August 4, 2014 | dan OCC BULLETIN 2014-37 Subject: Consumer Debt Sales Date: August 4, 2014 To: Chief Executive Officers of All National Banks and Federal Savings Associations, Federal Branches and Agencies, Department and Division Heads, All Examining Personnel, and Other Interested Parties Description: Risk Management Guidance Summary This bulletin provides guidance from the Office of the Comptroller of the Currency (OCC) to national banks and federal savings associations (collectively, banks) on the application of consumer protection requirements and safe and sound banking practices to consumer debt-sale arrangements with third parties (e.g., debt buyers) that intend to pursue collection of the underlying obligations. This bulletin is a statement of policy intended to advise banks about the OCC’s supervisory expectations for structuring debt-sale arrangements in a manner that is consistent with safety and soundness and promotes fair treatment of customers. Highlights The guidance describes the OCC’s expectations for banks that engage in debt-sale arrangements, including ensuring that appropriate internal policies and procedures have been developed and implemented to govern debt-sale arrangements consistently across the bank. performing appropriate due diligence when selecting debt buyers. ensuring that debt-sale arrangements with debt buyers cover all important considerations. providing accurate and comprehensive information regarding each debt sold, at the time of sale. ensuring compliance by the bank with applicable consumer protection laws and regulations. implementing appropriate oversight of debt-sale arrangements. Note for Community Banks This guidance is applicable to all OCC-supervised banks. Background Lending is the primary method by which banks meet the credit needs of their customers. A risk inherent in lending is that some debt will not be repaid. Pursuant to the Uniform Retail Classification and Account Management Policy guidelines, banks are generally required to charge off certain consumer debt when the debt is 180 days past due, and in some instances, earlier than 180 days past due.1 The majority of debt that banks charge off and sell to debt buyers is credit card debt, but banks also sell to debt buyers other delinquent debts, such as auto, home-equity, mortgage, and student loans. Although banks charge off severely delinquent accounts, the underlying debt obligations may remain legally valid and consumers can remain obligated to repay the debts. Banks may pursue collection of delinquent accounts by (1) handling the collections internally, (2) using third parties as agents in collecting the debt, or (3) selling the debt to debt buyers for a fee. This guidance focuses on the third category of bank practice for fully charged-off debt.2 Most debt-sale arrangements involve banks selling debt outright to debt buyers. Banks may price debt based on a small percentage of the outstanding contractual account balances. Typically, debt buyers obtain the right to collect the full amount of the debts. Debt buyers may collect the debts or employ a network of agents to do so. Notably, some banks and debt buyers agree to contractual “forward-flow” arrangements, in which the banks continue to sell accounts to the debt buyers on an ongoing basis. The OCC recognizes that banks can benefit from debt-sale arrangements by turning nonperforming assets into immediate cash proceeds and reducing the use of internal resources to collect delinquent accounts. In connection with charged-off loans, banks have a responsibility to their shareholders to recover losses.3 Still, banks must be cognizant of the significant risks associated with debt-sale arrangements, including operational, compliance, reputation, and strategic risks. Accordingly, banks that engage in debt sales should do so in a safe and sound manner and in compliance with applicable laws—including consumer protection laws—taking into consideration relevant guidance. The OCC has focused on issues related to debt sales for several years and has highlighted the risks associated with this type of activity on a number of occasions. Beginning in 2011, the OCC conducted a review of debt collection and sales activities across the large banks it regulates. Through this work, the OCC identified a number of best practices that OCC large bank examiners have incorporated into their supervision of debt sales activities. In July 2013, the OCC provided a copy of this best practices document to the Senate Subcommittee on Financial Institutions and Consumer Protection. In an accompanying statement, the OCC announced that the agency was using these best practices and insights gained from its on-site supervisory activities to inform the development of policy guidance applicable to a broader range of financial institutions. Since that time, the OCC has received comments and input from a wide variety of interested parties, including financial institutions, debt buyers and collectors, consumer and community advocates, and other governmental entities. The OCC has considered carefully all of this input in formulating the following guidance, which is applicable to all OCC-supervised institutions.4 Risks Associated With Sale of Debt to Debt Buyers Selling debt to a debt buyer can significantly increase a bank’s risk profile, particularly