Federal Deposit Insurance Corporation
Office of Inspector General

The FDIC's Role in Operation Choke Point and Supervisory Approach to Institutions that Conducted Business with Merchants Associated with High-Risk Activities

This is the accessible text file for FDIC OIG report number AUD-15-008 entitled 'The FDIC’s Role in Operation Choke Point and Supervisory Approach to Institutions that Conducted Business with Merchants Associated with High-Risk Activities'.

This text file was formatted by the FDIC OIG to be accessible to users with visual impairments.

We have maintained the structural and data integrity of the original printed product in this text file to the extent possible. Accessibility features, such as descriptions of tables, footnotes, and the text of the Corporation’s comments, are provided but may not exactly duplicate the presentation or format of the printed version.

The portable document format (PDF) file also posted on our Web site is an exact electronic replica of the printed version.

Office of Audits and Evaluations Report No. AUD-15-008

The FDIC’s Role in Operation Choke Point and Supervisory Approach to Institutions that Conducted Business with Merchants Associated with High-Risk Activities

September 2015

Executive Summary

Why We Did The Audit

In a letter dated October 23, 2014, thirty-five Members of Congress (referred to hereinafter as Members) requested that the FDIC Office of Inspector General (OIG) investigate the involvement of the FDIC and its staff in the creation and/or execution of the United States Department of Justice (DOJ or Department) initiative known as Operation Choke Point. In the letter, Members expressed concern that the FDIC was working with DOJ in connection with Operation Choke Point to pressure financial institutions to decline banking services to certain categories of lawfully operating merchants that had been associated with high-risk activities. The letter also indicated that it was the Members’ belief that FDIC officials had abused their authority by advancing a political or moral agenda to force certain lawful businesses out of the financial services space.

On December 17, 2014, the FDIC Chairman requested that, as part of our planned and ongoing work in this area, we conduct a fact-finding review of the actions of one former and four current senior FDIC officials. The Chairman’s request was prompted by concerns raised by a Congressman in a letter dated December 10, 2014 that stated the five officials had allowed their personal and political views to interfere with the important work of the FDIC and that the officials had misled the American people through their emails and in meetings with, and testimony before, the Congress.

The objectives of the audit were to (1) describe the FDIC’s role in the DOJ initiative known as Operation Choke Point and (2) assess the FDIC’s supervisory approach to financial institutions that conducted business with merchants associated with high-risk activities for consistency with relevant statutes and regulations. As part of the audit, we reviewed a non-statistical sample of 23 FDIC-supervised financial institutions to assess the FDIC’s supervisory approach for addressing identified concerns. We also determined the extent to which the five referenced officials were involved with Operation Choke Point and whether their actions involving the institutions we reviewed were based on personal, political, or moral agendas aimed at forcing lawfully operating businesses out of the banking sector. Work on a separate inquiry by the OIG’s Office of Investigations into whether one of these five individuals had misled the American people in testimony before the Congress was completed at the close of this audit.

Background

In November 2012, attorneys within DOJ’s Civil Division proposed an internal initiative intended to protect consumers from fraud perpetrated by fraudulent merchants, financial institutions, and financial intermediaries known as third-party payment processors (TPPP). The initiative, which DOJ named Operation Choke Point, focused on the relationship between TPPPs and financial institutions because these relationships were the means by which fraudulent merchants were able to access the banking system to commit consumer fraud. In carrying out its work in connection with Operation Choke Point, DOJ issued 60 administrative subpoenas from February 2013 through August 2013 to entities for which the Department determined it had evidence of potential consumer fraud. According to DOJ employees that we spoke with during the audit, 20 of the subpoenas were issued to FDIC-supervised financial institutions.

In August 2013, Members became concerned that the FDIC and DOJ were pressuring financial institutions and TPPPs to terminate business relationships with lawful lenders that provided short-term credit options to underserved consumers. Since that time, Members have also expressed concern that financial institutions were declining basic banking services, such as deposit accounts and loans, to entire categories of merchants that had been associated with high-risk activities. Members asserted that the FDIC and DOJ were using a “high-risk list” of merchant categories that was published in an informational article contained in the FDIC’s summer 2011 edition of the Supervisory Insights Journal, together with certain FDIC supervisory guidance, to target institutions for increased scrutiny.

The FDIC has defined higher-risk activities as those that have been understood by industry and financial regulators as being subject to complex or varying legal and regulatory environments (such as activities that may be legal only in certain states); being prohibited for certain consumers (such as minors); being subject to varying state and federal licensing and reporting regimes; or tending to display a higher incidence of consumer complaints, returns, or chargebacks. In the context of this audit, merchants associated with high-risk or higher-risk activities include (among others) payday lenders, pawnbrokers, firearms and ammunition manufacturers and retailers, and tobacco retailers.

The FDIC has broad authority under the Federal Deposit Insurance Act (FDI Act), as amended, and other statutes and regulations to supervise the activities of state-chartered financial institutions that are not members of the Federal Reserve System. The FDIC’s Risk Management Manual of Examination Policies, Compliance Examination Manual, and Formal and Informal Actions Procedures Manual describe the FDIC’s approach for determining an appropriate supervisory corrective action to address an identified concern. In general, these manuals outline a risk-based, graduated approach for addressing concerns identified through the supervisory process. According to two of the manuals, it is sufficient in many cases for examiners to use moral suasion or make written recommendations in reports of examination to address identified problems or concerns. If such actions would not be sufficient, or if serious concerns exist, stronger actions may be taken in the form of informal or formal corrective actions against an institution or responsible individuals.

Audit Results

The FDIC’s involvement in Operation Choke Point has been limited to a few FDIC staff communicating with DOJ employees regarding aspects of the initiative’s implementation. These communications with DOJ generally related to the Corporation’s responsibility to understand and consider the implications of potential illegal activity involving FDIC-supervised financial institutions. Overall, we consider the FDIC’s involvement in Operation Choke Point to have been inconsequential to the overall direction and outcome of the initiative.

We determined that the FDIC’s supervisory approach to financial institutions that conducted business with merchants on the high-risk list was within the Corporation’s broad authorities granted under the FDI Act and other relevant statutes and regulations. However, the manner in which the supervisory approach was carried out was not always consistent with the FDIC’s written policy and guidance.

We found no evidence that the FDIC used the high-risk list to target financial institutions. However, references to specific merchant types in the summer 2011 edition of the FDIC’s Supervisory Insights Journal and in supervisory guidance created a perception among some bank executives that we spoke with that the FDIC discouraged institutions from conducting business with those merchants. This perception was most prevalent with respect to payday lenders.

With the exception of payday lenders, we found no instances among the financial institutions we reviewed where the FDIC pressured an institution to decline banking services to a merchant on the high-risk list. Further, bank executives that we spoke with indicated that, except for payday lenders, they had not experienced regulatory pressure to terminate an existing customer relationship with a merchant on the high-risk list, including a firearms, ammunition, or tobacco retailer. As described below, the FDIC has had concerns regarding payday lending by financial institutions that precede Operation Choke Point by many years. These concerns led to supervisory guidance and actions that caused FDIC-supervised institutions to stop offering payday loans. More recently, FDIC officials became concerned about other types of banking activities that facilitate payday lending.

Payday Lending and Related Activities

The FDIC’s payday lending guidance, which was established in 2003 and updated in 2005, increased expectations and placed heightened scrutiny on institutions that were engaged in payday lending. As a result of the guidance and related supervisory actions, the relatively few FDIC-supervised institutions that were making payday loans stopped doing so in 2006. In the years that followed, the FDIC took steps to encourage institutions to offer affordable, small-dollar loans and researched and communicated concerns about emerging credit products that can have characteristics similar to payday loans, such as deposit advance products.

We found that a number of FDIC officials also had concerns about Automated Clearing House (ACH) payment processing by financial institutions for payday lenders. These concerns were based on the premise that such services facilitate payday lending. The heightened level of concern for payday lending by financial institutions and related ACH processing was reflected in the negative tenor of internal email communications among senior FDIC staff and others that we reviewed. In some cases, these communications involved instances in which FDIC personnel contacted institutions and used moral suasion to discourage them from adopting payday lending products or providing ACH processing for payday lenders. The FDIC does not have a formal definition of moral suasion in its policies. However, examiners commonly use moral suasion in an attempt to influence risk management practices at financial institutions before perceived problems rise to a level that necessitates an informal or formal enforcement action.

We noted two instances in which the FDIC discouraged institutions from providing ACH processing to payday lenders in written communications to the institutions. In both instances, the FDIC’s principal stated concern was the reputation risk to the institutions due to their potential or existing relationship with a payday lender. The FDIC does not centrally track its written communications to financial institutions that involve ACH processing concerns. Accordingly, we were unable to determine how often such communications occur. However, our discussions with FDIC executives and our review of regional office status reports identified only three institutions where FDIC officials raised concerns regarding ACH processing practices for payday lenders.

The FDIC’s Actions to Address Concerns Regarding its Supervisory Approach

FDIC officials determined that there were misperceptions regarding the Corporation’s supervisory approach to institutions that conduct business with merchants on the high-risk list and, therefore, the FDIC took several actions beginning in September 2013. Specifically, the FDIC withdrew references to high-risk merchants from the Supervisory Insights article and its guidance, clarified its supervisory policy and guidance, and established an internal policy for documenting and reporting instances in which staff recommend or require institutions to terminate deposit account relationships. Among other things, the internal policy does not allow for the termination of deposit account relationships based solely on reputation risk to an institution. These actions were intended to make clear the FDIC’s policy that financial institutions that properly manage customer relationships and effectively mitigate risks are neither prohibited nor discouraged from providing financial services to customers, regardless of the customers’ business category, provided that the institutions operate in compliance with applicable laws.

We noted that the policy and guidance described above focuses on deposit accounts and does not explicitly address various other types of banking products, such as credit products. In addition, it is too soon, in our view, to determine whether the actions taken by the FDIC will ensure a common understanding and sustained application of the FDIC’s supervisory approach to the issues and risks discussed in this report, both within the FDIC and at FDIC-supervised institutions.

Role of Certain FDIC Officials

We concluded that the five officials referenced above did not play a role in the development or implementation of Operation Choke Point. We also concluded that the individuals did not pursue their own personal, political, or moral agendas aimed at forcing lawfully operating businesses on the high-risk list out of the banking sector. As it pertains to payday lending and related activities, we concluded that the officials acted consistent with a widely-held understanding that the highest levels of the FDIC disfavored these types of banking services. We did, however, identify certain internal email communications and one written communication to an institution involving three of the five individuals that were not consistent with the FDIC’s written policy and guidance pertaining to payday lending and related activities.

Refund Anticipation Loans

Our report includes an observation on the FDIC’s supervisory approach to financial institutions that offered a credit product known as a refund anticipation loan (RAL). The FDIC considers RALs to carry a significant degree of risk to financial institutions, including third-party, reputation, compliance, and legal risks. Of particular concern to the FDIC is whether an institution can ensure proper underwriting and compliance with consumer protection requirements, particularly when RALs are brokered by large numbers of third-party tax return preparers (sometimes called electronic refund originators—EROs) in conjunction with the filing of a taxpayer’s income tax return. Although RALs were not on the high-risk list, we observed that the FDIC’s supervisory approach to institutions that offered this type of credit product involved circumstances that were similar to those that prompted the Congressional request to our office.

We identified three FDIC-supervised institutions that offered RALs. These institutions began offering RALs in 1987, 1988, and 2007, respectively. At various times from 2004 through 2009, FDIC examiners criticized the risk management practices pertaining to RALs at two of these institutions during compliance and risk management examinations. In late 2009 and early 2010, the FDIC sent letters to all three institutions expressing concerns about RALs and requesting that the institutions submit plans for discontinuing this type of lending. In early 2011, after efforts to convince these institutions to discontinue offering RALs were unsuccessful and supervisory concerns remained, the tenor of the FDIC’s supervisory approach became aggressive. In one case, the FDIC took the highly unusual step of conducting a simultaneous, unannounced review of 250 EROs in 36 states involving hundreds of FDIC examiners in order to develop the evidence needed to compel the institution to stop offering RALs. In another case, a former FDIC supervisory attorney used a confrontational approach to pressure an institution’s Board to terminate its RAL offerings. By April 2012, all three institutions had stopped offering RALs.

The FDIC drafted a policy statement in 2010 that defined the FDIC’s supervisory concerns and expectations for institutions offering RALs. However, the policy statement was never finalized. In our view, establishing such a policy would have been prudent to ensure institutions understood the risks associated with RALs and provide transparent supervisory guidance and expectations for institutions already (or contemplating) offering RALs.

We concluded that the supervisory actions taken with respect to the three institutions that offered RALs fell within the Corporation’s broad statutory authorities because the Corporation is permitted to require a financial institution to discontinue a practice if safety and soundness or consumer protection concerns warrant doing so. However, we believe that the execution of these actions by FDIC management and staff warrants further review and the OIG is conducting additional work in this area. Further, in light of the concerns described in this report regarding the use of moral suasion with financial institutions, the FDIC should determine whether moral suasion is adequately defined in FDIC policy and guidance in terms of the types and circumstances under which it is used to address supervisory concerns, whether it is subject to sufficient scrutiny and oversight, and whether meaningful remedies exist should moral suasion be misused.

Recommendations and Corporation Comments

The report contains three recommendations addressed to the Directors, RMS and DCP, to (1) review and clarify, as appropriate, existing policy and guidance pertaining to the provision and termination of banking services; (2) assess the effectiveness of the FDIC’s supervisory policy and approach after a reasonable period of time is allowed for implementation; and (3) coordinate with the FDIC’s Legal Division to review and clarify, as appropriate, supervisory policy and guidance to ensure that moral suasion is adequately addressed. The Director, RMS, provided a written response on behalf of the FDIC, dated September 10, 2015, to a draft of the report. In the response, the Director concurred with all three of the report’s recommendations and described planned and completed corrective actions that were responsive. The FDIC expects to complete all actions to address the recommendations by September 30, 2016.

As noted above, the FDIC has taken and planned corrective actions that are responsive to our recommendations. However, in reiterating our findings and providing perspective surrounding them, management did not discuss the potential impact that statements and actions by FDIC executives can have on those responsible for carrying out the FDIC’s supervisory policies and approach. As described in our report, our interviews and review of documents showed that perceptions regarding the views of senior FDIC executives about institutions involved in payday lending and RALs influenced the supervisory approach to handling risks at those institutions. In several instances, the approach was not consistent with written FDIC policy and guidance. Consequently, as it has committed to do, we believe it is prudent for FDIC senior leadership to reiterate its revised policies on a sustained basis to ensure they become engrained in the organization’s supervisory culture. Given the significance of these issues, we will, at an appropriate time, follow up on the FDIC’s actions to ensure they address the underlying concerns that support our recommendations.

[End of Executive Summary]

Table of Contents

Background
- Congressional Concerns Pertaining to Operation Choke Point
- The FDIC’s Supervisory Authorities
- TPPPs and Merchants Associated with High-Risk Activities
- Payday Lending

Audit Results
- The FDIC’s Role in Operation Choke Point
- The FDIC’s Supervisory Approach to Institutions that Conducted Business with Merchants on the High-Risk List
- Role of Certain Former and Current FDIC Officials
- The FDIC’s Actions to Address Concerns Regarding Its Supervisory Approach
- Banker Perspectives
- Observation: Refund Anticipation Loans

Recommendations

Corporation Comments and OIG Evaluation

Appendices
1. Objectives, Scope, and Methodology
2. Glossary of Terms
3. Acronyms and Abbreviations
4. Corporation Comments
5. Summary of the Corporation’s Corrective Actions

Table: Merchants Associated with High-Risk Activities

Figure: What are Payday Loans?

[End of Table of Contents]

[FDIC Letterhead, Federal Deposit Insurance Corporation, Office of Inspector General, Office of Audits and Evaluations, 3501 Fairfax Drive, Arlington, VA 22226]

DATE: September 16, 2015

MEMORANDUM TO:
Doreen R. Eberley, Director, Division of Risk Management Supervision
Mark E. Pearce, Director, Division of Depositor and Consumer Protection
Charles Yi, General Counsel

FROM: Mark F. Mulholland /Signed/, Assistant Inspector General for Audits

SUBJECT: The FDIC’s Role in Operation Choke Point and Supervisory Approach to Institutions that Conducted Business with Merchants Associated with High-Risk Activities (Report No. AUD-15-008)

This report presents the results of our audit of the FDIC’s role in the United States Department of Justice (DOJ or Department) initiative known as Operation Choke Point and the FDIC’s supervisory approach to institutions that conducted business with merchants associated with high-risk activities. [Footnote 1] DOJ has described Operation Choke Point as an effort intended to protect consumers from fraud perpetrated by fraudulent merchants, financial institutions, and financial intermediaries known as third-party payment processors (TPPP). [Footnote 2] Some Members of Congress, however, have asserted that Operation Choke Point targets certain types of businesses, many of which are licensed and legally-operating, and forces them out of the financial services space and, therefore, out of business.

Footnote 1: The FDIC has defined higher-risk activities as those that have been understood by industry and financial regulators as being subject to complex or varying legal and regulatory environments (such as activities that may be legal only in certain states); being prohibited for certain consumers (such as minors); being subject to varying state and federal licensing and reporting regimes; or tending to display a higher incidence of consumer complaints, returns, or chargebacks. In the context of this audit, merchants associated with high-risk or higher-risk activities include (among others) payday lenders, pawnbrokers, firearms and ammunition manufacturers and retailers, and tobacco retailers. A more detailed discussion of such merchants appears later in this report.

Footnote 2: Certain terms that are underlined when first used in this report are defined in Appendix 2, Glossary of Terms.

In a letter dated October 23, 2014, thirty-five Members of Congress (referred to hereinafter as Members) requested that we investigate the involvement of the FDIC and its staff in the creation and/or execution of Operation Choke Point. In the letter, Members expressed concern that the FDIC was working with DOJ in connection with Operation Choke Point to pressure financial institutions to decline banking services to certain categories of lawfully operating merchants that had been associated with high-risk activities. The letter also suggested that a senior FDIC official had provided false testimony regarding this concern during a July 2014 Congressional hearing. Further, the letter indicated that it was the Members’ belief that FDIC officials had abused their authority by advancing a political or moral agenda to force certain lawful businesses out of the financial services space.

Consistent with our established protocols for working within the Congressional committee structure, we sent letters, dated November 7, 2014, to the Chairmen of the Committee on Financial Services and the Committee on Oversight and Government Reform of the United States House of Representatives, stating that we would perform work responsive to the Members’ concerns. The letters stated that we would conduct our work in two parts. First, we would investigate the serious allegation that a senior FDIC official had provided false testimony to the Congress. At the close of our audit, the Office of Inspector General’s (OIG) Office of Investigations had completed work on a separate inquiry on this matter. Secondly, we would review the FDIC’s supervisory activities related to Operation Choke Point and determine if the actions and policies of the FDIC were consistent with applicable law, regulations, and policy, and within the mission of the FDIC.

On December 17, 2014, the FDIC Chairman requested that as part of our planned and ongoing work in this area, we conduct a fact-finding review of the actions of one former and four current senior FDIC officials. The Chairman’s request was prompted by concerns raised by a Congressman in a letter dated December 10, 2014 stating the five individuals had allowed their personal and political views to interfere with the important work of the FDIC and that the individuals had misled the American people through their emails and in meetings with, and testimony before, the Congress. The Congressman’s concerns were based on information contained in a December 8, 2014 staff report of the House Oversight and Government Reform Committee, entitled Federal Deposit Insurance Corporation’s Involvement in “Operation Choke Point.” On January 20, 2015, we notified the FDIC Chairman that we would address the concerns raised in the Congressman’s letter as part of this audit.

The objectives of the audit were to (1) describe the FDIC’s role in the DOJ initiative known as Operation Choke Point and (2) assess the FDIC’s supervisory approach to financial institutions that conducted business with merchants associated with high-risk activities for consistency with relevant statutes and regulations. To address the objectives, we:

- determined the extent to which the FDIC participated in developing and implementing Operation Choke Point;

- evaluated the FDIC’s rationale for identifying certain types of merchants as being associated with high-risk activities;

- analyzed relevant statutes, regulations, policies, procedures, guidance, and training;

- reviewed a non-statistical sample [Footnote 3] of 23 FDIC-supervised financial institutions to assess the FDIC’s supervisory approach for addressing identified concerns; and

- conducted interviews of 106 current and former FDIC staff, executives at 19 FDIC-supervised financial institutions, officials in DOJ’s Consumer Protection Branch, and officials with selected state banking agencies.

Footnote 3: A non-statistical sample is judgmental and cannot be projected to the population. See Appendix 1 for details regarding our sampling methodology.

With respect to the five individuals, we determined the extent to which they were involved with Operation Choke Point and whether their actions involving the institutions we reviewed were based on personal, political, or moral agendas aimed at forcing lawful businesses associated with high-risk activities out of the banking sector.

We conducted this performance audit in accordance with generally accepted government auditing standards. Appendix 1 of this report includes additional details on our objectives, scope, and methodology; Appendix 2 contains a glossary of key terms; Appendix 3 contains a list of acronyms and abbreviations; Appendix 4 contains the Corporation’s comments on this report; and Appendix 5 contains a summary of the Corporation’s corrective actions.

