26, 2024, under the heading of the FDIC January enforcement actions.