in the areas of operational, reputation, compliance, and strategic risks. Increased risk most often arises from poor planning and oversight by the bank, and from inferior performance or service on the part of the debt buyer, and may result in legal costs or loss of business. Operational risk. Operational risk is the risk of loss to earnings or capital from inadequate or failed internal processes, people, and systems or from external events. Banks face increased operational risk when they sell debt to debt buyers. Inadequate systems and controls can place the bank at risk for providing inaccurate information regarding the characteristics of accounts, including balances and length of time that the balance has been overdue. In addition, banks should be cognizant of the potential for fraud, human error, and system failures when selling debt to debt buyers. Reputation risk. Reputation risk is the risk to a bank’s earnings or capital arising from negative public opinion. Banks should be keenly aware that debt buyers pursue collection from former or current bank customers. Even though a bank may have sold consumers’ debt to a debt buyer, the debt buyer’s behavior can affect the bank’s reputation if consumers continue to view themselves as bank customers. Moreover, abusive practices by debt purchasers, and other inappropriate debt-buyer tactics (including those that cause violations of law), are receiving significant levels of negative news media coverage and public scrutiny.5 When banks sell debt to debt buyers that engage in practices perceived to be unfair or detrimental to customers, banks can lose community support and business. Compliance risk. Compliance risk is the risk to earnings or capital arising from violations of laws, rules, or regulations, or from nonconformance with internal policies and procedures or ethical standards. This risk exists when banks do not appropriately assess a debt buyer’s collection practices for compliance, or when the debt buyer’s operations are inconsistent with law, ethical standards, or the bank’s policies and procedures. The potential for serious or frequent violations or noncompliance exists when the bank’s oversight program does not include appropriate audit and control features, particularly when the debt buyer implements new collection strategies or expands existing ones. Compliance risk increases when privacy of consumer and customer records is not adequately protected, such as when confidential consumer data are released before a sale of the data, or when conflicts of interest between a bank and debt buyers are not appropriately managed, such as when the debt buyers pursue questionable collection tactics. Strategic risk. Strategic risk is the risk to earnings or capital arising from adverse business decisions or improper implementation of those decisions. Strategic risk arises when a bank makes business decisions that are incompatible with the bank’s strategic goals or that do not provide an adequate return on investment. Strategic risk increases when bank management introduces new business decisions without performing adequate due diligence reviews or without implementing an appropriate risk management infrastructure to oversee the activity. Strategic risk also increases when management does not have adequate expertise and experience to properly carry out decisions. Decisions to sell debt to debt buyers must be carefully analyzed to ensure consistency with the bank’s strategic goals. Selling debt to debt buyers without first performing appropriate due diligence, or without taking steps to implement an appropriate risk management structure, including having capable management and staff in place to carry out debt sales, increases the bank’s strategic risks. Supervisory Concerns With Debt-Sale Arrangements Debt-sale arrangements can pose considerable risk to banks that do not conduct appropriate due diligence to assess and manage those risks. Through its supervisory process, the OCC has identified instances in which banks agreed to sell debt to debt buyers without full understanding of the debt buyers’ collection practices. Banks should know what resources debt buyers use to manage and pursue collections and consider the debt buyers’ past performance with consumer protection laws and regulations. The OCC has identified situations in which banks inappropriately transferred customer information to debt buyers. In these instances, banks gave debt buyers access to customer files so they could assess credit quality before the debt sale, without the banks first making proper customer disclosures, which was inconsistent with the banks’ internal privacy policies and applicable laws and regulations. The OCC also has identified instances in which banks, debt buyers, or both had inadequate controls in place to protect the transfer of customer information. In addition, the OCC has identified debt-sale arrangements between banks and debt buyers that lacked confidentiality and information security provisions. Debt-sale arrangements between banks and debt buyers should clearly specify each party’s duties and obligations regarding confidential customer information, and should include provisions requiring debt buyers to comply with applicable laws and consumer protections. Through its supervisory process, the OCC also has