Background

In November 2012, attorneys within the Consumer Protection Branch of DOJ’s Civil Division proposed an internal initiative to investigate financial institutions and TPPPs that were suspected of processing payment transactions on behalf of merchants that engaged in fraudulent activities. At that time, DOJ had reason to believe that some TPPPs were processing payment transactions for their client merchants knowing that the merchants were engaged in fraudulent activities. In addition, DOJ believed that some financial institutions involved with those transactions were either aware of the fraud they were facilitating or ignored warning signs of the fraud. This initiative, which DOJ named Operation Choke Point, focused on the relationship between TPPPs and financial institutions because these relationships were the means by which fraudulent merchants were able to access the banking system to commit consumer fraud.

Using various public and nonpublic sources, DOJ compiled evidence of suspected fraudulent activity involving certain merchants, TPPPs, and financial institutions. Based on this information, DOJ issued 60 administrative subpoenas from February 2013 through August 2013 to entities for which the Department determined it had evidence of potential consumer fraud. According to DOJ employees that we spoke with during the audit, 20 of the subpoenas were issued to FDIC-supervised financial institutions.

According to the results of an inquiry performed by DOJ’s Office of Professional Responsibility (OPR), DOJ had filed civil actions against three financial institutions in connection with Operation Choke Point as of July 7, 2015. [Footnote 4] The OPR inquiry also found that DOJ had notified the majority of the institutions that received subpoenas that the Department’s reviews of their matters had been concluded. However, at the conclusion of OPR’s inquiry, some civil and criminal investigations were still viable and open based on information received in response to some of the subpoenas. Further, some United States Attorneys’ Offices had open investigations based, at least in part, on evidence obtained from the subpoenas. OPR’s inquiry found that although DOJ was focused on completing its investigations, the Department would open and pursue new investigations if it obtained information that institutions, TPPPs, and fraudulent merchants might be continuing to break the law.

Footnote 4: On July 7, 2015, OPR issued the results of an inquiry into whether DOJ’s Civil Division, acting in concert with federal banking regulators under Operation Choke Point, had abused its authority to conduct civil investigations under the Financial Institutions Reform, Recovery, and Enforcement Act of 1989. The inquiry was conducted in response to a request, dated October 16, 2014, from 32 Members of Congress.

In carrying out its work in connection with Operation Choke Point, DOJ employees communicated with regulatory agencies, including the FDIC, the Board of Governors of the Federal Reserve System (FRB), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). According to DOJ, such communications were intended to ensure that DOJ understood the industry at issue; that DOJ’s investigative activities would not unnecessarily or improperly frustrate regulatory efforts; and that DOJ had all relevant information needed to evaluate its available enforcement options to address violations that the Department’s investigations might uncover.

Congressional Concerns Pertaining to Operation Choke Point

Congressional review of any role that the FDIC may have played in Operation Choke Point began in August 2013. After an article was published in The Wall Street Journal on this subject,5 31 Members sent a letter, dated August 22, 2013, to the FDIC Chairman and the United States Attorney General expressing concern that the FDIC and DOJ were pressuring financial institutions and TPPPs to terminate business relationships with lawful lenders that provided short-term credit options to underserved consumers. Since that time, Members have also expressed concern that financial institutions were declining basic banking services, such as deposit accounts and loans, to entire categories of merchants as a result of regulatory pressure stemming from Operation Choke Point. Such merchants included (among others) payday lenders, firearms manufacturers and retailers, pawnbrokers, coin dealers, and tobacco retailers. Further, Members have expressed concern that certain senior FDIC staff had allowed their personal views of these merchants to influence their supervisory decision-making.

Footnote 5: August 8, 2013 article, entitled Probe Turns Up Heat on Banks---Prosecutors Target Firms That Process Payments for Online Payday Lenders, Others.

The concerns described above were based on the results of investigative efforts by the Committee on Financial Services and the Committee on Oversight and Government Reform of the United States House of Representatives. As part of these efforts, Members have made numerous requests for information to the FDIC and other agencies; exchanged letters and met with agency officials; and held several hearings. In addition, the Committee on Oversight and Government Reform has issued two written reports.6 At the close of our audit fieldwork, various Members were continuing to investigate Operation Choke Point.

Footnote 6: Reports entitled, The Department of Justice’s “Operation Choke Point”: Illegally Choking Off Legitimate Businesses?, dated May 29, 2014, and Federal Deposit Insurance Corporation’s Involvement in “Operation Choke Point,” dated December 8, 2014.

The FDIC’s Supervisory Authorities

The FDIC has broad statutory and regulatory authority to supervise the activities of state-chartered financial institutions that are not members of the Federal Reserve System.7 Specifically, Sections 9 and 10(b) of the Federal Deposit Insurance Act (FDI Act), as amended, authorize the FDIC to examine the financial institutions it supervises. The FDIC conducts examinations pertaining to safety and soundness, consumer compliance, Community Reinvestment Act (CRA), and specialty areas to assess each institution’s operating condition, management practices and policies, and compliance with applicable laws and regulations.8 Section 8 of the FDI Act authorizes the FDIC to bring enforcement proceedings against any FDIC-supervised institution that, in the opinion of the FDIC, has engaged, is engaging, or is about to engage in an unsafe or unsound practice or has violated, is violating, or is about to violate, a law, rule, or regulation, including consumer protection laws. The FDIC Chairman, in coordination with the Corporation’s Board of Directors (Board), is responsible for setting agency priorities and strategies aimed at addressing risks and concerns at FDIC-supervised financial institutions.

Footnote 7: As of December 31, 2014, the FDIC was the primary federal regulator for 4,138 financial institutions. The majority of these institutions were small community banks with assets totaling $1 billion or less.

Footnote 8: Such laws and regulations include the Fair Debt Collection Practices Act (FDCPA) and its implementing Regulation F, the Equal Credit Opportunity Act (ECOA) and its implementing Regulation B, the Truth in Lending Act (TILA) and its implementing Regulation Z, and the Federal Trade Commission Act (FTC Act). The FDIC coordinates with other regulatory agencies, such as the CFPB, on relevant consumer protection matters.

Within the FDIC, the Division of Risk Management Supervision (RMS) has primary responsibility for promoting safe and sound banking practices at FDIC-supervised institutions. In fulfilling its responsibilities, RMS plans and conducts regular onsite risk management (i.e., safety and soundness) examinations of financial institutions; issues policy and guidance; communicates with industry officials; reviews applications submitted by financial institutions to expand their activities or locations; and monitors institutions to identify emerging safety-and-soundness issues. RMS also conducts specialty examinations that cover such areas as trust department operations, information technology (IT) controls, and compliance with the Currency and Foreign Transactions Reporting Act—commonly referred to as the Bank Secrecy Act (BSA).

The FDIC’s Division of Depositor and Consumer Protection (DCP) has primary responsibility for promoting compliance by FDIC-supervised financial institutions with consumer protection, fair lending, and community reinvestment laws. DCP fulfills its responsibilities through a variety of activities, including regular onsite compliance and CRA examinations of financial institutions; communications with industry officials; dissemination of information to consumers about their rights and required disclosures; and investigations and resolution of consumer complaints regarding FDIC-supervised institutions.

The FDIC’s Legal Division is responsible for (among other things) providing legal counsel to RMS and DCP on the full range of laws and regulations governing bank supervision and consumer protection. This includes reviewing the legal sufficiency of proposed enforcement proceedings, such as Cease and Desist Orders, Consent Orders, and Civil Money Penalties (CMP), against institutions or responsible individuals, when appropriate.

The FDIC coordinates its supervisory activities with other federal and state banking agencies that have supervisory responsibility for the institutions within their jurisdictions. In addition, the FDIC coordinates with other federal and state organizations, such as the Federal Financial Institutions Examination Council (FFIEC) and Conference of State Bank Supervisors, when developing supervisory policy and guidance to promote a consistent approach to bank supervision.

Supervisory Corrective Actions

The FDIC’s Risk Management Manual of Examination Policies, Compliance Examination Manual, and Formal and Informal Actions Procedures Manual describe the FDIC’s approach for determining an appropriate supervisory corrective action to address an identified safety and soundness or consumer protection concern. In general, these manuals outline a risk-based, graduated approach for addressing concerns identified through the supervisory process. According to two of the manuals, it is sufficient in many cases for examiners to use moral suasion or make written recommendations in reports of examination to address identified problems or concerns.9 The FDIC does not have a formal definition of moral suasion in its policies. However, examiners commonly use moral suasion in an attempt to influence risk management practices at financial institutions before perceived problems rise to a level that necessitates informal or formal action. If moral suasion or recommendations would not be sufficient, or if serious concerns exist, stronger actions may be taken in the form of informal or formal corrective actions against an institution or responsible individuals.

Footnote 9: Moral suasion is not discussed in the Compliance Examination Manual.

The FDIC generally initiates an informal or formal corrective action when an institution has a safety and soundness or compliance rating of “3,” “4,” or “5,” unless specific circumstances warrant otherwise. Informal actions typically involve the FDIC either recommending that the institution’s Board of Directors (Board) adopt a Bank Board Resolution or entering into a Memorandum of Understanding (MOU) with the institution’s Board to address specific concerns. Formal actions may involve, for example, a Cease-and-Desist Order or Consent Order; removal, prohibition, or suspension action; or CMP.

TPPPs and Merchants Associated with High-Risk Activities

In the summer of 2011, prior to DOJ’s initiation of Operation Choke Point, the FDIC published an informational article entitled, Managing Risks in Third Party Payment Processor Relationships, in its Supervisory Insights Journal. The Journal, which is intended to promote sound principles and practices in bank supervision, does not represent supervisory policy or official guidance. According to its terms, the views expressed in the Journal are those of its authors and do not necessarily reflect official positions of the FDIC.

The article discussed the role of TPPPs and the risks presented to financial institutions that have deposit account relationships with TPPPs. According to the article, deposit relationships with payment processors can expose financial institutions to risks not present in typical commercial customer relationships, including greater strategic, credit, compliance, transaction, legal, and reputation risk. The article also discussed the warning signs that may indicate heightened risk in a TPPP banking relationship, the mitigation controls that institutions should have in place when providing deposit account services to TPPPs, and the supervisory actions that may be taken when risks are not adequately managed.

The article explained that although many TPPPs process legitimate payment transactions for a variety of reputable merchants, an increasing number of TPPPs were initiating payments for abusive telemarketers, deceptive on-line merchants, and organizations engaged in high-risk or illegal activities. Without adequate monitoring systems and controls, a financial institution in a TPPP relationship could facilitate unauthorized transactions or unfair or deceptive practices, resulting in financial harm to consumers. The article identified 30 types of TPPP client merchants that were associated with high-risk activities. The Table below identifies these merchants. We sometimes refer to these merchants collectively as the “high-risk list.”

Table: Merchants Associated with High-Risk Activities

Merchant Category

Ammunition Sales
Cable Box De-scramblers
Coin Dealers
Credit Card Schemes
Credit Repair Services
Dating Services
Debt Consolidation Scams
Drug Paraphernalia
Escort Services
Firearms Sales
Fireworks Sales
Get Rich Products
Government Grants
Home-Based Charities
Life-Time Guarantees
Life-Time Memberships
Lottery Sales
Mailing Lists/Personal Information
Money Transfer Networks
On-line Gambling
PayDay Loans
Pharmaceutical Sales
Ponzi Schemes
Pornography
Pyramid-Type Sales
Racist Materials
Surveillance Equipment
Telemarketing
Tobacco Sales
Travel Clubs

Source: The FDIC’s Supervisory Insights Journal, Summer 2011 [original] publication.

[End of table]

Financial institutions that process transactions through a TPPP can be exposed to risks not present in other commercial customer relationships because the institutions typically do not have a direct relationship with the TPPP’s client merchants. Section 326 of the USA PATRIOT Act, which amended the BSA, requires financial institutions to establish and maintain a Customer Identification Program that enables the institution to form a reasonable belief that it knows the true identity of its customers. Knowing one’s customer serves to protect institutions from the potential liability and risk of providing financial services to a customer engaged in fraudulent and unlawful activity. In addition, the FFIEC’s Bank Secrecy Act Anti-Money Laundering Examination Manual states that financial institutions should have a Customer Due Diligence (CDD) program that enables the institution to predict with relative certainty the types of transactions in which a customer is likely to engage. The CDD program assists the institution in determining when transactions are potentially suspicious so that the institution may meet its statutory obligations of filing Suspicious Activity Reports (SARs), when appropriate.

Proper monitoring of transactions processed through TPPP bank accounts can be particularly challenging because TPPPs can have hundreds or even thousands of client merchants. In addition, TPPPs are generally not subject to BSA or anti-money laundering (AML) requirements. As a result, some TPPPs may be vulnerable to money laundering, identity theft, fraud schemes, and other illegal transactions.

TPPP Guidance

The FDIC’s supervisory approach and expectations for financial institutions that establish relationships with TPPPs are defined in various FDIC and interagency guidance.10 In general, this guidance states that institutions should establish risk management controls that are appropriate for the risks posed by TPPPs and their client merchants. Such controls include careful due diligence for TPPPs and their client merchants and monitoring of account transactions for indications of suspicious activity, such as elevated levels of unauthorized returns, chargebacks, and/or consumer complaints. These risk management controls are intended to mitigate the increased operational, strategic, credit, compliance, transaction, and other risks associated with TPPP relationships.

Footnote 10: Appendix 1 contains a summary of FDIC and interagency TPPP guidance.

According to the guidance, when an institution identifies potentially fraudulent or improper activities involving a TPPP or its client merchants, the institution should take prompt action to minimize possible consumer harm. Such action may include filing a SAR, requiring the payment processor to cease processing for a specific merchant, and/or terminating the institution’s relationship with the TPPP. Institutions are also expected to develop processor approval programs that include a background check of payment processors and their merchant clients.

When assessing TPPP-related risks, FDIC examiners focus on whether the institution is adequately overseeing the activities and transactions it is processing and appropriately managing and mitigating the associated risks. According to the FDIC’s TPPP guidance, institutions that fail to adequately manage TPPP relationships may be viewed as facilitating the processor’s or its client merchant’s fraudulent or unlawful activity and, thus, may be liable for such acts or practices. In such cases, financial institutions and responsible individuals have been subject to enforcement, supervisory, and other actions.

Direct Banking Relationships

While the high-risk list was introduced in the context of a financial institution having a deposit account relationship with a TPPP, institutions may also provide banking services directly to a merchant on the high-risk list. Such services include, for example, checking accounts, loans, and the processing of Automated Clearing House (ACH) payment transactions. The FDIC’s supervisory approach for assessing banking services offered directly to these (and any other) merchants is reflected in the Risk Management Manual of Examination Policies, Compliance Examination Manual, Formal and Informal Actions Procedures Manual, and Retail Payment Systems IT Examination Handbook. In addition, the FDIC has issued specific guidance to institutions that offer payday loans—either to their customers using the institution’s own employees or through third-party arrangements with a payday lender. A description of the FDIC’s payday lending guidance follows.

Payday Lending

The FDIC initially issued supervisory guidance to address safety and soundness and consumer protection concerns associated with payday lending by FDIC-supervised financial institutions in July 2003.11 The guidance applied to institutions that were making payday loans both directly to their customers and through third-party payday lenders.12

Footnote 11: PR-70-2003: FDIC Issues Examination Guidance for Payday Lending, dated July 2, 2003. This guidance supplemented previously issued FDIC and interagency guidance on subprime lending.

Footnote 12: The guidance did not apply to financial institutions that (1) made loans to payday lenders; (2) made occasional low-denomination, short-term loans to customers; (3) entered into relationships with TPPPs that processed ACH transactions for payday lenders; or (4) processed ACH transactions directly for payday lenders that had deposit accounts with the institution.

Figure: What Are Payday Loans?

Payday loans are small-dollar, short-term, unsecured loans that borrowers promise to repay out of their next paycheck or regular income payment (such as a social security check).

Payday loans are usually priced at a fixed-dollar fee, which represents the finance charge to the borrower. Because the loans have short terms to maturity, the cost of borrowing, expressed as an annual percentage rate, can be very high relative to traditional loans.

[End of figure]

When the guidance was issued, a number of institutions had entered into arrangements whereby third-party payday lenders were making loans on behalf of the institutions. The institutions funded the loans and, therefore, remained responsible for ensuring that the loans were made in a safe and sound manner and in compliance with applicable laws. A key benefit to the payday lenders in these arrangements was that they were permitted to export favorable interest rates in the state where the institution was chartered to borrowers in other states that had more restrictive usury laws. This in effect allowed the payday lenders to avoid state usury laws, prompting many consumer groups, federal and state regulators (including bank regulatory agencies), and Members, to criticize these arrangements as “rent-a-charters” (implying that the institutions were essentially renting their bank charters out to payday lenders).

The July 2003 guidance stated that payday loans are a high-risk, specialized type of subprime lending not typically found in state nonmember institutions. According to the guidance, such loans are most frequently originated by specialized nonbank firms subject to state regulation. The guidance stated that payday loans have well-defined weaknesses that jeopardize the liquidation of the debt, such as limited or no analysis of borrower repayment capacity, the unsecured nature of the credit, and a marked proportion of obligors whose repayment capacity is questionable. Payday lending also raises many consumer protection issues and attracts a great deal of attention from consumer advocates and other regulatory organizations, increasing the potential for litigation.

The July 2003 guidance stated that when institutions facilitate payday lending through third parties, the transaction, legal, and reputation risks to the institutions increase significantly if the third parties are not properly managed. Based on these risks, the FDIC’s payday lending guidance imposed significant expectations on institutions engaged in that type of lending. For example, the guidance stated that institutions should hold greater levels of capital against payday loans than for non-subprime assets of a similar nature. In addition, the guidance stated that an institution’s CRA rating could be adversely affected if an institution engaged in illegal credit practices.

Due to the heightened safety and soundness and consumer compliance risks posed by payday lending by institutions, the guidance stated that the FDIC would generally perform concurrent risk management and compliance examinations of institutions that engage in payday lending to verify and monitor the institutions’ performance relative to the guidance. The guidance also stated that examiners could conduct targeted examinations of the third parties that originated payday loans on behalf of financial institutions under certain circumstances.13 Further, supervisory corrective actions, including enforcement actions and requirements for institutions to discontinue payday lending, may be pursued when institutions fail to comply with the guidance.

Footnote 13: Authority to conduct examinations of third parties may be established under several circumstances, including through a bank’s written agreement with a third party, section 7 of the Bank Service Company Act, or through powers granted under section 10 of the FDI Act.

In March 2005, the FDIC revised its July 2003 payday lending guidance due to concerns that FDIC-supervised institutions were offering payday loans in a manner that was inconsistent with the prior guidance, the payday lenders’ marketing materials, and industry best practices.14 The revised guidance reiterated many of the same standards that were contained in the 2003 guidance, but established a new expectation for institutions to ensure that payday loans are not provided to customers who have had such loans outstanding from any lender for a total of 3 months in the previous 12-month period. Additionally, the March 2005 guidance states that providing high-cost, short-term credit on a recurring basis to consumers with long-term credit needs is not responsible lending; increases institutions’ credit, legal, reputation, and compliance risks; and can create a serious financial hardship for customers.

Footnote 14: Financial Institution Letter (FIL)—FIL-14-2005, Payday Lending Programs, Revised Examination Guidance, dated March 1, 2005.

Concerns Regarding Payday Lending

As described below, the FDIC, OCC, Congress, and CFPB have raised concerns regarding the risks associated with payday lending by financial institutions. In June 2000, a former FDIC Chairman expressed concern in public remarks that institutions were partnering with payday lenders through so-called rent-a-charter arrangements.15 Subsequent FDIC Chairmen and certain FDIC Board members also raised concerns about payday lending by FDIC-supervised financial institutions. In addition, on November 27, 2000, the OCC issued Advisory Letter on Payday Lending (AL 2000-10), which applies to national banks and federal savings associations the agency regulates. The guidance states that the OCC will closely review the activities of banks engaged or proposing to engage in payday lending by examining the banks and any relevant third parties. According to the guidance, examinations will focus on safety and soundness risks and compliance with consumer protection and fair lending laws.

Footnote 15: Remarks made by the former FDIC Chairman at the Seventh Annual Greenlining Economic Development Summit, June 13, 2000.

In 2007, the Congress enacted legislation aimed at curbing predatory lending practices. Specifically, the Military Lending Act (MLA)—a component of the 2007 National Defense Authorization Act—placed restrictions on credit products offered to active-duty service members and their families by limiting the annual interest rate on such products to 36 percent, including all fees, charges, and premiums. The associated regulations issued by the Department of Defense that became effective for loans written on or after October 1, 2007, state that payday loans, refund anticipation loans (RAL), and vehicle title loans are subject to the protections of the MLA. Further, in March 2015, the CFPB announced that it was considering proposed rules pertaining to payday lending. Such rules would apply to all insured depository institutions and non-depository entities involved in payday lending. The CFPB raised concerns about practices associated with payday lending and similar products, which can trap consumers in debt and force them to choose between re-borrowing, defaulting, or falling behind on other obligations. At the time of our audit, the CFPB was contemplating requirements on lenders aimed at ensuring borrowers are not trapped in cycles of debt.

[End of Background]

Audit Results

The FDIC’s involvement in Operation Choke Point has been limited to a few FDIC staff communicating with DOJ employees regarding aspects of the initiative’s implementation. These communications with DOJ generally related to the Corporation’s responsibility to understand and consider the implications of potential illegal activity involving FDIC-supervised financial institutions. Overall, we consider the FDIC’s involvement in Operation Choke Point to have been inconsequential to the overall direction and outcome of the initiative.

