Compliance Update with Amy K

The CFPB issues a circular discussing Regulation B adverse action notification requirements and proper use of forms; and a $15MM FinCEN enforcement action. 

CFPB Circular 2023-03
The Consumer Financial Protection Bureau (CFPB) recently issued Circular 2023-03 which discusses Regulation B adverse action notification requirements and the proper use of the CFPB’s sample forms. The discussion begins with the question, “When using artificial intelligence or complex credit models, may creditors rely on the checklist of reasons provided in CFPB sample forms for adverse action notices even when those sample reasons do not accurately or specifically identify the reasons for the adverse action?”

The short answer from the CFPB is: NO; creditors may not rely on the checklist of reasons provided in the sample forms (currently codified in Regulation B) to satisfy their obligations under ECOA if those reasons do not specifically and accurately indicate the principal reason(s) for the adverse action. Nor, as a general matter, may creditors rely on overly broad or vague reasons to the extent that they obscure the specific and accurate reasons relied upon.

The Circular then goes into an analysis of Regulation B requirements. The primary issue/point of the Circular is that some creditors have implemented complex algorithms involving “artificial intelligence” and other predictive decision-making technologies in their underwriting models. These complex algorithms sometimes rely on data harvested from consumer surveillance or data not typically found in a consumer’s credit file or credit application. A creditor may not rely solely on the unmodified checklist of reasons in the sample forms provided by the CFPB if the reasons provided on the sample forms do not reflect the principal reason(s) for the adverse action.

As explained in Regulation B, “[i]f the reasons listed on the forms are not the factors actually used, a creditor will not satisfy the notice requirement by simply checking the closest identifiable factor listed.”  Creditors that simply select the closest, but nevertheless inaccurate, identifiable factors from the checklist of sample reasons are not in compliance with the law. Creditors may not evade this requirement, even if the factors actually considered or scored by the creditor may be surprising to consumers, as may be the case when a creditor relies on complex algorithms that, for instance, consider data that are not typically found in a consumer’s credit file or credit application.

The analysis includes a potential scenario - if a complex algorithm results in a denial of a credit application due to an applicant’s chosen profession, a statement that the applicant had “insufficient projected income” or “income insufficient for amount of credit requested” would likely fail to meet the creditor’s legal obligations. Even if the creditor believed that the reason for the adverse action was broadly related to future income or earning potential, providing such a reason likely would not satisfy its duty to provide the specific reason(s) for adverse action. 
 
FinCEN Enforcement Action
The Financial Crimes Enforcement Network (FinCEN) recently announced an enforcement action resulting in a $15 million civil money penalty against a Puerto Rican International Banking Entity (IBE). The Bank that is the subject of this enforcement action is one of the oldest and was, at times, one of the largest IBEs in Puerto Rico. The Bank drew customers from around Latin America and the Caribbean, particularly customers in the high-risk jurisdiction of Venezuela who regularly engaged in large international U.S. dollar-denominated transfers. Relevant to this enforcement action, the U.S. government repeatedly issued warnings indicating that Venezuela was a high-risk country for money laundering and other financial crimes. Also, FinCEN issued two advisories to financial institutions highlighting AML risks associated with Venezuela during the relevant time period.

An important detail to this enforcement action is the involvement and actions of one of the individuals within the bank. “Executive A” was a citizen of Venezuela and Italy, and a resident of the United Kingdom. Executive A founded the bank in or around August 2008. Executive A was the indirect beneficial owner of the Bank through his ownership in its parent companies. Executive A also served as the Bank’s Chairman of the Board of Directors until August 4, 2022. Executive A held multiple accounts at the bank, including an account in the name of a Hong Kong based personal investment company owned by Executive A (the PIC Account) and an account in the name of a Cayman Islands securities broker-dealer, also indirectly owned by Executive A. During the Relevant Time Period, Executive A exercised control over the day-to-day operations of the Bank.

Throughout the Relevant Time Period, Executive A engaged in a number of suspicious transactions through the Bank, between Executive A or entities under his control, between his personal and business accounts, or with his associates. Many of Executive A’s transactions generated internal alerts for possible suspicious activity. Some of these alerts were initially cleared while others were left unexamined for significant periods of time. Consequently, a number of these transactions would result in untimely SAR filings.

Prior to 2016, the Bank did not file a single SAR on any transaction, despite moving large amounts of money internationally on behalf of high-risk customers, including those located in Venezuela. The Bank failed to file SARs during this time despite numerous related examination findings and the 2015 Consent Order, which explicitly reinforced the Bank’s obligation to monitor all its transactions for suspicious activity and to file SARs with FinCEN.

In 2017 and 2019, the bank was examined and again cited for BSA violations, including failures to file SARs, failures to document decisions not to file SARs, and failures related to due diligence on correspondent accounts for foreign financial institutions, among other AML program deficiencies.

In its 2019 examination, examiners identified dozens of transactions between October 2016 and March 2019 where the Bank should have filed a SAR, including several where Executive A was a party to the transactions. Following that examination, examiners instructed the Bank to backfile SARs on over 300 transactions. The Bank only agreed to backfile SARs on 182 transactions. Further, a significant number of these 182 SARs included language in the narrative disputing whether the examiner properly identified the activity as suspicious. FinCEN determined that the misleading language the Bank included in these SARs undermines the value and integrity of suspicious activity reporting, and creates potential confusion for law enforcement.

The enforcement action includes a number of examples of suspicious activity observed in the bank – which makes for an interesting read (also would make a great character in Ozarks if the series was still going on). FinCEN discusses “Customer A” actions that occurred at the Bank. To highlight a few and to illustrate what was happening at this bank, at the time Customer A opened his account, Customer A was publicly named in a civil lawsuit stemming from a connection to a criminal Venezuelan Ponzi and bribery scheme. Throughout the Relevant Time Period, Executive A and Customer A engaged in a series of transactions that were inconsistent with the personal nature of Customer A’s account, were outside of the range of anticipated transactions as reflected in Customer A’s customer due diligence documents, and had other suspicious indicia. The Bank did not timely file SARs on these suspicious transactions.

Another account the Bank held was AllBank Corporation, which was a Panamanian bank with operations in Panama, a jurisdiction that had a high risk for money laundering during part of the Relevant Time Period. AllBank held a correspondent account at the Bank from 2014 to 2019, during which time it transferred over $100 million through the Bank. During this time, the Bank permitted AllBank to conduct cross-border transactions through its correspondent accounts, at times without conducting any analysis on the underlying transactions at issue.

As discussed in the enforcement order, the Bank violated every pillar of the BSA requirements – internal controls, BSA officer, training, independent testing, as well as the requirement to conduct ongoing monitoring to identify and report suspicious activity.

As always, DakCU members may contact Amy Kleinschmit with any compliance related questions.