identified issues related to the adequacy of customer account information transferred from banks to debt buyers, including situations in which the transferred customer files lack information as basic as account numbers or customer payment histories. In these circumstances, because the debt buyers pursue collection without complete and accurate customer information, the debt buyers may employ inappropriate collection tactics or engage in conduct that is prohibited based on the facts of a particular case (e.g., pursue collection on a debt that was previously discharged in bankruptcy or after the applicable statute of limitations). Lastly, the OCC has found that some banks may lack appropriate internal oversight of debt-sale arrangements to minimize exposure to potential risks. For example, some banks have not developed and implemented bank-wide policies and procedures to ensure that debt-sale arrangements are governed consistently across their organizations. Supervisory Expectations of Debt Sales The OCC expects banks to structure debt-sale arrangements in a prudent and safe and sound manner to promote the fair treatment of customers. OCC examinations assess management oversight of debt-sale arrangements and focus on compliance with applicable consumer protection statutes and potential safety and soundness issues. The OCC takes appropriate supervisory action to address any unsafe or unsound banking practices associated with debt sales, to prevent harm to consumers, and to ensure compliance with applicable laws. OCC-supervised banks are expected to adopt appropriate practices in connection with debt sales. The OCC considers the following practices to be consistent with safety and soundness. Ensure appropriate internal policies and procedures are developed and implemented to govern debt-sale arrangements consistently across the bank. Policies and procedures should identify the persons or offices within the bank responsible for all debt sales across the bank. The establishment of an oversight committee by the bank should also be considered. require that a financial analysis be completed detailing why selling debt is more beneficial than other options that might be available to the bank, such as managing the debt collection internally or employing debt collectors. assess how debt sales align with the bank’s business strategy and risk profile. include ongoing monitoring and analysis of repurchase requests from debt buyers to improve the bank’s account review process before each debt sale. require involvement of appropriate bank personnel in the debt-sale approval process to ensure all risks are fully considered (e.g., compliance, risk management, information technology, credit, legal, collections, audit, and information security). identify types of accounts that should not be sold and specify quality control standards for debt that is sold, with an emphasis on ensuring the accuracy of account balance information. ensure that debt-sale arrangements with debt buyers clearly delineate the responsibilities of the parties involved. require the provision of detailed and accurate information to debt buyers at the time of sale (to enable them to pursue collections in compliance with applicable laws and consumer protection requirements). ensure that customers receive timely notification from the bank that the debt has been sold, the dollar amount of the debt transferred, and the name and address of the debt buyer. ensure that credit bureau reporting is up-to-date and accurately reflects the sale or transfer of the debt to the debt buyer. specify internal bank documentation retention and quality control standards. ensure that the bank’s management information systems can generate timely, accurate, and comprehensive reports for bank management that detail debt sales across lines of business, sales prices, repurchase volumes, losses incurred, and customer complaints. address internal review standards to ensure debt sales comply with the bank’s own policies and procedures. Perform appropriate due diligence when selecting a debt buyer. 6 Debt buyers pursue collection from former or current bank customers, so banks should fully understand the debt buyers’ collection practices, including the resources that debt buyers or their agents use to manage and pursue collection. Banks should perform appropriate due diligence before entering into debt-sale arrangements with debt buyers. For example, banks should assess the potential debt buyers’ background, experience, and past performance, including consumer complaints about the debt buyers, and assess steps taken by debt buyers to investigate and resolve the complaints. Before entering into any arrangements with debt buyers, banks should review all pertinent information (including audited financial statements) to confirm that debt buyers are financially sound and appropriately licensed and insured. In addition, before entering into debt-sale arrangements, banks should determine what repurchase and litigation reserves should be established given the size and type of debt sales contemplated. Before a bank enters into a contract with a debt buyer, the debt buyer should be able to demonstrate that it maintains tight control over its network of debt buyers and that it conducts activities in a manner that will not harm the bank’s reputation. In