We determined that the FDIC’s supervisory approach to financial institutions that conducted business with merchants on the high-risk list was within the Corporation’s broad authorities granted under the FDI Act and other relevant statutes and regulations. However, the manner in which the supervisory approach was carried out was not always consistent with the FDIC’s written policy and guidance.

We found no evidence that the FDIC used the high-risk list to target financial institutions. However, references to specific merchant types in the summer 2011 Supervisory Insights Journal article and in supervisory guidance created a perception among some bank executives that we spoke with that the FDIC discouraged institutions from conducting business with those merchants. This perception was most prevalent with respect to payday lenders.

The FDIC’s payday lending guidance, which was established in 2003 and updated in 2005, increased expectations and placed heightened scrutiny on institutions that were engaged in payday lending. As a result of the guidance and related supervisory actions, the relatively few FDIC-supervised institutions that were making payday loans stopped doing so in 2006. In the years that followed, the FDIC took steps to encourage institutions to offer affordable, small-dollar loans and researched and communicated concerns about emerging credit products that can have characteristics similar to payday loans, such as deposit advance products.

We found that a number of FDIC officials also had concerns about ACH payment processing for payday lenders. These concerns were based on the premise that such services facilitate payday lending. A heightened level of concern for payday lending by financial institutions and related ACH processing was reflected in the negative tenor of internal email communications among senior FDIC staff and others that we reviewed. In some cases, these communications involved instances in which FDIC personnel contacted institutions and used moral suasion to discourage them from adopting payday lending products or providing ACH processing for payday lenders. The FDIC does not have a formal definition of moral suasion in its policies. However, examiners commonly use moral suasion in an attempt to influence risk management practices at financial institutions before perceived problems rise to a level that necessitates an informal or formal enforcement action.

We noted two instances in which the FDIC discouraged institutions from providing ACH processing to payday lenders in written communications to the institutions. In both instances, the FDIC’s principal stated concern was the reputation risk to the institutions due to their potential or existing relationship with a payday lender. The FDIC does not centrally track its written communications to financial institutions that involve ACH processing concerns. Accordingly, we were unable to determine how often such communications occur. However, our discussions with FDIC executives and review of regional office status reports identified only three institutions where FDIC officials raised concerns regarding ACH processing practices for payday lenders.

FDIC officials determined that there were misperceptions regarding the Corporation’s supervisory approach to institutions that conduct business with merchants on the high-risk list and, therefore, the FDIC took several actions beginning in September 2013. Specifically, the FDIC withdrew references to high-risk merchants from the Supervisory Insights article and its guidance, clarified its supervisory policy and guidance, and established an internal policy for documenting and reporting instances in which staff recommend or require institutions to terminate deposit account relationships. Among other things, the internal policy does not allow for the termination of deposit account relationships based solely on reputation risk to an institution. These actions were intended to make clear the FDIC’s policy that financial institutions that properly manage customer relationships and effectively mitigate risks are neither prohibited nor discouraged from providing financial services to customers, regardless of the customers’ business category, provided that the institutions operate in compliance with applicable laws. However, the policy and guidance focus on deposit accounts and may warrant clarification to address other types of banking products, such as credit products.

With respect to our review of the actions of the five FDIC officials, we concluded that they did not play a role in the development or implementation of Operation Choke Point. We also concluded that the individuals did not pursue their own personal, political, or moral agendas aimed at forcing lawfully operating businesses on the high-risk list out of the banking sector. As it pertains to payday lending and related activities, we concluded that the officials acted consistently with a widely-held understanding that the highest levels of the FDIC disfavored these types of banking services. We did, however, identify certain internal email communications and one written communication to an institution involving three of the five individuals that were not consistent with the FDIC’s written guidance pertaining to payday lending and related activities.

Finally, our report includes an observation on the FDIC’s supervisory approach to financial institutions that offered a credit product known as a RAL. The FDIC considers RALs to carry a significant degree of risk to financial institutions, including third-party, reputation, compliance, and legal risks. Of particular concern to the FDIC is whether an institution can ensure proper underwriting and compliance with consumer protection requirements, particularly when RALs are brokered by large numbers of third-party tax return preparers (sometimes called electronic refund originators—EROs) in conjunction with the filing of a taxpayer’s income tax return. Although RALs were not on the high-risk list, we observed that the FDIC’s supervisory approach to institutions that offered this type of credit product involved circumstances that were similar to those that prompted the Congressional request to our office.

We identified three FDIC-supervised institutions that offered RALs. These institutions began offering RALs in 1987, 1988, and 2007, respectively. At various times from 2004 through 2009, FDIC examiners criticized the risk management practices pertaining to RALs at two of these institutions during compliance and risk management examinations. In late 2009 and early 2010, the FDIC sent letters to all three institutions expressing concerns about RALs and requesting that the institutions submit plans for discontinuing this type of lending. In early 2011, after efforts to convince these institutions to discontinue offering RALs were unsuccessful and supervisory concerns remained, the tenor of the FDIC’s supervisory approach became aggressive. In one case, the FDIC took the highly unusual step of conducting a simultaneous, unannounced review of 250 EROs in 36 states involving hundreds of FDIC examiners in order to develop the evidence needed to compel the institution to stop offering RALs. In another case, a former FDIC supervisory attorney used a confrontational approach to pressure an institution’s Board to terminate its RAL offerings. By April 2012, all three institutions had stopped offering RALs.

The FDIC drafted a policy statement in 2010 that defined the FDIC’s supervisory concerns and expectations for institutions offering RALs. However, the policy statement was never finalized. In our view, establishing such a policy would have been prudent to ensure institutions understood the risks associated with RALs and to provide transparent supervisory guidance and expectations for institutions already offering (or contemplating offering) RALs.

We concluded that the supervisory actions taken with respect to the three institutions that offered RALs fell within the Corporation’s broad statutory authorities because the Corporation is permitted to require a financial institution to discontinue a practice if safety and soundness or consumer protection concerns warrant doing so. However, we found that the FDIC took an aggressive, and at times, confrontational approach to convince the institutions to discontinue their RAL programs. We believe that the execution of these actions by FDIC management and staff warrants further review, and the OIG is conducting additional work in this area.

The FDIC’s Role in Operation Choke Point

The FDIC did not participate in the development of DOJ’s internal proposal in November 2012 to investigate financial institutions and TPPPs that were suspected of processing payment transactions on behalf of merchants engaged in fraudulent activities. In addition, the FDIC did not coordinate with DOJ in its efforts to assemble evidence of potential fraudulent activity involving these entities or to identify the financial institutions and other entities that subsequently received subpoenas in connection with Operation Choke Point. Further, DOJ did not notify the FDIC of the financial institutions that received subpoenas. DOJ employees informed us that the Department typically does not notify the primary federal bank regulator when a subpoena is issued to an insured institution. Except as discussed below, RMS and DCP officials that we spoke with were not aware of the specific FDIC-supervised institutions that received a DOJ subpoena. These officials indicated that they may learn of a DOJ subpoena if the institution informs the FDIC, or through standard information requests to an institution prior to a compliance examination.16

Footnote 16: Prior to the start of a compliance examination, DCP submits a document request to the institution that, among other things, requests information about any investigations by other federal agencies.

DOJ employees informed us that many of the subpoenas issued pursuant to Operation Choke Point contained copies of publicly available guidance on payment processors that was issued by the FDIC, the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), and the OCC.17 The FDIC guidance contained a footnote listing examples of telemarketing, online businesses, and other merchants that may have a higher incidence of consumer fraud or potentially illegal activities or that may otherwise pose elevated risk.18 Members have raised concern that including the FDIC guidance in the DOJ subpoenas was an attempt by the Corporation and the Department to pressure financial institutions to terminate business relationships with those merchants, regardless of the risks the merchants posed to the institutions.

Footnote 17: The guidance consisted of FDIC FIL 3-2012, Payment Processor Relationships (Revised Guidance), dated January 31, 2012; FinCEN’s Advisory, Risk Associated with Third Party Payment Processors, dated October 22, 2012; and OCC Bulletin 2008-12, Payment Processors, dated April 24, 2008.

Footnote 18: Such entities consisted of credit repair services, debt consolidation and forgiveness programs, on-line gambling-related operations, government grant or will-writing kits, payday or subprime loans, pornography, on-line tobacco or firearms sales, pharmaceutical sales, sweepstakes, and magazine subscriptions. According to the footnote in the guidance, these entities were not all-inclusive.

DOJ employees informed us that the intent of including the regulatory guidance in the subpoenas was to provide the subpoena recipients with information about the risks posed by TPPPs and the responsibilities of financial institutions in managing those risks. Further, DOJ believed that the guidance could help institutions to better identify and provide documents that were responsive to DOJ’s subpoenas. DOJ employees stated that they did not have discussions with anyone at the FDIC about whether to include the guidance in the subpoenas, and FDIC officials informed us that they had no knowledge that the guidance would be included in the subpoenas. Further, OPR’s review of contemporaneous documents and discussions with DOJ attorneys during its inquiry into Operation Choke Point found that DOJ attorneys did not intend to discourage institutions from conducting business with specific categories of lawful merchants when they included the regulatory guidance in the subpoenas.

We identified a limited number of FDIC staff in the Washington, D.C. office who began communicating with DOJ employees in early 2013 regarding the Department’s efforts to investigate certain financial institutions, TPPPs, and merchants. The majority of these communications involved two staff attorneys in the FDIC’s Legal Division.19 In addition, during the period covering March 2013 through April 2015, DOJ formally requested from the FDIC information pertaining to 3 of the 20 FDIC-supervised institutions that DOJ subpoenaed pursuant to Operation Choke Point.20 The information requested by DOJ included such things as reports of examination, correspondence, memoranda, and examiner working papers related to the institutions’ ACH processing activities, remotely-created check businesses, TPPP relationships, and BSA/AML compliance. As of July 15, 2015, the FDIC had provided or was working to provide information responsive to these requests.

Footnote 19: We identified three other FDIC employees who communicated with DOJ employees regarding their investigative activities pertaining to Operation Choke Point. These individuals consisted of (1) a supervisory attorney in the Legal Division who oversaw the activities of the two staff attorneys referenced above; (2) an RMS employee in the Washington, D.C. office who had informal conversations with DOJ staff during inter-agency meetings and training conferences; and (3) an FDIC OIG criminal investigator assigned to investigate activities at one of the FDIC-supervised institutions that received a subpoena from DOJ. The FDIC OIG notified Members about the communications between the OIG investigator and DOJ and provided relevant documentation to the Members in June and July 2014.

Footnote 20: Such requests were processed based on procedures defined in 12 C.F.R. Part 309—Disclosure of Information. On June 30, 2015, we provided FDIC officials with the names of the 20 FDIC-supervised institutions that received DOJ subpoenas so that the officials could determine whether the Corporation had received any formal requests for information from the Department. Prior to our providing this information, FDIC officials were not aware of all of the FDIC-supervised institutions that DOJ had subpoenaed in connection with Operation Choke Point.

FDIC staff informed us that they learned of DOJ’s investigative work involving TPPPs, financial institutions, and merchants through informal discussions with a DOJ employee following an inter-agency training conference held in February 2013. In addition, a DOJ employee discussed aspects of the Department’s work in this area during a meeting of the Interagency Bank Fraud Enforcement Working Group in early 2013.21 At that time, DCP, RMS, and the Legal Division were—separate from DOJ—researching illegal payday lending activity based on concerns raised by a state regulator to the FDIC in December 2012. That research, which was internal to the FDIC, continued through August 2013.

Footnote 21: The working group, which has been in existence for about 30 years, is comprised of individuals from banking, law enforcement, and other federal agencies, including the FDIC.

The FDIC’s communications with DOJ consisted of responding to requests from DOJ employees for information about FDIC-supervised institutions that the Department was investigating; responding to DOJ inquiries about remedies that federal regulators could potentially pursue in the event that illegal payday lending was associated with insured-depository institutions; and reviewing documents obtained by DOJ in the course of its investigative activities. We concluded that the FDIC’s communications with DOJ employees were based on the FDIC’s responsibility to understand and consider potentially illegal activity involving FDIC-supervised institutions, as well as the risks such activities could pose for the institutions.

In April 2013, one of the two FDIC staff attorneys referenced above informed a DOJ employee that both FDIC attorneys were interested in working at the Department on a temporary detail to focus on DOJ’s efforts to investigate TPPPs, financial institutions, and merchants. Although the FDIC attorneys had subsequent discussions about a potential detail with DOJ employees, neither FDIC attorney discussed a detail assignment with their supervisor and the FDIC never detailed any of its employees to DOJ to work on matters related to Operation Choke Point.

In June 2013, a DOJ employee assigned to work on Operation Choke Point provided the two FDIC staff attorneys with a hardcopy listing of 15 institutions that had received subpoenas from the Department and that DOJ believed were supervised by the FDIC.22 At that time, one of the FDIC staff attorneys provided the listing to a DCP employee in the Washington, D.C., office who was working on matters pertaining to fraudulent activities perpetuated by TPPPs. We found no evidence that the listing was provided to RMS or DCP Regional Offices or to field examiners who had direct supervisory responsibility for these institutions.

Footnote 22: Fourteen of the 15 institutions were supervised by the FDIC at the time of our audit.

According to the FDIC’s time and attendance records, the two FDIC staff attorneys charged approximately 50 hours (combined) to matters pertaining to Operation Choke Point from February through August 2013. According to these attorneys, a significant portion of the time charges involved gaining remote access to a DOJ system that contained information obtained from the subpoenas that DOJ had issued to FDIC-supervised institutions. Although the attorneys obtained remote access to the system in late August 2013, they informed us that they did not access the information in the system because they were instructed not to do so by an executive in the Legal Division following public reports alleging that the FDIC was working with DOJ to pressure institutions to decline banking services to certain types of merchants.

Senior FDIC executives, including the Chairman, RMS Director, DCP Director, former Acting General Counsel, and all six Regional Directors, informed us that they had never had any discussions with DOJ regarding Operation Choke Point. These statements were consistent with the results of our interviews of officials in the DOJ’s Consumer Protection Branch, which had responsibility for planning and executing Operation Choke Point.

The FDIC Chairman informed us that he became aware of Operation Choke Point after receiving the August 22, 2013, letter from Members expressing concern that the FDIC and DOJ were pressuring financial institutions and TPPPs to terminate business relationships with lawful lenders. At that time, the FDIC Chairman requested a briefing from his staff on the matter and asked that he be kept fully informed of any communications between the FDIC and DOJ. The Chairman also requested that any communications between FDIC staff and DOJ be limited to official requests for information from the Department.

The FDIC’s Supervisory Approach to Institutions that Conducted Business with Merchants on the High-Risk List

We determined that the FDIC’s supervisory approach to financial institutions that conducted business with merchants on the high-risk list was within the Corporation’s broad authorities granted under the FDI Act and other relevant statutes and regulations. In addition, we found no evidence that the FDIC used the high-risk list to target financial institutions. Further, both the high-risk list and supervisory guidance containing references to specific merchant categories were developed before the inception of Operation Choke Point and were not a driving factor in the initiative’s implementation. However, as described later, references to specific merchant types in the summer 2011 Supervisory Insights Journal article and in supervisory guidance created a perception among some bank executives that we spoke with that the FDIC discouraged institutions from conducting business with those merchants. This perception was most prevalent with respect to payday lenders.

With the exception of payday lenders, we found no instances among the 23 financial institutions we reviewed where the FDIC pressured an institution to decline banking services to a merchant on the high-risk list. In addition, bank executives that we spoke with indicated that, except for payday lenders, they had not experienced regulatory pressure to terminate an existing customer relationship with a merchant on the high-risk list, including a firearms, ammunition, or tobacco retailer. Although pawnbrokers were not on the high-risk list, executives from five institutions informed us that they provided banking services to these merchants and had never experienced regulatory pressure to terminate the business relationships.

The FDIC’s concerns regarding payday lending by financial institutions precede Operation Choke Point by many years. The FDIC’s payday lending guidance, which was established in 2003 and updated in 2005, increased expectations and placed heightened scrutiny on institutions that engage in that type of lending. As a result of this supervisory posture, FDIC-supervised institutions stopped making payday loans in 2006. In the years that followed, the FDIC took steps to encourage financial institutions to offer affordable, small-dollar loans and proactively researched and communicated concerns about emerging credit products that can have characteristics similar to payday loans, such as deposit advance products.

Based on our review of internal FDIC email communications and discussions with FDIC staff, we found that a number of FDIC officials also had concerns regarding financial institutions that provided ACH payment processing for payday lenders. These concerns were based on the premise that the institution was, in effect, facilitating payday lending by processing ACH payments, even though the institution was not engaging in direct payday lending. ACH payment processing activities are covered in the FFIEC’s Bank Secrecy Act Anti-Money Laundering Examination Manual and Retail Payment Systems IT Examination Handbook. We were unable to determine the approximate number of financial institutions that facilitate ACH payment processing activities because that information is not tracked by the FDIC. Based on our review of regional office monthly status reports for the 4-year period ended December 31, 2014, we identified concerns specifically focused on ACH processing for payday lenders at three FDIC-supervised financial institutions.

The heightened level of concern for payday lending by financial institutions and related activities was reflected in the negative tenor of internal email communications among senior FDIC staff and others that we reviewed. We also noted two instances in which the FDIC used moral suasion in its written communications to institutions to discourage them from providing ACH processing to payday lenders. In both instances, the FDIC’s principal stated concerns were based primarily on reputation risk to the institutions due to their potential or existing relationship with a payday lender.

The FDIC has taken a number of actions to address concerns raised by Members that the Corporation was pressuring financial institutions to decline banking services to merchants on the high-risk list. These actions were intended to make clear the FDIC’s policy that financial institutions that properly manage customer relationships and effectively mitigate risks are neither prohibited nor discouraged from providing financial services to customers, regardless of the customers’ business category, provided that the institutions operate in compliance with applicable laws.

The High-Risk List

The FDIC’s summer 2011 Supervisory Insights Journal and original supervisory guidance on financial institution relationships with TPPPs included examples of merchants associated with high-risk activities.23 Both the article and guidance were developed prior to the inception of Operation Choke Point and were not a principal factor in the initiative’s implementation. RMS, DCP, and Legal Division staff informed us that the references to these merchants were not the primary purpose of the article or guidance. Rather, the references were intended to illustrate the types of merchants that the payments industry had identified as being associated with higher levels of fraudulent activity. The focus of the article and guidance, according to these FDIC officials, was to describe the risks associated with financial institution relationships with TPPPs and to provide guidance on appropriate risk management controls and practices for these relationships.

Footnote 23: The supervisory guidance consisted of: FIL-127-2008, Guidance on Payment Processor Relationships; FIL-3-2012: Payment Processor Relationships, Revised Guidance; and FIL-43-2013: FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities.

We reviewed the policies of six non-statistically sampled companies in the payments industry and confirmed that the policies of one or more of those companies (1) categorized all but two of the merchants on the high-risk list as high-risk and/or (2) prohibited the processing of transactions by those merchants.24 We also noted that from June 2005 until November 2014, the FFIEC Bank Secrecy Act Anti-Money Laundering Examination Manual identified the following types of merchants as being associated with high-risk activities in the context of third-party payment transactions: on-line payday lenders, on-line gambling-related operations, offshore companies, mail order and telephone order companies, telemarketing companies, and adult entertainment businesses.25 Several of these merchant categories appear on the high-risk list. In November 2014, the FFIEC updated the Bank Secrecy Act Anti-Money Laundering Examination Manual to (among other things) remove references to specific types of merchants associated with high-risk activities in the context of TPPP transactions.

Footnote 24: The exceptions were government grants and coin dealers. The FDIC included government grants on the high-risk list because the Federal Trade Commission had received complaints in connection with disreputable merchants that sold government grant writing kits with public information that consumers could have readily obtained through the Internet. Coin dealers were included because related transactions can be cash-intensive and pose risks associated with money laundering. The policies we reviewed were issued by the following companies: Visa, Inc.; MasterCard, Inc.; PayPal; Amazon, Inc.; Ebay, Inc.; and Google, Inc.

Footnote 25: The November 2014 version continues to include references to certain types of merchants, such as on-line payment processors, credit repair services, on-line gambling, and adult entertainment, in the context of electronic banking products offered by financial institutions to customers.

We reviewed examiner training materials pertaining to TPPPs that were prepared by the FDIC and FFIEC and found that although the materials included references to specific types of merchants associated with high-risk activities, the focus of the materials was on TPPP risks and how institutions should manage those risks.26 We found no indication in the training materials that examiners were encouraged to pressure financial institutions to decline banking services to merchants based on the category of their business. Nevertheless, references to specific merchants in the Supervisory Insights Journal article and in supervisory guidance, together with a heightened level of scrutiny of TPPPs, led to a perception among executives at some institutions in our sample that providing banking services to merchants on the high-risk list was discouraged by the FDIC.

Footnote 26: We reviewed training materials for the FDIC’s June 21, 2011 Risk Analysis Center presentation, entitled Risks Associated with Third Party Payment Processor Relationships, and the FFIEC’s September 17, 2013 IT Conference presentation, entitled Third Party Payment Processors: Relationships, Guidance, and Case Examples.