particular, a debt buyer’s staff should be appropriately trained to ensure that it follows applicable consumer protection laws and treats customers fairly throughout the collection process. In addition, banks contemplating entering into a relationship with debt buyers should first assess the debt buyer’s record of compliance with consumer protection laws and regulations. Banks should conduct this level of due diligence before entering into new relationships with debt buyers, and periodically when forward-flow contractual arrangements are in place. Banks should reserve the right to terminate such relationships when appropriate. This means banks should develop and implement controls and processes to ensure risks are properly measured, monitored, and controlled, and develop and implement appropriate performance review systems. Ensure debt-sale arrangements with debt buyers cover all important considerations. The structure of the arrangements between the banks and the debt buyers depends on the written contracts between the parties. The contracts should reflect clear, consistent terminology. To the extent that more than one business line at the bank sells debt, banks, if appropriate, should use standard language for all business lines’ debt-sale arrangements. Regardless of the structure of the arrangements, the duties and obligations of the parties, particularly provisions for confidentiality and information security, should be clearly delineated in the contracts, as should responsibility for compliance with applicable consumer protection laws. This includes a termination plan to ensure that customer information is returned to the bank or destroyed in accordance with the debt-sale arrangement. In addition, banks should include minimum-service-level agreements in debt-sale arrangements to promote fair and consistent treatment of customers, applicable whether debt buyers conduct the collection activities or employ other collection agents. Banks should ensure that the debt-sale arrangements address the extent to which the debt buyers can resell debt. Each time account information changes hands, risk increases that key information will be lost or corrupted, calling into question the legal validity and ownership of the underlying debt. Moreover, resales of debt increase the possibility that subsequent purchasers will pursue collection efforts against the wrong individual, seek to collect the wrong amount, or both. Therefore, in drafting debt-sale arrangements, banks should address whether subsequent resales of former bank debt would be permitted. If so, debt-sale arrangements should obligate the initial debt buyer to conduct thorough due diligence on the proposed purchaser and to pass on all account information and documentation in its possession to a subsequent buyer. Banks should ensure that contracts with debt buyers address the volume of accounts (both in terms of the total dollar amount and percentage of debt sold, as well as aggregate numbers of accounts) and the reasons why the debt buyer can litigate. Debt-sale arrangements should address the debt buyers’ obligations to engage in ongoing efforts to maintain the accuracy of the information provided by banks. Lastly, where applicable, banks should ensure that contracts do not include compensation provisions that incent debt buyers to act aggressively or improperly. Provide accurate and comprehensive information regarding each debt sold, at the time of sale. Banks should ensure that their debt buyers have accurate and complete information necessary to enable them to pursue collections in compliance with applicable laws and consumer protections. Banks that engage in debt sales should have a strong risk management culture, including a quality control function that evaluates all proposed debt sales before they occur. This may involve the use of “data scrubs” and transactional sampling to ensure that account data are complete and accurate before accounts are transferred to the buyer. For each account, the bank should provide the debt buyer with copies of underlying account documents, and the related account information, as applicable and in compliance with record retention requirements, including the following: A copy of the signed contract or other documents that provide evidence of the relevant consumer’s liability for the debt in question. Copies of all, or the last 12 (whichever is fewer), account statements. All account numbers used by the bank (and, if appropriate, its predecessors) to identify the debt at issue. An itemized account of all amounts claimed to be owed in connection with the debt to be sold, including loan principal, interest, and all fees. The name of the issuing bank and, if appropriate, the store or brand name. The date, source, and amount of the debtor’s last payment and the dates of default and amount owed. Information about all unresolved disputes and fraud claims made by the debtor. Information about collection efforts (both internal and third-party efforts, such as by law firms) made through the date of sale. o The debtor’s name, address, and Social Security number. Certain types of debt are not appropriate for sale. Debt clearly not appropriate for sale, because it likely fails to meet the basic requirements to be an ongoing legal debt, includes the following: Debt that has been