To clarify its supervisory approach, the FDIC revised its summer 2011 Supervisory Insights Journal article and supervisory guidance on financial institution relationships with TPPPs by removing the high-risk list and references to specific types of merchants. The FDIC also issued FIL-41-2014, FDIC Clarifying Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors, and revised FIL-43-2013, FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities, in July 2014 to state that financial institutions that properly manage relationships and effectively mitigate risks are neither prohibited nor discouraged from providing payment processing services to customers, regardless of the customers’ business, provided that the customers are operating in compliance with applicable federal and state law.

Payday Lending by Financial Institutions

As discussed in the Background section of the report, FIL-14-2005, Payday Lending Programs, Revised Examination Guidance, dated March 1, 2005, states that providing high-cost, short-term loans on a recurring basis to customers with long-term credit needs is not responsible lending. According to the guidance, such loans present increased credit, legal, reputation, and compliance risk to financial institutions and can create a serious financial hardship for consumers. For these reasons, FIL-14-2005 imposes additional expectations on institutions that engage in payday lending; subjects these institutions to heightened scrutiny; and states that institutions should develop procedures to ensure that payday loans are not provided to customers who had payday loans outstanding from any lender for a total of 3 months during the previous 12 months. Failure to meet the standards in the FIL can result in supervisory enforcement actions, which may include requiring institutions to discontinue payday lending.

Of the more than 5,200 financial institutions that the FDIC was supervising when FIL-14-2005 was issued, only 12 institutions had payday lending programs. At that time, all 12 institutions were instructed to submit plans detailing how the institutions would address the expectation to limit payday loans to customers. In addition, an institution’s payday lending programs were subject to heightened supervision, which included more frequent examination activities and regular contact with the institution’s management. This supervisory strategy was coordinated on a national basis within the FDIC through a payday lending review group, which was led by the former Atlanta Regional Director.

On February 17, 2006, three FDIC Regional Directors sent letters to the Boards of 11 FDIC-supervised institutions that were known to still have payday lending programs at that time. The letters, which were reviewed and sent with the concurrence of the FDIC Chairman and the Legal Division, stated that the FDIC had conducted (or was conducting) onsite examinations or visitations of the institutions and third-party entities and/or had conducted offsite analyses related to the institutions’ payday lending activities. The letters referenced ongoing correspondence and discussions with the institutions regarding their payday lending programs and explained that the focus of the FDIC’s supervisory efforts in this area was on the credit quality of the institutions’ payday lending products, compliance with laws and regulations, and the effectiveness of management and the Board in the oversight of third-party performance.

The letters sent in February 2006 stated that the FDIC had observed a pattern of unsuccessful supervision and management of third-party providers by the institutions and described significant concerns regarding the institutions’ ability to administer their payday lending programs. Ten of the 11 letters noted deficiencies in the institutions’ payday lending programs, such as:27

- not properly managing the performance of third-party payday service providers that facilitate payday lending;

- apparent violations of the Fair and Accurate Credit Transactions Act and Regulation B of the ECOA arising from lending activities pertaining to alternative credit products (ACP) and violations of Regulation Z of the TILA due to inadequate customer disclosures;

- sensitive customer information not being adequately protected; and

- inadequate internal audit procedures pertaining to payday and ACP lending activities.

Footnote 27: One letter did not identify any deficiencies with the subject institution’s payday lending program.

All 11 letters stated that the safety and soundness risks and compliance concerns associated with the institutions’ payday lending activities were unacceptable and that the institutions could not develop the necessary environment to properly administer such a high-risk activity. Eight of the letters stated that the institutions should exit the payday lending business, or notify the FDIC within 15 days of how the institutions expected to correct all identified problems and change their Board and management’s oversight to ensure that there would be no problems or issues going forward. The remaining three letters stated that the institutions should consider terminating their payday lending programs and contact the FDIC to schedule a meeting to discuss the matter further. In addition, two of the 11 letters questioned the suitability of any bank to engage in payday lending, particularly through the Internet or third-party marketers. Such statements were inconsistent with the FDIC’s written payday lending guidance, which allows institutions to engage in payday lending provided that they have adequate controls. By the end of February 2006, 10 of the 11 institutions indicated that they were planning to stop making payday loans. As of August 2006, all 11 institutions had stopped making payday loans.

Concerns regarding the lack of alternatives in the banking sector to non-bank payday loans prompted the FDIC to issue FIL-50-2007, Affordable Small-Dollar Loan Products, Final Guidelines, on June 19, 2007. The FIL encouraged financial institutions to offer and promote affordable, small-dollar credit products to their customers. According to the FIL, these products should have reasonable interest rates with no or low fees and be structured with payments that reduce the principal balance. On the same day the FIL was issued, the FDIC’s Board approved the Affordable and Responsible Consumer Credit initiative—a 2-year pilot to review affordable and responsible small-dollar loan programs in FDIC-supervised institutions. When announcing the institutions that would participate in the pilot on February 5, 2008, a former FDIC Chairman stated: “Our goal is to identify small-dollar loan programs that are profitable for lenders and affordable alternatives to payday loans and other high-cost loans that are harming consumers and communities across America.”

The pilot, which concluded in the fourth quarter of 2009, involved 28 financial institutions with assets ranging from $28 million to nearly $10 billion. The FDIC reported that as a result of the pilot, these institutions made 34,400 small dollar loans totaling approximately $40 million. According to the FDIC, the performance of the loans was in line with the performance of other unsecured consumer credit products and it was determined that it was feasible for institutions to offer such loans in a safe and sound manner. The pilot also resulted in the development of a business template intended for institutions to model safe, affordable, and feasible small-dollar loans.

The FDIC’s concerns regarding payday lending by financial institutions continued in the years that followed. For example, in a letter dated May 29, 2012, to the Executive Director of the Americans for Financial Reform, the FDIC Chairman stated that the Corporation was deeply concerned about continued reports of institutions engaging in payday lending and the expansion of payday lending activities under third-party arrangements. The letter added that the Chairman had asked DCP to make it a priority to investigate reports of institutions engaging in payday lending and recommend further steps by the FDIC. The Chairman’s letter was in response to concerns raised by the Executive Director in a letter, dated February 22, 2012, that institutions were offering a credit product known as a deposit advance that was structured like a payday loan and that a major software system provider was marketing a bank payday software product.

During 2012 and 2013, DCP’s Washington, D.C., office researched deposit advance products, including the product being marketed by the software system provider referenced above. Because the provider serviced a significant number of financial institutions, there was concern that the provider’s product could quickly become widespread. In June 2012, DCP officials in the Washington, D.C., office contacted the Regional Offices to determine if any FDIC-supervised institutions were offering the product. The Regional Offices identified two institutions that were considering the product and discouraged both institutions from offering the product. Both institutions subsequently decided not to offer the product.

Based on the results of its research, DCP identified some deposit advance products and practices with characteristics similar to payday loans that appeared to be concentrated in a limited number of FDIC-supervised financial institutions. DCP determined that the FDIC’s payday lending guidance did not fully address the risks associated with these emerging products and practices and issued guidance, entitled Guidance on Supervisory Concerns and Expectations Regarding Deposit Advance Products, dated November 21, 2013. The OCC issued nearly identical guidance, entitled Guidance on Supervisory Concerns and Expectations Regarding Deposit Advance Products, on November 26, 2013.

Internal FDIC Efforts Related to Payday Lending

In March 2013, the Director, DCP, established an internal FDIC working group comprised of RMS, DCP, and Legal Division staff to research and assess risks associated with TPPPs, particularly those that may be involved in illegal on-line payday lending activities. As part of this effort, the working group contacted other federal agencies, including the FRB, CFPB, and DOJ, to learn about any work those agencies might have ongoing to protect consumers from illegal activities facilitated by TPPPs. DCP and Legal Division officials informed us that these internal efforts ended in August 2013, at which point the FDIC’s focus shifted to addressing concerns raised by Members. Prior to that time, the FDIC had drafted, but not finalized, the following documents:

- Four memoranda and a whitepaper describing (among other things) consumer protection laws pertaining to payday lending and legal remedies available to the FDIC in the event that illegal payday lending was facilitated through FDIC-supervised institutions.

- A FIL intended to raise awareness of the significant risks associated with institutions that processed and received ACH transactions originated by certain higher-risk merchants (including payday lenders) and TPPPs. The guidance discussed the responsibilities of institutions to identify and mitigate such risks. In lieu of finalizing the guidance, the FDIC issued FIL-43-2013, which is described later in the report.

Concerns Regarding Payday Lending and Related Banking Services

As discussed above, the FDIC’s concerns regarding payday lending by financial institutions are longstanding. According to three of the FDIC’s six Regional Directors that we spoke with, these concerns extended to ACH payment processing (either through a TPPP or through a deposit account relationship with a payday lender) because such services effectively facilitate payday lending. The heightened level of concern for payday lending by financial institutions and ACH processing for payday lenders was reflected in the negative tenor of certain internal email communications among senior FDIC staff and others that we reviewed.28 Some of these communications also reflected instances in which moral suasion was used to discourage institutions from providing these types of banking services to, or on behalf of, payday lenders. Examples of such communications follow.

Footnote 28: See Appendix 1 for a description of our methodology for selecting email communications for review.

- Apparently, because of legal considerations, the FDIC has never expressly stated publicly that our supervised institutions are not permitted to do business with payday lenders but the payday lending guidance and our public posture makes clear that we view payday loans as extremely risky. (Associate Director, DCP, to the Director, DCP, and other Senior DCP Staff, June 10, 2011).29

- Our [Field Office Supervisors—FOS] canvassed their examination staff and none reported any financial institutions offering “deposit advance products.” However, there is one financial institution in [location redacted] that is contemplating offering such a product. The name of that bank is [name redacted]. Of course, we are strongly encouraging them to reconsider the decision. (Current Atlanta Regional Director to DCP executives and staff in Atlanta and Washington, D.C., February 29, 2012).

- By the way…I think you will be pleased….bank with ach is getting out of payday ach and all ach activities…now that is something to celebrate on Thanksgiving! (Former Atlanta Regional Director to the Director, DCP, November 21, 2012).

- I have never said this to you (but I am sincerely passionate about this)…but I literally cannot stand pay day lending. They are abusive, fundamentally wrong, hurt people, and do not deserve to be in any way associated with banking. (Former Atlanta Regional Director to the Director, DCP, November 26, 2012).

- Any banks even remotely involved in payday [sic] should be promptly brought to my attention. (Former Atlanta Regional Director to members of his staff, December 5, 2012).

- Pay day lenders bring reputational risk, compliance risks, legal risk, and risk management concerns…..nothing good for our banks. (Former Atlanta Regional Director to his staff, March 22, 2013).

Footnote 29: This email communication was sent in response to an inquiry by an FDIC executive regarding whether the FDIC had a policy in place that prohibited financial institutions from allowing payday lenders to hold deposit accounts with financial institutions. In addition, we confirmed that the author of the email did not consult with an attorney in forming the opinion expressed in the email.

We also noted two instances in which the FDIC used moral suasion in written communications to institutions to discourage them from providing ACH processing services for payday lenders. In one instance, a FOS in the Atlanta Region sent an email to a bank executive on March 6, 2014, in response to a question about payday lending raised by the bank executive. The email discussed supervisory guidance and expectations pertaining to a prospective relationship with a payday lender that the institution was considering. The relationship involved providing ACH processing services for a Native-American group that was proposing to offer payday loan products on-line. The entire text of the email from the FOS read as follows:

To follow-up on our phone call conversation, the following Financial Institution Letters (FILs) should be considered:

- FIL-14-2005: Guidelines for Payday Lending

- FIL-44-2008: Guidance for Managing Third-Party Risk

The FILs can be accessed from our external website www.fdic.gov by selecting the laws and regulations tabs and picking the FILs option. If I understand what is being proposed, a Native-American group is proposing to offer payday loan products online and funds will flow from the bank though [sic] ACH transactions. As I mentioned earlier, while the bank is not expected to directly offer payday loans, it will facilitate such lending and the risks discussed in FIL-14-2005 should be closely considered. I am not sure how the arrangement is expected to work, but if a third-party vendor will be involved, or any relationship connecting the bank with the depositor group that must be supervised, the concerns raised in FIL-44-2008 must be addressed.

As I stated earlier, the arrangement will receive close regulatory scrutiny from the FDIC and State Banking Department. In-depth BSA and IT reviews of this relationship will also take place. Even under the best circumstances, if this venture is undertaken with the proper controls and strategies to try to mitigate risks, since your institution will be linked to an organization providing payday services, your reputation could suffer.

If the Board plans to go forward with this venture, please reduce your plans to writing by submitting a letter to the FDIC's Regional Director [name redacted] and [State regulator and name redacted] outlining your proposal.

The current Atlanta Regional Director became aware of the email in September 2014 after it was identified during a search of email communications in connection with a request for information from the Congress. FDIC officials informed us that the email referenced FDIC guidance that was not relevant to the proposed banking relationship and that communications of that nature should only come from the Regional Office. As a result, the Atlanta Regional Director contacted the bank executive on September 10, 2014, to clarify the FDIC’s supervisory approach and expectations for such relationships and to emphasize that the FDIC does not, in any way, prohibit payday lending.

A detailed description of the second instance follows.

Use of Moral Suasion to Discourage ACH Processing for a Payday Lender

In October 2012, an IT examiner in the Chicago Regional Office conducting an offsite review of ACH transaction data provided by the Federal Reserve identified an institution with a significant volume of ACH returns relative to other institutions in the state. The IT examiner provided the information to RMS and DCP examiners who contacted the institution to discuss the return rates. The RMS and DCP examiners learned that substantially all of the ACH returns related to a payment processing relationship the institution had with a payday lender. Although the institution provided an explanation for the large volume of ACH returns, examiners determined that an on-site visitation of the institution to assess the associated risk was appropriate. On November 13, 2012, the Chicago Regional Director sent an email to the FDIC’s Chief of Staff; the current and former Director, RMS; the Director and Deputy Director, DCP; and a Legal Division official in the Washington, D.C. Office. The email read, in part:

We have recently identified an institution in [location and institution name redacted] that is providing ACH processing for a payday lender. As indicated in the commentary immediately below, we are planning a visitation to the bank next month to review the bank’s third party activities, including its association with the payday lender. In consideration of this development, the Chicago Region withdraws its recommendation of [name of individual and institution redacted] for membership on the [FDIC Community Bank] Advisory Committee.

RMS and DCP, together with the state banking department, conducted a visitation of the institution on December 17-18, 2012.30 The examiners found that the institution had reasonable controls in place to protect against fraud in the ACH origination service and to prevent undue credit and operational risk. However, the examiners recommended that the institution review and strengthen the terms of its agreement with the payday lender; analyze the level of funds held in the payday lender’s deposit account to minimize credit risk to the institution; and develop a strategy to reduce the level of ACH returns. The visitation also identified consumer compliance concerns and recommended that the institution conduct a compliance risk assessment; establish formal monitoring procedures to ensure risks are effectively controlled; and implement a formal process for reporting to the Board.

Footnote 30: Although the visitation focused on the payment processing relationship with the payday lender, a review of the institution’s controls over the issuance of multi-purpose gift cards by another company was also performed.

After FDIC examiners provided preliminary results of the visitation to the Chicago Regional Office, the Chicago Regional Director notified the Director, DCP, that the Office would pursue a strategy to facilitate the institution’s exit from the payment processing relationship with the payday lender. The Regional Director notified the Director, DCP, of the strategy via email and during a conference call on January 16, 2013. Additionally, beginning in February 2013 and continuing through August 2013, the Chicago Regional Office’s monthly status reports to the Directors, RMS and DCP, referenced concerns related to the institution’s involvement with a third party that facilitated payday lending and the FDIC’s supervisory expectation for the institution to exit the relationship.

On February 8, 2013, FDIC and state examiners held a conference call with the Chief Executive Officer (CEO) and the Chief Financial Officer (CFO) of the institution to reinforce the findings of the visitation and obtain management’s commitment to address the recommendations. During the call, an FDIC FOS informed the institution’s CEO and the CFO that the payment processing relationship with the payday lender carried a high degree of third-party, reputation, compliance, and legal risks that may not be acceptable. The FOS indicated that the FDIC’s primary concern with the relationship was reputation risk. Specifically, the payday lender had an “F” rating with the Better Business Bureau (BBB) that was not consistent with the bank’s positive image or the services the institution provided to the community.31 The FOS informed the institution’s CEO that the Board would receive formal correspondence from the Regional Office in the coming weeks urging the Board to terminate the payment processing relationship with the payday lender.

Footnote 31: The BBB rates organizations on a scale of A+ (highest) to F (lowest). The rating represents the BBB’s opinion of how the business is likely to interact with its customers.

Immediately following the conference call, the FOS sent an email to an Assistant Regional Director in the Chicago Regional Office stating that the BBB rating was the most compelling information the FDIC had to pursue a termination of the relationship because legally the institution was entitled to maintain the relationship and the institution was administering the relationship in a reasonable fashion.32 On February 15, 2013, the Chicago Regional Office sent a letter to the institution notifying its Board that the FDIC had recently become aware of the bank’s involvement in activities related to payday lending—specifically the processing of transactions on behalf of a payday lender. The letter stated, in part:

Footnote 32: The FOS and the Chicago Regional Director informed us that they did not request or receive advice from the Legal Division regarding the legal sufficiency of persuading the institution to exit the payment processing relationship with the payday lender.

It is our view that payday loans are costly, and offer limited utility for consumers, as compared to traditional loan products. Furthermore, the [redacted] relationship carries a high degree of risk to the institution, including third-party, reputational, compliance, and legal risk, which may expose the bank to individual and class actions by borrowers and local regulatory authorities. Consequently, we have generally found that activities related to payday lending are unacceptable for an insured depository institution.

The letter added that members of the Chicago Regional Office’s management team would contact the institution’s Board to schedule a meeting to further discuss the FDIC’s concerns with the relationship. On April 30, 2013, the FOS and a state examiner met with the institution’s CEO and CFO to discuss the status of the payment processing relationship with the payday lender. The meeting took place during a state-led safety and soundness examination. The CEO and CFO informed the examiners that a decision had not yet been made regarding the future of the institution’s relationship with the payday lender. The FOS discussed ongoing concerns that the regulators had regarding payday lending programs and encouraged the CEO and CFO to formally notify the Regional Office regarding the institution’s planned actions. The CEO and CFO agreed to do so. On May 29, 2013, the state banking agency submitted its report of examination to the institution’s Board. The report did not mention the institution’s payment processing relationship with the payday lender. We spoke with representatives of the state banking department who informed us that they did not have an objection to the institution’s relationship with the payday lender.

In a letter dated June 18, 2013, the institution’s CEO notified the Chicago Regional Office that the relationship with the payday lender would be terminated. The letter noted that the institution had not been cited for noncompliance with any laws or regulations in connection with the relationship. In addition, the letter stated that the institution had engaged a consultant to conduct a risk assessment of the relationship and although the assessment identified areas warranting control improvements, it also concluded that the relationship posed no significant risk to the institution, including financial, reputation, or legal risk. The letter also expressed disappointment with the FDIC’s supervisory approach, particularly its ability to pressure an institution to terminate a business relationship when there were no safety and soundness considerations other than potential reputation risk. An email dated June 19, 2013, from the FOS to a Chicago Assistant Regional Director, stated: “In the end, we are getting them out of [ACH processing for a payday lender] through moral persuasion and as you know from a legal perspective we don’t have much of a position, if any.”

The Chicago Regional Director informed us that he pursued a strategy of persuading the institution to terminate its payment processing relationship with the payday lender because it was his perception that senior FDIC management in the Washington, D.C. office, including the current and former Chairmen, did not favor banking services that facilitated payday lending. The Regional Director recalled a meeting held in late 2010 or early 2011 during which the former Senior Deputy Director, Division of Supervision and Consumer Protection (DSC),33 informed the Regional Directors that if an institution in their region was facilitating payday lending, the Regional Director should require the institution to submit a plan for exiting the business. We contacted the former Senior Deputy Director, DSC, about this matter and he stated that he did not communicate such an expectation to the Regional Directors.

Footnote 33: In conjunction with other organizational changes made in response to the enactment of the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010, DSC was split into RMS and DCP, effective February 13, 2011.

The Director, DCP, was aware of the Chicago Regional Office’s strategy to persuade the institution to exit the relationship with the payday lender through monthly status reports from the Chicago Regional Office as well as conference calls and email communications from the Regional Director. Although the Director, DCP, was aware that the Regional Director had planned to send, and subsequently did send, a letter to the institution requesting a plan to exit the relationship, the Director informed us that he did not receive a copy of the letter or the institution’s June 2013 response until early July 2013. The Director, DCP, indicated that his initial reaction/priority at that time was to gain an understanding of the region’s perception of the risks in the relationship and the region’s plan for following up with the institution to address the issues raised in its June 2013 response letter. No one at the FDIC informed the Chicago Regional Director that the February 2013 letter sent to the institution was inconsistent with FDIC policy or guidance until after Operation Choke Point was publicized in the media.

In the fall of 2013, the Chicago Regional Director and the Director, DCP, separately contacted the institution to clarify the FDIC’s supervisory policy and guidance for institutions that provide ACH processing for third parties, including payday lenders. FDIC officials informed us that the institution ultimately terminated its payment processing relationship with the payday lender but continued to provide other types of banking services to the merchant.