otherwise settled or is in process of settlement. Debt of deceased account holders. Debt of borrowers that have sought or are seeking bankruptcy protection. Debt of account holders currently in litigation with the institution. Debt incurred as a result of fraudulent activity. Accounts lacking clear evidence of ownership. In addition, banks should refrain from the sale of certain additional types of debt because the sales of these types of accounts may pose greater potential compliance and reputational risk. These include: Accounts eligible for Servicemembers Civil Relief Act protections. Accounts of minors. Accounts in disaster areas. Accounts close to the statute of limitations. If banks are required to repurchase accounts from debt buyers after sales are completed, the banks’ quality control personnel should evaluate why the accounts were returned and determine whether additional quality controls need to be implemented. If necessary, banks should complete look-back reviews to determine whether they or the debt buyers engaged in practices that hurt consumers. Comply with applicable laws and regulations. Banks should implement effective compliance risk management systems, including processes and procedures to appropriately manage risks in connection with debt-sale arrangements. Examiners review banks’ debt-sale arrangements for compliance with applicable consumer protection statutes and regulations. In particular, banks should ensure that all parties involved in the debt-sale arrangement have strong controls in place to ensure that sensitive customer information is appropriately protected. Federal laws and regulations applicable to debt sales include the following: Fair Debt Collection Practices Act (FDCPA). The FDCPA applies to debts incurred primarily for the consumer’s personal, family, or household purposes, and is designed to (1) eliminate abusive practices in the collection of consumer debts, (2) promote fair debt collection, and (3) provide consumers with an avenue for disputing and obtaining validation of debt information in order to ensure the information’s accuracy.7Under the FDCPA, “debt collector” is defined broadly to generally encompass debt buyers working on behalf of original creditors, including banks.8 Fair Credit Reporting Act (FCRA). The FCRA, which is implemented by Regulation V, regulates the collection, dissemination, and use of consumer information, including consumer credit information.9 The FCRA and Regulation V require that furnishers of information to consumer reporting agencies (e.g., creditors such as banks and debt buyers) follow reasonable policies and procedures in connection with the accuracy and integrity of consumer credit information they report to the consumer reporting system. If consumer information is furnished to credit reporting agencies, banks and debt buyers have affirmative duties to (1) provide complete and accurate information to the credit reporting agencies, (2) investigate disputed information from consumers, and (3) inform consumers about negative information that has been or will be placed in their credit reports. Gramm-Leach-Bliley Act (GLBA). Certain provisions of the GLBA and Regulation P, which implements the GLBA,10 require banks to provide consumers with privacy notices at the time the consumer relationships are established and annually thereafter. The privacy notice must disclose (1) the information collected about the consumer, (2) where that information is shared, (3) how that information is used, and (4) how that information is protected. In addition, this law imposes limitations on banks’ sharing of nonpublic personal information with debt buyers. Equal Credit Opportunity Act (ECOA). The ECOA and its implementing regulation, Regulation B,11prohibit discrimination in any aspect of a credit transaction on a “prohibited basis”; i.e., because of a customer’s (1) race, (2) color, (3) religion, (4) national origin, (5) sex, (6) marital status, (7) age (provided the customer has the capacity to contract), (8) receipt of public assistance income, or (9) exercise in good faith of any right under the Consumer Credit Protection Act or any state law under which an exemption has been granted by the Consumer Financial Protection Bureau (CFPB). The prohibition against discrimination in any aspect of a credit transaction on a prohibited basis includes collection procedures.12 Federal Trade Commission Act (FTC Act). Section 5 of the FTC Act prohibits unfair or deceptive acts or practices (UDAP) in or affecting commerce.13 Acts or practices may be found to be unfair when or if (1) they cause or are likely to cause substantial injury to consumers, (2) the injury cannot be reasonably avoided by consumers, and (3) the injury is not outweighed by countervailing benefits to consumers or to competition. Public policy may also be considered in determining whether acts or practices are unfair. Acts or practices may be found to be deceptive if (1) there is a representation, omission, act, or practice that misleads or is likely to mislead a consumer, (2) the act or practice would be deceptive from the perspective of a reasonable consumer, and (3) the misleading representation, omission, act, or practice is material. Implement appropriate oversight of the debt-sale arrangement. The bank’s oversight responsibilities will vary