Regional Director Perspectives

We interviewed all six of the FDIC’s Regional Directors to obtain their perspectives on the FDIC’s stance towards payday lending by financial institutions and ACH processing for payday lenders. Three of the six Regional Directors informed us that it was their perception that senior FDIC executives in Washington, D.C., up to and including the former and current FDIC Chairmen, had serious concerns regarding the facilitation of payday lending by FDIC-supervised institutions. The three Regional Directors stated that senior FDIC management never made a distinction between payday lending by financial institutions and ACH processing for payday lenders when communicating their concerns. In addition, these three Regional Directors believed that there was a general expectation from executives in Washington, D.C., to discourage institutions from facilitating payday lending. Further, two of these three Regional Directors believed that if an institution was found to be facilitating payday lending, an expectation existed to pursue an exit strategy. The remaining Regional Director believed there was an expectation that examiners should place a heightened level of scrutiny on the associated controls. All three Regional Directors added that they had observed a shift in the supervisory tenor among Washington, D.C., executives towards institutions that facilitate payday lending since the fall of 2013. The current tenor, according to these Regional Directors, is that such activity is acceptable, provided that the institution complies with applicable policy, guidance, and laws.

The remaining three Regional Directors that we spoke with indicated that it was their perception that executives in Washington, D.C., viewed payday lending by financial institutions and ACH processing for payday lenders as acceptable, provided that the institution complies with applicable policy, guidance, and laws.

All six of the Regional Directors informed us that concerns regarding individual FDIC-supervised institutions facilitating payday lending have been relatively infrequent in recent years. These views were consistent with our review of monthly status reports submitted by the Regional Directors to the Directors of RMS and DCP for the 4-year period ended December 31, 2014. These monthly status reports identified concerns specifically pertaining to payday lending activities facilitated through ACH processing at just three financial institutions. All three of the institutions were under the supervision of the Chicago Regional Office.

Role of Certain Former and Current FDIC Officials

As mentioned earlier in this report, the FDIC Chairman requested that as part of our planned and ongoing work related to Operation Choke Point, we conduct a fact-finding review of the actions of senior FDIC staff, including but not limited to, one former and four current officials. The Chairman’s request was prompted by concerns raised by a Congressman in a letter dated December 10, 2014, that identified five individuals that had allegedly allowed their personal and political views to interfere with the important work of the FDIC and that they had misled the American people through their emails and in meetings with, and testimony before, the Congress. These five individuals served as the former Acting General Counsel; a Deputy Director, DCP; the former Atlanta Regional Director; the Chicago Regional Director; and the Director, DCP.34 The Member’s concerns were based on information contained in a December 8, 2014 staff report of the House Oversight and Government Reform Committee, entitled Federal Deposit Insurance Corporation’s Involvement in “Operation Choke Point.”

Footnote 34: The former Atlanta Regional Director retired from the FDIC on May 3, 2014.

We performed audit procedures to determine the extent to which the individuals serving in the five referenced positions were involved in the development or implementation of Operation Choke Point and whether their actions involving the institutions we reviewed were based on personal, political, or moral agendas aimed at forcing lawful businesses on the high-risk list out of the banking sector. As part of these audit procedures, we interviewed relevant FDIC and DOJ employees, reviewed selected email communications that the five individuals sent and received on the topic of payday lenders, and reviewed supervisory records pertaining to our 23 sampled institutions.35

Footnote 35: See Appendix 1 for a detailed description of our scope and methodology, including our approach for reviewing email communications for the five individuals.

Based on our analysis, we determined that none of the five individuals played a role in the development or implementation of Operation Choke Point. In addition, we concluded that the individuals did not pursue their own personal, political, or moral agendas aimed at forcing lawfully-operating businesses on the high-risk list out of the banking sector. As it pertains to payday lending and related activities, we concluded that the officials acted consistent with a widely-held understanding that the highest levels of the FDIC disfavored these types of banking services. Concerns regarding these types of banking services were rooted in safety and soundness and consumer protection risks. We also noted instances in which internal FDIC email communications and/or a communication to a financial institution involving the former Atlanta Regional Director; the Chicago Regional Director; and the Director, DCP; were not consistent with written FDIC policy or guidance. The exceptions pertained to ACH processing for payday lenders by financial institutions. A brief description of our results by individual follows.

Former Acting General Counsel. We did not identify any actions taken by this individual that influenced the FDIC’s supervisory approach pertaining to payday lending for the institutions we reviewed. As mentioned earlier, work on a separate inquiry into the allegation that this individual provided false testimony to the Congress was completed by the OIG’s Office of Investigations at the close of our audit.

Deputy Director, DCP. We did not identify any actions taken by this individual that influenced the FDIC’s supervisory approach pertaining to payday lending for the institutions we reviewed. We did, however, note a limited number of internal email communications in which this individual attempted to cast payday lending by financial institutions in a negative light in public communications by the FDIC Chairman. However, we found no evidence that these negative connotations were incorporated into the Chairman’s communications.

Former Atlanta Regional Director. This individual played a key role in developing the FDIC’s payday lending guidance and led an internal FDIC working group in 2005 that helped to establish and implement the Corporation’s supervisory strategies pertaining to payday lending. We identified certain email communications authored by this individual, some of which were sent to his supervisor—the Director, DCP—and others of which were sent to his staff that reflected strongly-held, negative views about payday lenders and ACH processing by banks for payday lenders. Some of these communications related to one of the 23 institutions in our sample. The views expressed in these email communications were not consistent with written FDIC policy or guidance, which permits institutions to provide banking services to payday lenders provided that the institutions have adequate risk management controls and comply with applicable laws. In our view, such communications also reflected poor judgment as they had the propensity to influence staff behavior and lead to communications with financial institutions that are inconsistent with written FDIC policy and guidance.

The Chicago Regional Director. As discussed earlier, this individual sent a written communication to one of the 23 institutions in our sample discouraging the institution from providing ACH processing services to a payday lender even though material safety and soundness or consumer protection concerns to warrant doing so did not exist. This approach was not consistent with the written FDIC policy or guidance. The individual believed that his communication was consistent with senior FDIC management’s expectations to discourage financial institutions from facilitating payday lending. In addition, the individual’s supervisor—the Director, DCP—was aware of the Chicago Regional Director’s communication and the institution’s response, but did not inform the Chicago Regional Director that his communication was inconsistent with FDIC policy or guidance until concerns were raised publicly about the FDIC’s approach to financial institutions that facilitate payday lending.

Director, DCP. This individual took a lead role in responding to the FDIC Chairman’s request to investigate reports of financial institutions engaging in payday lending and recommending further steps that could be taken by the FDIC to address the associated risks. This individual established an interdivisional working group to research the risks to institutions associated with the facilitation of illegal payday lending activities through TPPPs and developed FDIC guidance on deposit advance products.

The Director, DCP, informed us that he did not advise the former Atlanta Regional Director that some of his internal email communications were inconsistent with FDIC policy and guidance because it was the Director’s belief that these communications would not be shared with anyone else. However, as described earlier, similar communications were shared with the former Atlanta Regional Director’s staff. In addition, it was the Director’s belief that the former Atlanta Regional Director’s emails were more emotional than substantive and that this individual would not take action to pressure an institution to decline banking services in violation of FDIC policy or guidance.

With respect to the Chicago Regional Director’s written communication referenced above, the Director, DCP, informed us that it was his understanding that the institution was being persuaded to terminate its relationship with the payday lender for safety and soundness reasons and not primarily because of reputation risk. Further, the Director did not advise the Chicago Regional Director that his communication with the institution was inconsistent with FDIC policy and guidance until September 2013. The Director stated that after seeing the communication in early July 2013, he attempted to understand the risks associated with the relationship and the region’s approach to addressing those risks.

Because the FDIC Chairman has already committed to reviewing the facts and circumstances pertaining to the five individuals, and taking action, as appropriate, we are not making recommendations in this area.

The FDIC’s Actions to Address Concerns Regarding Its Supervisory Approach

FDIC officials determined that there were misperceptions about the FDIC’s supervisory approach to institutions that conduct business with merchants associated with high-risk activities. As a result, beginning in September 2013, the FDIC took a number of actions to address these misperceptions. These actions are intended to promote a common understanding and consistent implementation of the FDIC’s supervisory approach in this area. These actions are described below:

- On September 27, 2013, the FDIC issued FIL-43-2013, FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities. The FIL clarified the FDIC’s policy and supervisory approach related to facilitating payment processing services directly, or indirectly through a third party, for merchant customers engaged in higher-risk activities. According to the FIL, facilitating payment processing for these types of merchant customers can pose risks to financial institutions. However, institutions that properly manage these relationships and risks are neither prohibited nor discouraged from providing payment processing services to customers operating in compliance with applicable law. FIL-43-2013 also states that the focus of the FDIC’s examination process is on assessing whether institutions are adequately overseeing the activities and transactions they process and appropriately managing and mitigating risks. The FIL adds that institutions with appropriate systems and controls will not be criticized for providing payment processing services to businesses operating in compliance with applicable law.

- On July 28, 2014, the FDIC issued FIL-41-2014, FDIC Clarifying Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors. The FIL reiterated the FDIC’s policy that institutions that properly manage customer relationships are neither prohibited nor discouraged from providing services to any customer operating in compliance with applicable law. The FIL also states that the focus of the FDIC’s supervisory approach to institutions with TPPP relationships is to ensure adequate procedures for conducting due diligence, underwriting, and ongoing monitoring of the relationships. According to the FIL, institutions that follow the FDIC’s outstanding guidance will not be criticized for establishing and maintaining TPPP relationships.

Additionally, FIL-41-2014 states that the examples of merchant categories associated with higher-risk activities included in previously-issued FDIC guidance36 and the informational article in the Summer 2011 Supervisory Insights Journal led to misunderstandings regarding the FDIC's supervisory approach to TPPPs and created a misperception that the merchant categories were prohibited or discouraged. As a result, the FDIC removed the lists of examples of merchant categories from previously issued guidance and the informational article.

Footnote 36: This guidance consists of FIL-127-2008, Guidance on Payment Processor Relationships, originally issued on November 7, 2008, and revised in July 2014; FIL-3-2012, Payment Processor Relationships, Revised Guidance, originally issued on January 31, 2012, and revised in July 2014; and FIL-43-2013, FDIC Supervisory Approach to Payment Processing Relationships With Merchant Customers That Engage in Higher-Risk Activities, originally issued on September 27, 2013, and revised in July 2014.

- On January 28, 2015, the FDIC issued FIL-5-2015, Statement on Providing Banking Services. The FIL states that individual customers within broader customer categories present varying degrees of risk. Consequently, institutions should take a risk-based approach in assessing individual customer relationships rather than declining to provide banking services to entire categories of customers. Financial institutions that can properly manage customer relationships and effectively mitigate risks are neither prohibited nor discouraged from providing services to any category of customer accounts or individual customers operating in compliance with applicable state and federal law.

FIL-5-2015 recognizes that some institutions may hesitate to provide certain types of banking services due to concerns that they will be unable to comply with the associated requirements of the BSA. According to the FIL, the FDIC and the other federal banking agencies recognize that as a practical matter, it is not possible to detect and report all potentially illicit transactions that flow through an institution. Isolated or technical violations, which are limited instances of noncompliance with the BSA that occur within an otherwise adequate system of policies, procedures, and processes, generally do not prompt serious regulatory concern or reflect negatively on management’s supervision or commitment to BSA compliance. The FIL adds that when an institution follows existing guidance and maintains an appropriate risk-based program, the institution will be well-positioned to appropriately manage customer accounts, while generally detecting and deterring illicit financial transactions.

FIL-5-2015 also states that any FDIC-supervised institution concerned that FDIC personnel are not following the policies on providing banking services may contact the FDIC’s Office of the Ombudsman (OO) using a dedicated, confidential toll-free number or email address. Individuals or institutions may also contact the FDIC OIG through its Web site, by phone, or by email.

- On January 28, 2015, the FDIC established an internal policy for documenting and reporting instances in which FDIC staff recommend or require institutions to terminate deposit account relationships. According to the policy, recommendations or requirements to terminate a customer deposit account should not be made through informal suggestions. In addition, criticisms of an institution’s management or mitigation of risk associated with deposit accounts that do not rise to the level of a recommendation or a requirement to terminate an account should not be made through informal suggestions. Rather, criticisms of an institution’s management or mitigation of risk associated with deposit accounts must be made in writing in a report of examination. Further, recommendations or requirements to terminate deposit accounts must be made in writing and must be approved in writing by the Regional Director before being provided to and discussed with the institution’s management and Board.

The policy provides that before findings involving customer account terminations are included in a report of examination or supervisory actions are pursued, the findings and supervisory actions must be thoroughly vetted with Regional Office and legal staff. As part of this effort, examiners should include the supervisory basis for recommending or requiring account terminations and address any specific laws or regulations examiners believe are being violated, if applicable. Further, recommendations to terminate deposit account relationships cannot be based solely on reputation risk to the institution. The policy adds that the Regional Directors must report quarterly to the Directors, RMS and DCP, as well as to the FDIC Board regarding requests or requirements for institutions to terminate deposit accounts, along with the basis for such action. The first two of these reports covered the first two quarters of 2015 and identified no requests or requirements for an institution to terminate a deposit account.

Following the issuance of the policy, the FDIC Chairman participated in a national conference call with FDIC supervisory staff to discuss the documentation and reporting requirements described above. The Chairman also met with all six of the FDIC’s Regional Directors to emphasize the importance of complying with the policy. In addition, the FDIC plans to emphasize the policy’s requirements during upcoming meetings and training sessions with supervisory staff.

We noted that the policy and guidance described above focuses on deposit accounts and does not explicitly address various other types of banking products, such as credit products. The FDIC should consider whether the policy and guidance warrants clarification to address such products.

Banker Perspectives

We interviewed senior executives at 19 of the 23 financial institutions in our sample to obtain the executives’ views on the FDIC’s supervisory approach to institutions that provided banking services (either directly or through TPPPs) to merchants on the high-risk list. [Footnote 37] As part of these interviews, we asked the executives for their thoughts on the FDIC’s payday lending and TPPP guidance. We also asked executives at certain institutions about their views on RALs. Although the perspectives provided by the executives varied, several salient views emerged and are described below. We are including these perspectives in our report for the FDIC’s consideration in its ongoing outreach to community banks.

Footnote 37: Executives at 4 of the 23 institutions declined our offer for an interview.

The High-Risk List. Executives at all but one of the 19 institutions were familiar with the Summer 2011 Supervisory Insights Journal article that contained the high-risk list. Executives at 14 of the other 18 institutions stated that after reading the article, it was not their impression that the FDIC discouraged institutions from conducting business with merchants on the high-risk list. However, executives at 4 of the 18 institutions believed that the article suggested that the FDIC discouraged institutions from conducting business with merchants on the high-risk list.

The FDIC’s Payday Lending Guidance. Executives at 11 of the 19 institutions stated that they were not familiar with, or had no perspectives on, the FDIC’s payday lending guidance. In several cases, this was because the executives simply had no business interest in offering that type of credit product. Executives at five institutions indicated that the payday lending guidance was generally appropriate, while executives at the remaining three institutions thought the guidance was not appropriate. Executives at one of these three institutions stated that the payday lending model as defined in guidance makes payday lending cost prohibitive for institutions.

Termination of Business Relationships. With the exception of payday lenders, none of the executives indicated that they had experienced pressure from the FDIC to terminate a business relationship with a merchant on the high-risk list, including a firearms and ammunition retailer, or tobacco retailer. Although pawnbrokers were not on the high-risk list, executives from five institutions informed us that they provided banking services to these merchants and had never experienced regulatory pressure to terminate the business relationships.

Executives at two institutions stated that they had stopped making payday loans through third-party arrangements with payday lenders in the mid-2000s because the cost of complying with the FDIC’s payday lending guidance was too great and the FDIC had exerted pressure on the institutions to stop making payday loans. These executives also expressed concern about the FDIC’s heightened scrutiny of payday lending and the risk of potential supervisory actions against institutions that engage in that type of activity. In addition, the executives stated that they have declined to provide banking services to payday lenders because of the associated risks.

Executives at a third institution stated that they terminated a payment processing relationship with a payday lender in 2013 in response to pressure from the FDIC. The executives at this institution stated that the pressure was based primarily on reputation risk to the institution because of its association with a payday lender. The executives added that, in their view, the relationship posed no significant safety and soundness or consumer compliance risk to the institution.

The FDIC’s TPPP Guidance. Executives at 12 institutions indicated that the risk management concepts and principles defined in the FDIC’s TPPP guidance were appropriate. Executives at one of these institutions indicated that they understood the importance of properly managing TPPPs because they can be a source of illegal transactions, while executives at a second institution stated that they would adopt the controls described in the guidance even if the guidance did not exist because doing so was a good business practice. Executives at a third institution indicated that the guidance was clear, contained an appropriate amount of detail, and that the institution was using the guidance to implement related internal controls.

Executives at seven institutions indicated that the resources required to implement risk management controls as described in the guidance are not practical, particularly for small community banks. Executives at all seven institutions expressed concern about the FDIC’s high level of scrutiny of TPPP relationships, and/or the extent to which institutions must go to ensure that the business activities and transactions of TPPP merchant clients comply with applicable federal and state laws. Executives at one of these institutions stated that such monitoring is tantamount to detective work rather than providing banking services. Executives at another institution indicated that they would never conduct business with TPPPs due to regulatory burden and pressure.

TPPPs. Executives at three institutions stated that the FDIC pressured their institutions to exit business relationships involving TPPPs. Executives from two of the institutions believed the ultimate direction came from the FDIC’s Washington, D.C., office.

RALs. Executives from two institutions stated that FDIC officials forced them to stop facilitating RALs and applied increased scrutiny of their institutions’ RAL programs. These executives also said that FDIC officials noted the lack of the Internal Revenue Service (IRS) debt indicator [Footnote 38] as a reason for pressuring the institutions to discontinue facilitating RALs.

Footnote 38: Prior to 2011, tax preparers who electronically submitted a client’s tax return received an acknowledgement from the IRS that included (among other things) information about whether the taxpayer would have any portion of their refund offset for delinquent tax or other debts, such as unpaid child support or delinquent federally funded student loans. This information was often referred to as the debt indicator.

State Banking Agencies. Executives at six institutions described instances in which the FDIC raised concern about their institutions’ payday lending activities, management of TPPP relationships, and/or practices for offering RALs. However, the state regulators for these institutions exhibited a lesser level of concern for these risks. In one instance, a state banking agency and the FDIC issued separate reports of examination for an institution covering the same period. The state banking agency assigned three CAMELS component ratings and a composite rating that were higher than the FDIC’s ratings.

Positive Feedback. While not specifically asked, executives at six institutions made complimentary remarks about certain FDIC personnel and/or indicated that FDIC officials treated their institutions in a fair, open, and transparent manner. One executive complimented FDIC staff for helping the institution address a consent order, and an executive from another institution stated that the FDIC helped to improve the institution’s monitoring and management of BSA risks.

Observation: Refund Anticipation Loans

During the course of our audit, we became aware of a credit product known as a RAL. Although RALs were not included on the high-risk list, we observed that the FDIC’s supervisory approach to institutions that offered this credit product raised questions similar to those that prompted the Congressional request to our office. Specifically, the FDIC took unusual and aggressive actions to prohibit institutions from offering this credit product. Below is an explanation of RALs and related risks, a description of certain aspects of the FDIC’s supervisory approach at the institutions that offered this product, and our preliminary concerns.

What is a RAL?

A RAL is a particular type of loan product typically brokered by a national or local tax preparation company in conjunction with the filing of a taxpayer’s income tax return. As part of the RAL process, the tax preparer works in cooperation with a financial institution to advance the refund as a loan, minus tax preparation costs, other fees, and a finance charge. The taxpayer in turn provides authorization to the IRS to send the refund directly to the institution to repay the loan. One benefit of RALs is that they allow taxpayers to receive cash quickly, often on the same day they file their returns. However, as discussed below, RALs also present safety and soundness and consumer protection concerns.

Concerns with RALs

The Congress, IRS, OCC, and consumer advocacy groups have all raised concerns about RALs. Specifically, the MLA (discussed earlier) limits annual percentage rates on certain loans offered to military service personnel, including RALs, to 36 percent. The IRS has expressed concern that RALs may provide tax preparers with financial incentives to take improper tax return positions to inappropriately inflate refund claims. The OCC’s February 2010 Policy Statement on Tax Refund-Related Products describes supervisory expectations for national banks that offer RALs and related products, as well as the associated legal, compliance, consumer protection, reputation, and safety and soundness risks. Because of these risks, the OCC has largely extinguished RALs from the national banking system and indicated that the agency would not accept, license, or charter an institution concentrating in these services today. Consumer advocacy groups have also criticized RALs as predatory in nature because they are costly and frequently targeted to low-income taxpayers.

The FDIC considers RALs to carry a significant degree of risk to financial institutions, including third-party, reputation, compliance, and legal risks. Of particular concern to the FDIC is the ability of a financial institution to ensure proper underwriting and compliance with consumer protection requirements when this credit product is offered through hundreds or thousands of EROs. Contributing to these concerns was the IRS’ decision, which became effective with the 2011 tax season, to discontinue providing tax preparers and financial institutions with the “debt indicator” underwriting tool. In the absence of a debt indicator, and for other reasons, the FDIC concluded that institutions could not facilitate RALs in a safe and sound manner and determined that RALs were unacceptable for FDIC-supervised institutions.

The FDIC’s Supervisory Approach to Institutions that Offered RALs

We identified three FDIC-supervised institutions that offered RALs (referred to herein as Institutions A, B, and C). Institutions A, B, and C began offering RALs in 1987, 1988, and 2007, respectively. At various times from 2004 through 2009, FDIC examiners criticized the risk management practices pertaining to the RAL programs at Institutions A and B during compliance and risk management examinations. Among other things, examiners criticized these institutions for apparent violations of consumer protection laws and regulations and insufficient oversight of their EROs. In addition, Institution A stipulated and consented to a Cease and Desist Order in February 2009 arising from deficiencies in the institution’s compliance management system with regard to RALs and the institution’s inability to adequately assess, measure, monitor, and control third-party risk.

In late 2009, the FDIC contended that Institution A had expanded its RAL program while operating under the Cease and Desist Order. This expansion prompted the FDIC to send letters to the institution’s Board, dated December 30 and 31, 2009, expressing continued concerns about the institution’s RAL products and requesting a plan for discontinuing this type of lending. In separate letters dated February 3, 2010, the FDIC notified the Boards of the two remaining institutions that RALs were unacceptable for the institutions and that plans should be developed for the expeditious exit of those lines of business. Notably, the FDIC had not identified any control weaknesses in Institution C’s RAL program prior to sending these letters. [Footnote 39] The FDIC’s letters to all three institutions were coordinated through the Washington, D.C., office.

Footnote 39: After sending the letters, a February 2010 examination issued by the institution’s state regulator noted that the FDIC was viewing RALs as “an unacceptable business line.” A September 2010 compliance examination report noted an inadequate bank policy and monitoring practices related to the institution’s RAL program. The report contained numerous recommendations to enhance the institution’s internal controls over its RAL program.

In early 2011, after prior efforts to convince the three institutions to discontinue offering RALs were unsuccessful, RMS, DCP, and Legal Division executives in the Washington, D.C., office undertook an aggressive, and at times confrontational, approach to compel the institutions to stop offering RALs. As part of this approach, in January 2011, the Director, DCP, and the former Senior Deputy Director, RMS, proposed, and the former FDIC Chairman approved, plans to commit significant examiner resources to conduct horizontal reviews of the institutions’ EROs throughout the United States if the institutions would not voluntarily discontinue their RAL programs. A brief description of key FDIC supervisory actions to compel the institutions to stop offering RALs beginning in early 2011 follows.

Institution A

In a memorandum dated January 7, 2011, to the Director, DCP, attorneys within the FDIC’s Legal Division assessed the litigation risk to the Corporation pertaining to a proposed enforcement action that would require Institution A to terminate its RAL program. At that time, DCP and RMS were contemplating the issuance of a Notice of Charges and Hearing against the institution because prior efforts to persuade the institution to stipulate to such an order had been unsuccessful. The Legal Division memorandum noted that although the institution was already operating under a Cease and Desist Order for deficiencies in its RAL program, the most recent compliance examination of the institution found that the deficiencies had been largely corrected. [Footnote 40] Without direct criticism of the institution’s RALs, or examination staff that could opine as an expert witness that a deficiency in the institution’s RAL program rose to an unsafe or unsound practice or that the institution was faced with an abnormal risk of loss from the program, the memorandum concluded that the litigation risk to the FDIC of pursuing an enforcement action based primarily on safety and soundness arguments was extremely high.

Footnote 40: The FDIC’s January 2011 litigation risk assessment indicated that the FDIC’s determination that the institution’s RAL deficiencies had apparently been corrected was based, in part, upon the results of preannounced visitations to the institution and the institution’s EROs, during which FDIC staff were accompanied by bank personnel. The FDIC did not select the EROs using statistical techniques. As a result, FDIC staff believed that deficiencies could be more pronounced if the visitations were conducted on an unannounced basis.

The memorandum noted that DCP and RMS were developing plans to conduct horizontal, unannounced site-visits of the institution’s EROs that may identify potential violations of law, rule or regulation, as well as potential unsafe and unsound practices. The memorandum indicated that such a determination could be used to support a proposed enforcement action. Accordingly, the memorandum recommended that the FDIC postpone any enforcement action pending the results of the horizontal reviews.

In an e-mail, dated January 28, 2011, and subsequent discussion held on January 31, 2011, an RMS official informed Institution A’s CEO that executing a written agreement requiring the institution to discontinue its RAL program was a prerequisite for allowing the institution to bid on failing banks. At that time, Institution A had an interest in acquiring failing banks. However, Institution A’s CEO did not sign such an agreement.

Notwithstanding the litigation risk, the FDIC issued a Notice of Charges and Hearing on February 9, 2011, charging Institution A with engaging in unsafe or unsound banking practices and violations of laws with respect to the underwriting of RALs. Specifically, the Notice stated that the institution’s underwriting procedures did not mitigate the absence of the IRS debt indicator and did not consider data needed to assess risk in an unsecured consumer loan portfolio. The institution denied the charges. On February 15, 2011, DCP and RMS commenced an unannounced visitation of the institution to review and analyze its RAL program and compliance with an outstanding February 2009 Cease and Desist Order. On the same day, DCP and RMS deployed approximately 400 examiners to conduct a 2-day horizontal review of 250 EROs in 36 states. The purpose of the review was to determine whether the EROs were complying with federal and state laws and regulations pertaining to the origination of RALs. RMS and DCP officials informed us that the number of EROs reviewed was large because a statistically valid sample was needed to support any supervisory actions that may have been warranted based on the outcome of the review.

The visitation and horizontal review identified unsafe and unsound practices and violations of laws and regulations at the institution and EROs. As a result, the FDIC issued an Amended Notice of Charges for an Order to Cease and Desist; Notice of Assessment of Civil Money Penalties, Findings of Fact and Conclusions of Law; Order to Pay; and Notice of Hearing on May 3, 2011, against Institution A. Following a series of legal actions and discussions, the FDIC and Institution A reached a settlement on December 8, 2011, regarding the Amended Notice of Charges and a lawsuit filed by the institution against the FDIC in March 2011. [Footnote 41] As part of the settlement, the institution agreed to discontinue making RALs after the 2012 tax season and never re-enter that line of business. Such provisions are unusual in FDIC Consent Orders as they typically allow an institution to re-enter lending activity after consulting with, or obtaining a non-objection from the FDIC. Institution A also agreed as part of the settlement to pay a CMP totaling $900,000 and voluntarily dismissed a lawsuit that had been filed against the FDIC on March 11, 2011.

Footnote 41: On March 1, 2011, Institution A filed a lawsuit against the FDIC stating that the FDIC’s action seeking to prohibit the institution from offering RALs constituted a generally applicable change in law that was required to be administered through traditional notice and comment rulemaking required by the Administrative Procedures Act or in another fashion permitted by law. The Court dismissed the lawsuit in December 2011, based on the institution’s filing for a voluntary dismissal.

Institution B

On February 3, 2011, the FDIC delivered a proposed consent order to Institution B’s Board that would have (among other things) required the institution to stop offering RALs. The proposed order was based on significant weaknesses in the institution’s oversight, control, and monitoring of third-party risk, particularly with respect to nontraditional products, and apparent violations of laws and/or regulations detailed in a May 2009 compliance examination report. On February 14, 2011, representatives from RMS, DCP, and the Legal Division participated in a meeting with the institution’s Board during which the results of the compliance examination were presented. During the meeting, FDIC officials attempted to persuade the institution’s Board to stipulate to a Cease and Desist Order requiring the institution to discontinue offering RALs. The FDIC’s approach to doing so was confrontational. An excerpt from a summary of the Board meeting prepared by an RMS employee states, in part:

[A former FDIC supervisory attorney] then began by stating that management at the FDIC in Washington would bring the full force of the Corporation to bear against the bank if the Board of Directors did not immediately agree to cease offering RALs at the end of the 2011 tax season. [The FDIC attorney] said there would be immediate consequences, beginning the next day, unless the Board agreed to stop offering RALs. When asked, [the FDIC attorney] did not answer why the immediate decision was necessary although the FDIC was aware that the bank had been offering RALs since 1988 with no detrimental effect on the bank or any customer. [The FDIC attorney] said that "nothing is off the table" pertaining to actions the management of the FDIC would take. When asked by [the institution’s counsel], [the FDIC attorney] declined to state the actions FDIC management would take if the Board did not get out of the RAL business.

The institution’s Board committed to terminating its RAL program during the meeting. Immediately following the meeting, DCP and RMS executives in Washington, D.C., were notified of the Board’s decision and a decision was made to cancel the horizontal review of the institution’s EROs that was scheduled to commence the next day. On February 16, 2011, the institution issued a public press release stating that it had decided to exit the RAL business at the conclusion of the 2011 tax season following extensive conversations with its primary regulator, the FDIC, regarding its concerns about RALs.

In October 2011, Institution B stipulated to a consent order, order for restitution, and order to pay CMPs. Among other things, the Consent Order stated that the institution had exited the RAL business and would not resume that type of lending.

Institution C

In a letter dated February 3, 2011, the FDIC notified the institution’s Board that supervisory and enforcement actions may be pursued against the institution if the Board failed to submit a plan for promptly discontinuing its RAL program. In a letter dated February 9, 2011, the institution’s Board notified the FDIC that a special Board meeting had been held the previous day to discuss the FDIC’s February 2011 letter. During that meeting, it was decided that the institution would stop offering RALs after the 2011 tax season, which ended April 21, 2011.

Conclusions

Senior FDIC officials in Washington, D.C., including the former Chairman, considered the safety and soundness and consumer protection risks associated with RALs to be unacceptable and took actions to prohibit this practice at FDIC-supervised institutions. [Footnote 42] The FDIC drafted a policy statement in 2010 that defined the FDIC’s supervisory concerns and expectations for institutions offering RALs. However, the policy statement was never finalized. In our view, establishing such a policy would have been prudent to ensure that institutions understood the risks associated with RALs and provide transparent supervisory guidance and expectations for institutions already (or contemplating) offering RALs.

Footnote 42: Although Institutions A, B, and C stopped offering RALs, FDIC officials informed us that they continued to facilitate other products with EROs, such as tax refund anticipation checks.

We concluded that the actions taken with respect to the three institutions that offered RALs fell within the Corporation’s broad statutory authorities because the Corporation is permitted to require a financial institution to discontinue a practice if safety and soundness or consumer protection concerns warrant doing so. However, we believe that the execution of these actions and the role of the individuals involved warrants further review, and the OIG is conducting additional work in this area.

[End of Audit Results section]

Recommendations

As discussed earlier, the FDIC clarified its supervisory policy and guidance to address misperceptions regarding the Corporation’s supervisory approach to institutions that conduct business with merchants on the high-risk list. The policy and guidance, however, focuses on deposit accounts and does not explicitly address various other types of banking products, such as credit products. In addition, it is too soon, in our view, to determine whether the actions taken by the FDIC will ensure a common understanding and sustained application of the FDIC’s supervisory approach to the issues and risks discussed in this report, both within the FDIC and at FDIC-supervised institutions. In this regard, an assessment of the implementation of that approach to ensure it is having the intended effect would be prudent. Such an assessment would also be consistent with the internal control and monitoring principles defined in FDIC Circular 4010.3, FDIC Enterprise Risk Management Program. This circular provides for continuous monitoring to enhance program performance and operations and a process to identify, analyze, and reduce exposure to risks.

We recommend that the Directors, RMS and DCP, coordinate to:

1. Review and clarify, as appropriate, existing policy and guidance pertaining to the provision and termination of banking services to ensure it adequately addresses banking products other than deposit accounts, such as credit products.

2. Assess the effectiveness of the FDIC’s supervisory policy and approach with respect to the issues and risks discussed in this report after a reasonable period of time is allowed for implementation.

With respect to the use of moral suasion to address supervisory concerns with financial institutions, it would be prudent for the FDIC to review its supervisory policy and guidance to determine whether moral suasion is adequately addressed.

We recommend that the Directors, RMS and DCP, coordinate with the Legal Division to:

3. Review and clarify, as appropriate, existing supervisory policy and guidance to ensure it adequately defines moral suasion in terms of the types and circumstances under which it is used to address supervisory concerns, whether it is subject to sufficient scrutiny and oversight, and whether meaningful remedies exist should moral suasion be misused.

[End of Recommendations section]

Corporation Comments and OIG Evaluation

The Director, RMS, provided a written response on behalf of the FDIC, dated September 10, 2015, to a draft of this report. The response is presented in its entirety in Appendix 4. In the response, the Director concurred with all three of the report’s recommendations and described planned and completed corrective actions that were responsive. The FDIC expects to complete all actions to address the recommendations by September 30, 2016. A summary of the Corporation’s corrective actions is presented in Appendix 5.

In addition to actions already taken, the FDIC’s response noted that a sustained effort to communicate with its staff and the industry is important to address what it perceives as potential confusion about appropriate supervisory standards and to ensure a common understanding and sustained application of the FDIC’s approach. The FDIC committed to continuing to communicate to its staff and the industry regarding the distinctions between the standards applicable to credit products, including payday loans, offered by banks and those applicable to other banking services. To that end, the FDIC plans to update its guidance on payday lending by banks to clarify that the guidance does not apply to banks offering deposit accounts or extending credit to payday lenders.

The FDIC plans to conduct internal reviews to assess compliance with its actions to address the issues discussed in the report. The FDIC also plans to continue its reporting to the Board on deposit account terminations; highlight supervisory guidance in outreach events; and monitor inquiries and comments from the OO. In addition, the FDIC plans to revise its written examination guidance by replacing the term moral suasion with a description of the informal communication that FDIC personnel can use to help mitigate practices that could cause a bank to experience financial or other difficulties. Further, with respect to our observation on RALs, the response stated that the FDIC would address the OIG’s results after the OIG completes additional work in this area.

As noted above, the FDIC has taken and planned corrective actions that are responsive to our recommendations. However, in reiterating our findings and providing perspective surrounding them, management did not discuss the potential impact that statements and actions by FDIC executives can have on those responsible for carrying out the FDIC’s supervisory policies and approach. As described in our report, our interviews and review of documents showed that perceptions regarding the views of senior FDIC executives about institutions involved in payday lending and RALs influenced the supervisory approach to handling risks at those institutions. In several instances, the approach was not consistent with written FDIC policy and guidance. Consequently, we believe it is prudent for FDIC senior leadership, as it has committed to do, to reiterate its revised policies on a sustained basis to ensure they become engrained in the organization’s supervisory culture. Given the significance of these issues, we will, at an appropriate time, follow up on the FDIC’s actions to ensure they address the underlying concerns that support our recommendations.

[End of Corporation Comments and OIG Evaluation section]

Appendix 1 Objectives, Scope, and Methodology

Objectives

The audit objectives were to (1) describe the FDIC’s role in the DOJ initiative known as Operation Choke Point and (2) assess the FDIC’s supervisory approach to financial institutions that conducted business with merchants associated with high-risk activities for consistency with relevant statutes and regulations. To address the audit objectives, we:

- determined the extent to which the FDIC participated in developing and implementing Operation Choke Point;

- evaluated the FDIC’s rationale for identifying certain merchants as being associated with high-risk activities;

- reviewed a non-statistical sample [Footnote 43] of 23 FDIC-supervised financial institutions to assess the FDIC’s supervisory approach to address identified concerns;

- analyzed relevant statutes, regulations, policies, procedures, guidance, and training; and

- conducted interviews of 106 current and former FDIC staff, executives at 19 FDIC-supervised financial institutions, officials in DOJ’s Consumer Protection Branch, and officials with selected state banking agencies.

Footnote 43: A non-statistical sample is judgmental and cannot be projected to the population, as explained more fully later in this Appendix.

Pursuant to a request from the FDIC Chairman, dated December 17, 2014, we also reviewed the actions of one former and four current senior FDIC officials. The Chairman requested that the OIG perform this work based on concerns raised in a letter from a Congressman to the Chairman, dated December 10, 2014. Our work pertaining to these individuals focused on determining the extent to which they were involved with Operation Choke Point and whether their actions involving the institutions we reviewed were based on personal, political, or moral agendas aimed at forcing lawful businesses associated with high-risk activities out of the banking sector. To accomplish this work, we reviewed selected email communications, conducted interviews, and reviewed relevant documentation.

We also reviewed references to the individuals in a December 8, 2014 Congressional report, entitled Federal Deposit Insurance Corporation’s Involvement in “Operation Choke Point” and assessed whether the information was relevant to our audit objectives. Work on a separate inquiry by the OIG’s Office of Investigations into whether one of these five individuals had misled the American people in testimony before the Congress occurred during the audit. We coordinated with the Office of Investigations on the inquiry, as appropriate.

The scope of our audit focused on the 5-year period from 2010 through 2014. However, we also considered certain supervisory activities and information prior to this time period to obtain additional insights into the FDIC’s supervisory approach towards institutions that conducted business with high-risk merchants and to provide proper context for issues discussed in the report.

We conducted this performance audit from December 2014 through July 2015 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Scope and Methodology

To accomplish our audit objectives, we:

- Reviewed testimony related to Operation Choke Point given by FDIC and DOJ officials to Members.

- Reviewed reports issued by the Congress related to our audit objectives.

- Assessed the FDIC’s communication with DOJ personnel and FDIC staff participation in task forces, working groups, meetings, and training events pertaining to Operation Choke Point.

- Determined the extent of the FDIC’s involvement in DOJ’s issuance of subpoenas to FDIC-supervised institutions.

- Reviewed the merchants on the FDIC’s high-risk list and conducted research to identify the extent to which six non-statistically selected, major companies in the financial services industry also categorized such merchants as high-risk and/or restricted the processing of transactions involving certain merchants. We selected the six companies based on their large size and name recognition.

- Reviewed formal FDIC enforcement actions pertaining to FDIC-supervised institutions during the 5-year period 2010 through 2014 to determine the extent to which the actions involved high-risk merchants and TPPPs.

- Reviewed congressional bills and pending lawsuits related to our audit objectives.

- Reviewed training events and speeches by current and former FDIC officials and officials from other federal agencies pertaining to payday lending, TPPPs, ACH activities, and other high-risk activities.

- Reviewed DCP executive meeting highlights and monthly regional status reports submitted to the Washington, D.C. Office.

- Interviewed current and former FDIC officials from the Washington, D.C., Office, the Regional Offices, and Field Offices, including the internal and external Ombudsmen. We attempted to interview the FDIC’s former RMS Director, but this individual did not respond to multiple requests for an interview. This individual was the Director, RMS, until February 2013.

- Interviewed DOJ and state financial regulatory officials and executives at a non-statistical sample of 19 financial institutions.

- Reviewed FDIC email communications and related documentation to assess (a) the extent to which FDIC officials communicated with DOJ in connection with Operation Choke Point and (b) the FDIC’s supervisory approach for assessing banks that conducted business with certain merchants and TPPPs. This information can be broken into groups. [Footnote 44]

Footnote 44: FDIC officials obtained these documents in response to requests from Members and the OIG. Although the FDIC could not confirm that all relevant documents were identified, we performed procedures to conclude that the documents the FDIC identified responded to the Congressional and OIG information requests and were sufficient for the purposes of our audit.

o We reviewed all 7,640 pages of FDIC staff emails and documentation that FDIC sent to Members of the Committee on Oversight and Government Reform, per their request dated June 9, 2014; and

o We reviewed selected emails pertaining to specific FDIC individuals, subject matters, and institutions in connection with our audit objectives. These emails were generated from January 1, 2011, through December 31, 2014. In response to our requests for this information, the FDIC provided us with more than 423,000 emails, many of which we found not to be relevant to our objectives (279,526 of these emails were produced as a result of requests pertaining to the five current and former FDIC senior officials mentioned previously). Due to the large volume of emails provided, we were not able to review all of them and, therefore, we judgmentally selected emails for review.

- Reviewed summaries of communications between financial institutions and the FDIC’s OO that were prepared by OO pursuant to FIL-5-2015 (issued in January 2015). The FIL encouraged institutions to contact OO if they were concerned that FDIC personnel were not following applicable policies. As of July 27, 2015, OO had received a total of 18 communications pursuant to the FIL. Two of these communications were relevant to our audit objectives. In one case, an FDIC-supervised institution alleged that FDIC officials pressured the institution to not conduct business with certain entities, including TPPPs and payday lenders. In the other case, the institution stated that it changed its charter from an FDIC-supervised institution due to alleged pressure from FDIC officials to close accounts with TPPPs. OO did not provide the OIG with the names of these two financial institutions because that information is confidential. However, OO provided us with the results of its review of the circumstances pertaining to these communications. In both cases, OO determined that the concerns were unsubstantiated.

- Assessed the risk of fraud and abuse in the context of our audit objectives in the course of evaluating audit evidence.

We identified and became familiar with relevant statutes, laws, rules, regulations, and guidance as follows:

- Safety and soundness and consumer protection statutes and regulations:

o Sections 8, 10, and 39 of the Federal Deposit Insurance Act;

o Section 5 of the Federal Trade Commission (FTC) Act;

o Electronic Fund Transfer Act;

o Truth in Lending Act (TILA);

o Fair Debt Collection Practices Act (FDCPA); and

o Part 364 of the FDIC Rules and Regulations, Appendix A, Interagency Guidelines Establishing Standards for Safety and Soundness.