depending on the structure of the arrangement between the bank and the debt buyer. Regardless of the structure of the arrangement, the bank’s appropriate oversight of the debt-sale arrangement is important to minimize the bank’s exposure to potential reputation damage and supervisory action. In addition to monitoring the implementation of the sales contract, particularly when the bank is engaged in a forward-flow arrangement with a debt buyer, the bank should consider, as applicable, (1) reviewing the debt-buyer’s annual financial statements to ensure ongoing financial strength, (2) remaining alert for any relevant adverse information about the debt-buyer’s principals, and (3) monitoring the bank’s complaints for any potential adverse treatment of consumers by the debt buyer. In addition, the bank’s ongoing due diligence should be focused on the volume of, and reasons for, repurchases by the bank. The bank’s audit program should periodically evaluate its compliance with its debt-sale policies and procedures. Results of all oversight activities should be reported periodically to the bank’s board of directors or designated committee, including identified weaknesses, which should be documented and properly addressed. Examiners determine whether bank management has established controls and implemented a rigorous analytical process to identify, measure, monitor, and manage the risks associated with debt sales. If examiners find unsafe or unsound practices or practices that fail to comply with applicable laws or regulations, the OCC will take appropriate supervisory action, including enforcement actions, when warranted. When the OCC becomes aware of concerns with nonbank debt buyers, the agency refers those issues to the CFPB, which has jurisdiction over these entities. Further Information Direct questions to Kathryn Gouldie, Retail Credit Expert–Large Bank Supervision, at (202) 649-6210; Kimberly Hebb, Director for Compliance Policy, at (202) 649-5470; Kenneth Lennon, Assistant Director for Community and Consumer Law, at (202) 649-6350; or Robert Piepergerdes, Director for Retail Credit Risk, at (202) 649-6220. John C. Lyons Jr. Senior Deputy Comptroller and Chief National Bank Examiner 1 For closed-end credit, loans should be charged off when a loss is identified but generally not later than 120 days past due. Such open-end loans as credit card accounts must be charged off at 180 days past due. See OCC Bulletin 2000-20, “Uniform Retail Credit Classification and Account Management Policy: Policy Implementation” (June 20, 2000). 2 This guidance applies to all outright legal sales of charged-off debt by banks. This guidance does not apply when a bank has a residual interest in the debt that is sold (e.g., the bank continues to receive income from the debt, or the bank receives a percentage of any recovery by the debt buyer). 3 For the purposes of the Federal Financial Institutions Examination Council’s (FFIEC) Consolidated Reports of Condition and Income (also known as call reports), accounting for cash proceeds received, including timing of any revenue or recoveries recorded, and debt-sale arrangement terms such as representations and warranties, should follow generally accepted accounting principles and the FFIEC’s “Instructions for the Preparation of Consolidated Reports of Condition and Income.” 4 This guidance does not create any new legal rights against a bank that sells debt, either for a consumer whose debt is sold or for any other third party. 5 See “The Structure and Practices of the Debt Buying Industry” (Federal Trade Commission, January 2013). 6 Banks should follow the guidance for assessing and managing risk associated with third-party relationships that is detailed in OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” (October 30, 2013). 7 See 15 USC 1692. 8 An institution is not considered a debt collector under the FDCPA if the institution collects its own debts under its own name, or for debts that it originated and then sold but continues to service (e.g., a mortgage loan). 9 See FCRA at 15 USC 1681-1681x and Regulation V at 12 CFR 1022-1022.140. 10 For the general provisions of GLBA that govern disclosure of nonpublic personal information, see 15 USC 6801-6809. See also Regulation P, which implements the provisions of GLBA pertaining to privacy of consumer financial information, at 12 CFR 1016. 11 See ECOA at 15 USC 1691-1691f and Regulation B at 12 CFR 1002. 12 See 12 CFR 1002.2(m) (“Credit transaction means every aspect of an applicant’s dealing with a creditor regarding an application for credit or an existing extension of credit (including, but not limited to, information requirements; investigation procedures; standards of creditworthiness; terms of credit; furnishing of credit information; revocation, alteration, or termination of credit; and collection procedures”). 13 See 15 USC 45(a). The OCC enforces the FTC Act’s prohibition against UDAP pursuant to its authority in the Federal Deposit Insurance Act. See 12 USC 1818(b). The Office of the Comptroller of the Currency (OCC) charters and oversees a nationwide system of national banks and federal savings associations and assures that these banking institutions are safe and sound, competitive, and capable of serving the banking needs of their customers in the best possible manner.