- Statutes, inter-agency policy and guidance, and FDIC policies and procedures pertaining to BSA/AML, ACH processing, and/or TPPPs:

o Section 8(s), Compliance with Monetary Transaction Recordkeeping and Report Requirements, of the FDI Act;

o Section 326.8, Bank Secrecy Act Compliance, of the FDIC Rules and Regulations;

o Bank Secrecy Act Anti-Money Laundering Examination Manual published by the FFIEC (publications dated June 23, 2005 through November 17, 2014); and

o Retail Payment Systems IT Examination Handbook published by the FFIEC (transmitted through FDIC FIL-6-2010, dated February 25, 2010).

o Relevant portions of the FDIC’s:

    o Formal and Informal Action Procedures Manual (October 2012),

    o Risk Management Manual of Examination Policies (April 2015), and

    o Compliance Examination Manual (May 2015).

- FDIC’s and Interagency subprime, payday, and small-dollar lending guidance:

o FIL-44-1997: Risks Associated with Subprime Lending (May 2, 1997);

o Interagency Guidance on Subprime Lending (transmitted through FDIC FIL-20-99, dated March 4, 1999);

o FIL-9-2001: Subprime Lending (January 31, 2001);

o PR-70-2003: FDIC Issues Examination Guidance for Payday Lending, (July 2, 2003);

o FIL-14-2005: Payday Lending Programs (March 1, 2005);

o FIL-50-2007: Affordable Small-Dollar Loan Products, Final Guidelines (June 19, 2007); and

o FDIC Guidance 6714-01-P: Guidance on Supervisory Concerns and Expectations Regarding Deposit Advance Products (November 21, 2013).

- FDIC’s and Interagency TPPP guidance and training materials:

o FIL-127-2008: Guidance on Payment Processor Relationships (November 7, 2008);

o FIL-3-2012: Payment Processor Relationships, Revised Guidance (originally issued on January 31, 2012 and revised in July 2014);

o FIL-43-2013: FDIC Supervisory Approach to Payment Processing Relationships with Merchant Customers that Engage in Higher-Risk Activities (originally issued on September 27, 2013 and revised in July 2014);

o FIL-41-2014: FDIC Clarifying Supervisory Approach to Institutions Establishing Account Relationships with Third-Party Payment Processors (July 28, 2014);

o FDIC and interagency training materials on TPPPs; and

o Department of the Treasury Financial Crimes Enforcement Network advisory: Risk Associated with Third-Party Payment Processors, FIN-2012-A010 (October 22, 2012).

- Other FDIC guidance:

o FIL-44-2008: Guidance for Managing Third-Party Risk (June 6, 2008);

o FIL-5-2015: Statement on Providing Banking Services (January 28, 2015); and

o Circular 4010.3: FDIC Enterprise Risk Management Program (April 16, 2012).

- FDIC informational publication:

o Supervisory Insights article: Managing Risks in Third-Party Payment Processors (originally issued in the summer of 2011 and revised in July 2014).

We selected a nonstatistical sample of FDIC-supervised financial institutions to assess the FDIC’s supervisory approach for addressing identified concerns. To select the institutions, we first asked FDIC officials to inform us of known institutions that conducted business with TPPPs and/or merchants that were deemed “high-risk.” The FDIC does not generally track or identify institutions engaged in these activities, but may learn of this information through its regular oversight and monitoring activities. Through our own research and/or assistance from the FDIC, we also identified institutions that facilitated payday lending either directly or indirectly through third parties, had high ACH returns, were subpoenaed by DOJ in connection with Operation Choke Point, conducted business pertaining to RALs, or terminated business relationships with high-risk merchants, such as payday lenders or customers in the firearms industry.

Based on our analysis, we identified 130 financial institutions that fit the criteria described above. [Footnote 45] We selected 25 of the 130 institutions for a detailed review. We judgmentally selected the 25 institutions in such a manner as to include representation from each of the FDIC’s six Regional Offices and representation of the criteria used to identify the 130 institutions. Of the 25 institutions, we omitted two institutions because we subsequently learned that they had not conducted business with high-risk merchants. As a result, we assessed and based our results on a total of 23 institutions.

Footnote 45: We considered our universe to be all FDIC-supervised institutions. As of December 31, 2014, the FDIC supervised a total of 4,138 financial institutions.

For our sampled institutions, we:

- Reviewed risk management and compliance reports of examination, visitation reports, formal and informal enforcement actions, correspondence, and consumer complaints in various FDIC systems of record to assess the extent and type of supervisory actions and approach the FDIC took related to the institutions’ business relationships with high-risk merchants and TPPPs. We did not review the FDIC’s examination workpapers.

- Interviewed institution executives to obtain their perspectives on the FDIC’s supervision, the degree to which the institutions had lending or deposit relationships with high-risk merchants, and their viewpoints on the FDIC’s payday lending and TPPP guidance, and in certain instances, supervisory approach to RALs. [Footnote 46]

- Interviewed, as we deemed appropriate, FDIC officials to obtain their perspectives on the FDIC’s supervision of institutions. We also interviewed officials from two state regulatory agencies covering these same topics.

Footnote 46: Four institutions declined our offer for an interview.

The Table on the following page presents the merchants that the FDIC identified as having a higher prevalence of being associated with high-risk activities. The 23 financial institutions in our sample, taken as a whole, conducted business, either directly or indirectly through a third party, with the merchant categories having a “check mark.” We based this determination on our review of available documentation and interviews with bank executives and FDIC officials.

Table: Merchants Associated with High-Risk Activities

[Check Mark] Ammunition Sales | Life-Time Memberships
Cable Box De-scramblers | [Check Mark] Lottery Sales
[Check Mark] Coin Dealers | Mailing Lists/Personal Information
Credit Card Schemes | [Check Mark] Money Transfer Networks
[Check Mark] Credit Repair Services | [Check Mark] On-line Gambling
Dating Services | [Check Mark] PayDay Loans
Debt Consolidation Scams | [Check Mark] Pharmaceutical Sales
Drug Paraphernalia | Ponzi Schemes
[Check Mark] Escort Services | [Check Mark] Pornography
[Check Mark] Firearms Sales | [Check Mark] Pyramid-Type Sales
[Check Mark] Fireworks Sales | Racist Materials
[Check Mark] Get Rich Products | Surveillance Equipment
Government Grants | [Check Mark] Telemarketing
Home-Based Charities | [Check Mark] Tobacco Sales
Life-Time Guarantees | [Check Mark] Travel Clubs

Source: The FDIC Supervisory Insights Journal, Summer 2011 [original] publication. [End of table]

We performed our audit work at the FDIC’s offices in Arlington, Virginia; Atlanta, Georgia; Chicago, Illinois; Dallas, Texas; and Washington, D.C.

[End of Appendix 1 section]

Appendix 2 Glossary of Terms

Term: Definition

Automated Clearing House (ACH): The ACH network is a nationwide electronic payment network which enables participating financial institutions to distribute electronic credit and debit entries to bank accounts and settle these entries. Common ACH credit transfers include the direct deposit of payroll and certain benefits payments. Direct debit transfers also may be made through the ACH network and include consumer payments for insurance premiums, mortgage loans, and other types of bills. In 2013, there were nearly 22 billion ACH transactions that transferred nearly $39 trillion in the United States.

Bank Board Resolution: An informal commitment adopted by a financial institution’s Board of Directors (often at the request of the FDIC) directing the institution’s personnel to take corrective action regarding specific noted deficiencies. A bank board resolution may also be used as a tool to strengthen and monitor the institution’s progress with regard to a particular component rating or activity.

Bank Secrecy Act (BSA): BSA (formally known as the Currency and Foreign Transactions Reporting Act of 1970—31 U.S.C. 5311-5330) was implemented to detect and prevent money laundering. This Act established requirements for record keeping and reporting by private individuals and financial institutions designed to help identify the source, volume, and movement of currency and other monetary instruments transported or transmitted into or out of the United States or deposited in financial institutions. BSA required individuals and financial institutions to file currency reports with the Department of the Treasury, properly identify persons conducting transactions, and keep appropriate records of financial transactions to enable law enforcement and regulatory agencies to pursue investigations of criminal, tax, and regulatory violations.

Cease and Desist Order: A formal order to stop a violation of law, rule, regulation, or unsafe or unsound practice and require affirmative action to correct any conditions resulting from the violation or practice. Cease and Desist Orders may be issued after notice and hearing or after stipulation by the institution. By ordering an institution to cease and desist from violations or practices and/or to take affirmative actions, the FDIC may prevent the institution’s problems from reaching such serious proportions as to require more severe corrective measures. Section 8(b) of the FDI Act authorizes the FDIC to issue Cease and Desist Orders.

Chargeback: The reversal of the dollar value (financial liability), in whole or in part, of a particular transaction by the card issuer to the acquirer, and usually by the merchant bank to the merchant.

Civil Money Penalty (CMP): A formal enforcement action that may be assessed for violations of final and temporary orders, written agreements with the FDIC, and laws and regulations; unsafe and unsound practices; and breaches of fiduciary duty. Section 8(i)(2) of the FDI Act authorizes the FDIC to issue CMPs.

Conference of State Bank Supervisors: A nationwide organization of banking regulators from all 50 states, the District of Columbia, Guam, Puerto Rico, and the United States Virgin Islands.

Consent Order: A formal enforcement action issued by a financial institution regulator to a bank or affiliated party to stop an unsafe or unsound practice or violation. All parties agree to the terms of a consent order. A consent order may be terminated by a regulator when it has determined that the bank’s condition has significantly improved and the action is no longer needed or the bank has materially complied with its terms.

Debt Indicator: An acknowledgement that the IRS previously sent to tax preparers who electronically submitted a client’s tax return, which shows whether the taxpayer will have any portion of the refund offset for delinquent tax or other debts such as unpaid child support or delinquent federally funded student loans. Tax preparers use the debt indicator as an underwriting tool for RALs. The IRS stopped sending this acknowledgment to tax preparers in 2011.

Deposit Advance Product: Small-dollar, short-term advances that some institutions offer to customers that maintain a deposit account, reloadable prepaid card, or similar deposit-related vehicle at a bank. After receiving an advance, a customer repays it from the proceeds of his/her next direct deposit. Deposit advance products can have similar characteristics to payday loans, such as high fees, short lump-sum repayment terms, and inadequate attention to the consumer’s ability to repay.

Equal Credit Opportunity Act (ECOA): ECOA (15 U.S.C. § 1691 et seq.) prohibits certain discriminatory practices, including creditor practices that discriminate based on race, color, religion, national origin, sex, marital status, or age.

Fair Debt Collection Practices Act (FDCPA): FDCPA (15 U.S.C. § 1692-1692p) was enacted in 1977 and was designed to eliminate abusive, deceptive, and unfair debt collection practices. It applies only to the collection of debt incurred by a consumer primarily for personal, family, or household purposes. The FDCPA covers such activities as communication with the debtor, validation of the debt, and application of payments received.

Federal Deposit Insurance (FDI) Act: A statute enacted on September 21, 1950 that governs the FDIC (12 U.S.C. § 1811 et seq.).

Federal Financial Institutions Examination Council (FFIEC): The FFIEC is a formal interagency body empowered to: (1) prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the FDIC, FRB, CFPB, OCC, and National Credit Union Administration and (2) make recommendations to promote uniformity in the supervision of financial institutions.

Federal Trade Commission Act (FTC Act): The FTC Act (15 U.S.C. §§ 41-58, as amended) empowers the Federal Trade Commission to, among other things, prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.

Formal Action: A Notice or order issued by the FDIC against an insured financial institution and/or individual respondent. The purpose of a formal action is to correct noted safety and soundness deficiencies, ensure compliance with federal and state banking laws, assess civil money penalties, and/or pursue removal or prohibition proceedings. Formal actions are legally enforceable and final orders are available to the public after issuance.

Higher-risk Activities: The FDIC described these activities as those that have been understood by industry and financial regulators as activities that may be subject to complex or varying legal and regulatory environments, such as activities that may:

- be legal only in certain states;

- be prohibited for certain consumers, such as minors;

- be subject to varying state and federal licensing and reporting regimes; or

- tend to display a higher incidence of consumer complaints, returns, or chargebacks.

Because these risks may be posed directly by bank customers, or indirectly through relationships established by bank customers with other parties (merchants, for example), banks have enhanced their customer due diligence policies and processes to better protect against harm. Harm to a bank can range from operating losses attributable to unanticipated consumer reimbursements that were not properly reserved for, to civil or criminal actions for facilitation of violations of law.

Informal Action: A voluntary commitment made by an institution’s Board of Directors that is designed to correct noted safety and soundness deficiencies or ensure compliance with federal and state laws. Informal actions are neither publicly available nor legally enforceable.

The FDIC may initiate informal action when a financial institution is found to be in a marginally unsatisfactory condition or to address specific concerns. Although an informal action is not legally enforceable and viewed as a voluntary corrective administrative action, it represents an alternative to formal action when moral suasion will not, by itself, accomplish the FDIC’s goal of correcting identified deficiencies in an institution’s operations.

An informal action is particularly appropriate when the FDIC has communicated with bank management regarding deficiencies and determined that the institution’s managers and BOD are committed to and capable of effecting correction with some direction, but without initiating a formal action.

Examples of informal actions include bank board resolutions, memoranda of understanding, and supervisory letters.

Memorandum of Understanding: A Memorandum of Understanding is an informal agreement between the institution and the FDIC, which is signed by both parties. A State Authority may also be party to the agreement. MOUs are designed to address and correct identified weaknesses in an institution’s condition.

Moral Suasion: The FDIC does not have a formal definition of moral suasion. Based on FDIC manuals, moral suasion is a process used by FDIC examiners involving reason to persuade financial institution management to correct an identified deficiency in an institution’s operations, unacceptable risk level, or unacceptable risk management practice without imposing an informal or formal enforcement action.

Payday Loan: A small-dollar, short-term, unsecured loan that borrowers promise to repay out of their next paycheck or regular income payment (such as a social security check). Payday loans are usually priced at a fixed dollar fee, which represents the finance charge to the borrower. Because payday loans have short terms to maturity, the cost of borrowing, expressed as an annual percentage rate, can be very high. Most payday loans are from $250 - $700.

Refund Anticipation Check: An amount of money that is limited to the size of a taxpayer’s refund less applicable fees that a financial institution sends to a customer via direct deposit, prepaid card, or bank check. A refund anticipation check allows the consumer to pay for tax preparation fees out of the tax refund and not up front. This product may also be referred to as a refund transfer.

Refund Anticipation Loan (RAL): A short-term loan product secured by a consumer’s expected income tax refund and offered by financial institutions through third-party tax preparers.

This product enables consumers to receive their income tax refund the same day they file their return, or shortly thereafter, less the cost of tax preparation and interest and fees for the loan.

Removal, Prohibition, or Suspension Action: Formal enforcement actions issued by a financial regulator that result in the removal of IAPs from banking and prohibit them from participating in the affairs of any insured depository institution for a period of time that could include a life-time ban. These orders are designed to protect the banking industry and issued pursuant to section 8(e)(1) of the FDI Act.

Rent-a-Charter: An arrangement that allows a lender in one state to use the authority of an institution in another state to circumvent rate caps in the lender’s state, in exchange for a fee. As a result, the lender is permitted to charge its customers higher interest rates permitted in the state where the institution is located.

Reputation Risk: The risk that potential negative publicity regarding a financial institution’s business practices could cause a decline in the customer base, costly litigation, or revenue reductions. Many risks confronting financial institutions carry an inherent element of reputation risk.

Consistent with the Uniform Financial Institutions Rating System (UFIRS), reputation risk is one of a number of enumerated factors FDIC examiners consider in assessing a financial institution's safety and soundness. The UFIRS explicitly addresses reputation risk in the following two CAMELS component definitions:

- Asset Quality: The Asset Quality component definition includes consideration of “[a]ll other risks that may affect the value or marketability of an institution's assets, including, but not limited to, operating market, reputation, strategic, or compliance risks...”

- Management: The component states in part: “[d]epending on the nature and scope of an institution's activities, management practices may need to address some or all of the following risks: credit, market, operating or transaction, reputation, strategic, compliance, legal, liquidity, and other risks.”

Return: A return or ACH return is an ACH entry that has been rejected by a receiving financial institution because it cannot be posted due to things such as non-sufficient funds or an account closure.

Suspicious Activity Report: A report made by an institution to FinCEN, an agency of the Department of the Treasury, regarding suspicious or potentially suspicious activity. An institution is required to file a suspicious activity report when it detects a known or suspected criminal violation of federal law or a suspicious transaction related to money laundering or a violation of the Bank Secrecy Act.

Third-Party Payment Processor (TPPP): Financial institution customers that provide payment processing services to merchant clients and other business entities. TPPPs often use their commercial bank accounts to process these payments. TPPPs may offer merchants a variety of alternatives for accepting payments, including credit and debit card transactions, traditional check acceptance, or ACH debits.

Truth in Lending Act (TILA): Contained in Title I of the Consumer Credit Protection Act, the Truth in Lending Act requires meaningful disclosure of credit and leasing terms (15 U.S.C. §§ 1601-1667f).

Uniform Financial Institutions Rating System (UFIRS): The FFIEC established the UFIRS in 1979 to evaluate the soundness of financial institutions on a uniform basis and identify those institutions raising concern or requiring special attention. The FFIEC updated the UFIRS to reflect changes in the banking industry, with the most recent version adopted in 1996. The UFIRS defines the six component ratings for Capital, Asset Quality, Management, Earnings, Liquidity, and Sensitivity to Market Risk, referred to as CAMELS.

USA PATRIOT Act The USA PATRIOT Act (formally known as the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001—Public law 107-56) was signed into law on October 26, 2001, in response to the September 11, 2001, terrorist attacks.

This Act criminalized the financing of terrorism and augmented the existing BSA framework by strengthening customer identification procedures; prohibiting financial institutions from engaging in business with foreign shell banks; requiring financial institutions to have due diligence procedures and, in some cases, enhanced due diligence procedures for foreign correspondent and private banking accounts; and improving information sharing between financial institutions and the U.S. government. The Act also increased the civil and criminal penalties for money laundering, facilitated records access by requiring financial institutions to respond to regulatory requests for information within 120 hours, and required regulatory agencies to consider a financial institution’s AML record when reviewing applications for business combinations.

[End of Appendix 2]

Appendix 3 Acronyms and Abbreviations

Acronym: Explanation
ACH: Automated Clearing House
ACP: Alternative Credit Product
AML: Anti-Money Laundering
BBB: Better Business Bureau
BSA: Bank Secrecy Act
CAMELS: Capital, Asset Quality, Management, Earnings, Liquidity, and Sensitivity to Market Risk
CDD: Customer Due Diligence
CEO: Chief Executive Officer
CFO: Chief Financial Officer
CFPB: Consumer Financial Protection Bureau
C.F.R.: Code of Federal Regulations
CMP: Civil Money Penalty
CRA: Community Reinvestment Act
D.C.: District of Columbia
DCP: Division of Depositor and Consumer Protection
DOJ or Department: United States Department of Justice
DSC: Division of Supervision and Consumer Protection
ECOA: Equal Credit Opportunity Act
ERO: Electronic Refund Originator
FDCPA: Fair Debt Collection Practices Act
FDI Act: Federal Deposit Insurance Act
FDIC: Federal Deposit Insurance Corporation
FFIEC: Federal Financial Institutions Examination Council
FIL: Financial Institution Letter
FinCEN: Financial Crimes Enforcement Network
FOS: Field Office Supervisor
FRB: Board of Governors of the Federal Reserve System
FTC: Federal Trade Commission
IRS: Internal Revenue Service
IT: Information Technology
Members: Members of Congress
MOU: Memorandum of Understanding
OCC: Office of the Comptroller of the Currency
OIG: Office of Inspector General
OO: Office of the Ombudsman
OPR: Office of Professional Responsibility (a DOJ office)
RAL: Refund Anticipation Loan
RMS: Division of Risk Management Supervision
TILA: Truth in Lending Act
TPPP: Third-Party Payment Processor
UFIRS: Uniform Financial Institutions Rating System
U.S.C.: United States Code

[End of Appendix 3]

Appendix 4 Corporation Comments

[FDIC letterhead, Federal Deposit Insurance Corporation, Division of Risk Management Supervision, 550 17th Street NW, Washington, D.C., 20429-9990]

DATE: September 10, 2015

MEMORANDUM TO: Mark F. Mulholland
Assistant Inspector General for Audits, Office of Inspector General

FROM: Doreen R. Eberley /Signed/
Director, Division of Risk Management Supervision

SUBJECT: Response to the Draft Audit Report Entitled, The FDIC’s Role in Operation Choke Point and Supervisory Approach to Institutions that Conducted Business with Merchants Associated with High-Risk Activities (Assignment No. 2015-010)

Thank you for the opportunity to comment on behalf of the FDIC on the Office of Inspector General (OIG) draft report, The FDIC’s Role in Operation Choke Point and Supervisory Approach to Institutions that Conducted Business with Merchants Associated with High-Risk Activities (Report). We appreciate the extensive work done by the OIG on this matter.

The Federal Deposit Insurance Corporation (FDIC) welcomes confirmation from an independent review that the FDIC did not participate in the development, coordination, or execution of the Department of Justice (DOJ) initiative Operation Choke Point; that the FDIC did not use the so-called high-risk list to target financial institutions; and that the FDIC has acted within its supervisory authorities. As the Report acknowledges, the FDIC has taken a number of steps to reinforce to agency staff, banks, and others that the FDIC neither prohibits nor discourages banks from providing banking services to entire categories of merchants. The FDIC will continue to reinforce this policy going forward.

Summary of Findings

The OIG’s Report finds the FDIC’s involvement with Operation Choke Point “to have been inconsequential to the overall direction and outcome of the initiative.” The Report also finds that the limited communications with the DOJ were related to the FDIC’s responsibility to understand and consider the implications of potential illegal activity involving FDIC-supervised institutions.

In reaching the determination that the FDIC’s involvement with Operation Choke Point was inconsequential, the OIG also found that:

• The FDIC did not participate in the development of Operation Choke Point.
• The FDIC did not coordinate with DOJ to assemble evidence of proof of fraudulent activity by FDIC-supervised institutions.
• The FDIC did not identify institutions to receive subpoenas from DOJ.
• DOJ did not notify the FDIC which financial institutions received subpoenas.
• DOJ did not discuss with the FDIC the inclusion of supervisory guidance with its subpoenas.
• The FDIC never detailed any employee to DOJ to work on Operation Choke Point.
• Senior FDIC officials had no discussions with DOJ regarding Operation Choke Point.
• The FDIC’s approach to financial institutions that conducted business with merchants on the high-risk list was within the FDIC’s authorities granted under the Federal Deposit Insurance Act and other relevant statutes and regulations.

As we have previously stated, and as the OIG Report confirms, the FDIC’s communications with DOJ consisted of responding to requests from DOJ officials about FDIC-supervised institutions that DOJ was investigating, responding to DOJ inquiries about potential remedies in the event illegal activity was associated with those institutions, and reviewing documents obtained by DOJ in the course of its investigative activities.

Similarly, regarding the development and intent of the list of high-risk activities that had been included in a 2011 article in the FDIC journal Supervisory Insights (SIJ) and regulatory guidance, the OIG found:

• No evidence that the FDIC used the high-risk list to target financial institutions.
• Both the SIJ article and the guidance were developed prior to the inception of Operation Choke Point and were not a principal factor in the initiative’s implementation.
• The high-risk list was consistent with similar lists maintained by private-sector companies in the payments industry, as well as preexisting interagency guidance.
• The focus of FDIC and Federal Financial Institutions Examination Council training materials was on the risks associated with third-party payment processor deposit accounts and how institutions should manage those risks.
• The training materials contained no indications that examiners were encouraged to pressure financial institutions to decline banking services to merchants based on the category of their business.

Further, among the financial institutions it reviewed, the OIG found:

• No instances in which the FDIC pressured an institution to terminate an existing customer relationship with a firearms or ammunition retailer, pawnbroker, or tobacco retailer.
• No instances, beyond one previously identified instance involving a payday lender, in which the FDIC discouraged an institution from providing banking services to a merchant on the high-risk list.

Finally, we note that the OIG determined that none of the five individuals who were the subject of the requested review played a role in the development or implementation of Operation Choke Point. In addition, the OIG concluded that the supervisory approach of the five individuals did not involve personal, political, or moral agendas aimed at forcing lawful businesses on the high-risk list out of the banking sector. The OIG Report did identify instances in which there appeared to us to be some confusion by FDIC employees about which supervisory standards to apply to specific types of activities involving payday lenders and FDIC-supervised financial institutions, and we have taken steps to clarify the standards.

Banks Making Payday Loans

As the Report notes, the FDIC and other federal banking agencies have longstanding safety and soundness and consumer protection concerns and guidance for banks making payday or payday-like loans because of the significant risks of payday lending.1 FDIC guidance for banks making payday loans describes payday lending as being among the highest risk subsets of subprime lending, and expects banks to maintain significantly higher levels of capital to offset the credit risk. Payday loans pose substantial credit risk to a bank because borrowers who obtain payday loans generally have cash flow difficulties, the loans are unsecured, and underwriting analysis of the borrower’s ability to repay is generally limited. Consequently, the FDIC issued guidance more than a decade ago establishing the FDIC’s expectations for prudent risk-management practices, both safety and soundness and consumer protection, for banks making payday loans, and warning that serious deficiencies in risk-management practices may result in instruction to discontinue payday lending. These supervisory expectations are consistent with longstanding FDIC emphasis on sound risk management of lending activities more generally. Sound management of credit risk by FDIC-insured institutions is of fundamental importance in minimizing costs to the Deposit Insurance Fund and, relatedly, the deposit insurance assessments paid by all insured institutions.

Footnote 1: FDIC Guidelines for Payday Lending, July 2, 2003, https://www.fdic.gov/news/news/press/2003/pr7003.html; FDIC Revised Guidelines for Payday Lending, March 2, 2005, https://www.fdic.gov/news/news/press/2005/pr1905.html; OCC website discussion of payday lending, http://www.occ.gov/topics/consumer-protection/payday-lending/index-payday-lending.html; OCC Advisory Letter on Payday Lending, November 27, 2000, http://occ.gov/static/news-issuances/memos-advisory-letters/2000/advisory-letter-2000-10.pdf; Federal Reserve Board, Proposed revisions to official staff commentary to Regulation Z, November 5, 1999, http://www.federalreserve.gov/boarddocs/press/boardacts/1999/199911033/R-1050.pdf

The FDIC has applied this same supervisory approach to banks offering or considering making loans with similar characteristics, such as deposit advance loans or refund anticipation loans. The same supervisory approach has also been applied in instances in which banks facilitate their payday lending activities through third parties that originate loans on behalf of the bank, so-called rent-a-charter arrangements, designed to avoid the application of state usury laws.

The FDIC’s guidance on payday lending applies only to banks making payday loans and circumstances in which the activities facilitate payday lending by the bank. It does not apply to banks making loans to non-bank payday lenders or to banks offering deposit account services to non-bank payday lenders, even if these activities facilitate payday lending activities.

Banks Offering Deposit Accounts to Non-Bank Payday Lenders

A different set of rules and guidance applies to deposit accounts offered by banks to non-bank payday lenders. Banks offer deposit accounts to non-bank payday lenders directly and indirectly through third-party payment processors (TPPPs) and other third-party arrangements. These deposit accounts are then used to process payday loan proceeds and repayments, typically through automated clearing house (ACH) and privately owned automated teller machine (ATM) transactions. The Federal Financial Institutions Examination Council (FFIEC)2 Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Manual describes TPPP, ACH, and ATM as higher-risk products and services and provides banks with specific guidelines to mitigate the risk of offering them.3 Parts 326 and 353 of the FDIC rules and regulations implement the BSA and the suspicious activity reporting statutes.4 The FDIC and other agencies have also issued additional guidance about how to mitigate the risk of offering deposit accounts to TPPPs.5

Footnote 2: The FFIEC was established in March 1979 to prescribe uniform principles, standards, and report forms and to promote uniformity in the supervision of financial institutions. It also conducts schools for examiners employed by the five federal member agencies represented on the FFIEC and makes those schools available to employees of state agencies that supervise financial institutions. The Council consists of the following six voting members: a member of the Board of Governors of the Federal Reserve System; the Chairman of the Federal Deposit Insurance Corporation; the Director of the Consumer Financial Protection Bureau; the Comptroller of the Currency; the Chairman of the National Credit Union Administration; and the Chairman of the State Liaison Committee.

Footnote 3: FFIEC BSA/AML Manual, December 2, 2014 (most recent update to original June 30, 2005 and updated April 29, 2010 releases), http://www.ffiec.gov/bsa_aml_infobase/default.htm, see BSA/AML Risk Assessment Overview Section, Subheading Products and Services; Third Party Payment Processors – Overview; Examination Procedures – Third Party Payment Processors; Electronic Banking – Overview; Examination Procedures – Electronic Banking; Automated Clearing House Transactions – Overview; Examination Procedures – Automated Clearing House Transactions; Privately Owned Automated Teller Machines – Overview; and Examination Procedures – Privately Owned Automated Teller Machines.

Footnote 4: See FDIC rules and regulations: Bank Secrecy Act Compliance, https://www.fdic.gov/regulations/laws/rules/2000-4900.html#fdic2000part326.8; and Suspicious Activity Reports, https://www.fdic.gov/regulations/laws/rules/2000-7500.html

Footnote 5: See Federal Reserve, SR-93-64 (FIS), Interagency Advisory, Credit Card-Related Merchant Activities http://www.federalreserve.gov/boarddocs/srletters/1993/SR9364.HTM, November 18, 1993; FDIC Credit Card Activities Manual, http://www.fdic.gov/regulations/examinations/credit_card/index.html, June 12, 2007; FDIC Financial Institution Letter, FIL-127-2008, Guidance on Payment Processor Relationships, issued November 7, 2008, https://www.fdic.gov/news/news/financial/2008/fil08127.html; and OCC Bulletin 2008-12, Payment Processors - Risk Management Guidance, issued April 24, 2008, http://www.occ.gov/news-issuances/bulletins/2008/bulletin-2008-12.html; and FDIC Financial Institution Letter, FIL-3-2012, Payment Processor Relationships, Revised Guidance, issued January 2012. https://www.fdic.gov/news/news/financial/2012/fil12003.html

ACH activity is further governed by the FFIEC Information Technology Handbook, in the Retail Payment Systems Booklet.6 The Booklet advises banks that ACH operations pose a variety of risks including credit, liquidity, and operational risk. The Booklet also describes the expectations of the National Automated Clearing House Association – NACHA – (the national association that establishes the rules and procedures governing the exchange of ACH payments) and the national ACH operators (the Federal Reserve banks and the Electronic Payments Network) that banks will manage these risks, particularly when they engage in riskier ACH activities.

Footnote 6: FFIEC Information Technology Handbook, http://ithandbook.ffiec.gov/it-booklets.aspx, see Retail Payment Systems Booklet, February 25, 2010, (update to March, 2004 release).

Since 2008, the FDIC has identified a number of instances of banks offering deposit accounts to TPPPs without adopting the necessary mitigating controls described in the FFIEC BSA/AML Manual and the agency guidance on TPPP relationships. In situations in which the deficiencies were significant, the FDIC issued formal enforcement actions known as Orders to Cease and Desist or Consent Orders, in some cases directing the banks to exit TPPP relationships. Since 2008, the FDIC has issued 12 formal enforcement actions related to poor controls over TPPP relationships, eight of which directed the banks to exit TPPP relationships until such time as they could demonstrate a satisfactory control environment. These orders were not related to the type of merchant being serviced by the third-party payment processor, but rather to the banks’ inadequate due diligence, controls, and ongoing monitoring for this higher-risk deposit product. In the case of at least two of the institutions, some of the terminated TPPP relationships included non-bank payday lenders in their merchant base, and as a result, these merchants had to seek alternate deposit account services.

Misapplication of the Guidance for Banks Making Payday Loans

We note that the OIG Report describes two instances in which the FDIC’s guidance on payday lending by banks was misapplied to banks that were offering or contemplating offering deposit accounts to non-bank payday lenders. Other OIG interviews revealed a belief among some FDIC staff that the FDIC’s guidance on payday lending by banks should be applied to a deposit relationship that may facilitate payday lending. It is this apparent misunderstanding – that the FDIC’s guidance on payday lending by banks also applied to banks offering deposit accounts to non-bank payday lenders – as well as the potential for confusion about the high-risk list in general, that the FDIC has sought to address in additional guidance and training since September 2013. These actions are intended to promote a common understanding and consistent implementation of the FDIC’s supervisory approach and to ensure that the appropriate guidance is applied in the appropriate circumstance.

FDIC Actions to Clarify Supervisory Guidance

Toward that end, the FDIC issued guidance in September 2013 that made clear to FDIC staff and the financial industry that although facilitating payment processing for certain customers can pose risks to financial institutions, institutions that properly manage these relationships and risk are neither prohibited nor discouraged from providing payment processing services to customers operating in compliance with applicable law.7 We also have made clear that institutions that properly manage these relationships will not be criticized for providing payment processing services to customers operating in compliance with applicable law. In July 2014, the FDIC reiterated this policy to its staff and the industry and also sought to address any misperceptions about the high-risk list by removing the lists of merchant categories from previously issued guidance.8

Footnote 7: https://www.fdic.gov/news/news/financial/2013/fil13043.html

Footnote 8: https://www.fdic.gov/news/news/financial/2014/fil14041.html

In January 2015, the FDIC issued guidance encouraging institutions to take a risk-based approach in assessing individual customer relationships, rather than declining to provide banking services to entire categories of customers.9 The FDIC also made clear that isolated or technical violations, which are limited instances of noncompliance with the BSA that occur within an otherwise adequate system of policies, procedures, and processes, generally do not prompt serious regulatory concern or reflect negatively on management’s supervision or commitment to BSA compliance. The guidance also provided notice that any FDIC-supervised institution concerned that FDIC personnel are not following the policies laid out in the statement may contact either the FDIC’s Office of the Ombudsman through a dedicated toll-free number or email address or the FDIC OIG through its Web site, telephone number or email address.

Footnote 9: https://www.fdic.gov/news/news/financial/2015/fil15005.html

Recommendations

The OIG Report notes that it is too soon to determine the effectiveness of the FDIC’s actions to clarify its supervisory guidance and states that the actions FDIC has taken focus on deposit accounts and do not explicitly address other banking products, such as credit products. The OIG recommends that the FDIC:

1. “Review and clarify, as appropriate, existing policy and guidance pertaining to the provision and termination of banking services to ensure it adequately addresses banking products other than deposit accounts, such as credit products.”

The FDIC concurs with this recommendation and agrees that a sustained effort to communicate with its staff and the industry is important to address any potential confusion about appropriate supervisory standards and to ensure a common understanding and sustained application of the FDIC’s approach. We are committed to continuing to communicate to staff and the industry on the distinctions between the standards applicable to credit products, including payday loans, offered by banks and those applicable to other banking services. In addition to the actions already implemented, we plan to update our guidance on payday lending by banks before October 31, 2015, to clarify that it does not apply to banks offering deposit accounts or extending credit to payday lenders.

2. “Assess the effectiveness of the FDIC’s supervisory policy and approach with respect to the issues and risks discussed in this report after a reasonable period of time is allowed for implementation.”

The FDIC concurs with this recommendation. The FDIC reviews the effectiveness and clarity of our policies on an ongoing basis through our regular examination and supervision processes, supervisory personnel meetings and engagement (including periodic “all-hands” meetings with examiners and quarterly Policy Calls), and industry and other stakeholder outreach. Additionally, we have instituted a program of regular reviews of regional office implementation of and adherence to outstanding supervisory policies and guidance.

To assess the effectiveness of the actions we have taken with respect to the issues and risks discussed in the report, our Internal Control and Review Section will undertake a horizontal review of each region’s compliance with the actions, to be completed by the third quarter of 2016, in order to allow sufficient time to elapse for implementation. Additionally, the Internal Control and Review Section will incorporate compliance with our actions in their regularly scheduled regional office reviews. In the interim, each region will continue to provide quarterly reports regarding account terminations pursuant to the internal policy we adopted in January 2015, which is described in more detail below. These reports are shared with the FDIC Board of Directors each quarter, to ensure proper oversight. The FDIC will also continue to highlight the January 2015 guidance in regular outreach events and monitor inquiries and comments received through the FDIC’s Office of the Ombudsman and respond as appropriate.

The OIG Report also recommends that the FDIC focus attention on the use of moral suasion in the supervisory process.10 Specifically, the OIG recommends the FDIC:

Footnote 10: The term “moral suasion” has been used in the FDIC’s Manual of Examination Policies since 1982. See also, http://www.occ.gov/publications/publications-by-type/other-publications-reports/prbbnkgd.pdf; http://www.federalreserve.gov/boardDocs/Speeches/2005/20050106/default.htm; and http://www.oxfordreference.com/view/10.1093/oi/authority.20110810105427712

3. “Review and clarify, as appropriate, existing supervisory policy and guidance to ensure it adequately defines moral suasion in terms of the types and circumstances under which it is used to address supervisory concerns, whether it is subject to sufficient scrutiny and oversight, and whether meaningful remedies exist should moral suasion be misused.”

The FDIC concurs with this recommendation. The FDIC agrees that clarity in its supervisory policies and procedures is essential to consistent understanding and application. Given the questions raised by the OIG about the adequacy of the definition of moral suasion, we intend to reissue the Risk Management Manual of Examination Policies and the Formal and Informal Actions Procedures Manual by December 31, 2015. In the updated Manuals, we will replace the term moral suasion with a description of the informal communication that is intended to help mitigate practices that could cause a bank to experience financial or other difficulties.

The ability for examiners and supervised institutions to engage in informal discussion is a vital and longstanding part of the examination process. Bankers frequently see their examiners as a source of expertise and information, especially with regard to new or developing issues. These informal discussions can provide valuable assistance to banks, especially small community banks that otherwise might need to contract for similar assistance, and identify and address issues before they become a problem for the bank or require a formal enforcement action.

We also recognize that some discussions between examiners and a bank should be more formal. In particular, formal communication should be required in situations in which the FDIC staff recommends or requires a bank to terminate particular relationships. In January 2015, the FDIC established an internal policy for documenting and reporting instances in which FDIC staff recommend or require a bank to terminate customer deposit account relationships and for documenting criticisms of a bank’s management or mitigation of risk associated with deposit accounts. The policy states that:

• Recommendations or requirements for termination of deposit accounts should not be made through informal suggestions.
• Recommendations or requirements for terminating deposit accounts must be made in writing and must be approved by regional management before being provided to and discussed with the bank’s management and board of directors.
• Recommendations may not be based solely on reputation risk.
• Criticisms of a bank’s management or mitigation of risk associated with deposit accounts that do not rise to a level requiring termination should not be made through informal suggestions and must be made in writing in a report of examination.
• Before such findings may be included in the report of examination or supervisory actions are pursued, the findings must be thoroughly vetted with regional office and legal staff.
• In each case, the recommendations of the examiner in charge should include the supervisory basis for recommending or requiring account termination, including any specific laws or regulations the examiner believes are being violated, if applicable.

The policy additionally establishes an FDIC Board-level reporting mechanism to ensure appropriate oversight. Further, as previously noted, the FDIC has also provided notice that any FDIC-supervised institution concerned that FDIC personnel are not following the policies laid out in the January 2015 Statement may contact either the FDIC’s Office of the Ombudsman through a dedicated toll-free number or email address or the FDIC OIG through its Web site, telephone number or email address.11

Footnote 11: https://www.fdic.gov/news/news/financial/2015/fil15005.html

Observations

The Report contains an observation on the FDIC’s supervisory approach in early 2011 to financial institutions that offered a credit product known as a refund anticipation loan (RAL). The OIG concluded that the supervisory actions taken with respect to institutions that offered RALs fell within the FDIC’s broad statutory authorities. However, the OIG also stated its belief that the execution of supervisory actions by FDIC management and staff warranted further review, and advised that the OIG is conducting additional work in this area. We look forward to receiving the results of that review, and will address the results at that time.

Closing

Again, we appreciate the thoroughness of the OIG’s review of this matter. We look forward to addressing any remaining concerns.



[End of Appendix 4]

Appendix 5 Summary of the Corporation’s Corrective Actions

This table presents corrective actions taken or planned by the Corporation in response to the recommendations in the report and the status of the recommendations as of the date of report issuance.

Row 1
Rec. No.: 1
Corrective Action, Taken or Planned: The FDIC will continue to communicate to its staff and the banking industry the distinctions between the supervisory standards applicable to credit products, including payday loans, offered by banks and those applicable to other banking services. In addition to other actions it has already taken, the FDIC will update its guidance on payday lending by banks to clarify that the guidance does not apply to banks offering deposit accounts or extending credit to payday lenders.
Expected Completion Date: 10/31/15
Monetary Benefits: $0
Resolved [a], Yes or No: Yes
Open or Closed [b]: Open

Row 2
Rec. No.: 2
Corrective Action, Taken or Planned: RMS’ Internal Control and Review section will conduct horizontal and regional office reviews to assess compliance with the FDIC’s actions to address the issues discussed in the report. The FDIC will also continue to report to the Board on deposit account terminations; highlight supervisory guidance in outreach events; and monitor inquiries and comments from the OO.
Expected Completion Date: 9/30/16
Monetary Benefits: $0
Resolved [a], Yes or No: Yes
Open or Closed [b]: Open

Row 3
Rec. No.: 3
Corrective Action, Taken or Planned: The FDIC will revise its written examination guidance by replacing the term moral suasion with a description of the informal communication that FDIC personnel can use to help mitigate practices that could cause a bank to experience financial or other difficulties.
Expected Completion Date: 12/31/15
Monetary Benefits: $0
Resolved [a], Yes or No: Yes
Open or Closed [b]: Open

[a] Resolved – (1) Management concurs with the recommendation, and the planned, ongoing, and completed corrective action is consistent with the recommendation. (2) Management does not concur with the recommendation, but alternative action meets the intent of the recommendation. (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as management provides an amount.

[b] Recommendations will be closed when (a) Corporate Management Control notifies the OIG that corrective actions are complete or (b) in the case of recommendations that the OIG determines to be significant, when the OIG confirms that corrective actions have been completed and are responsive.

[End of table] [End of Appendix 5] [End of report]
