InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
IOSCO publishes nine recommendations on decentralized finance
On December 19, 2023, the International Organization of Securities Commissions (IOSCO) published a report on decentralized finance to address market integrity and investor protection. The report includes nine policy recommendations for decentralized financial regulators to follow. Decentralized finance structures include financial products and arrangements that use a distributed ledger or blockchain technology. IOSCO’s policy recommendations on decentralized finance complement a similar report on crypto and digital asset markets, as written about on InfoBytes, here. The policy recommendations are as follows: (i) regulators should analyze decentralized finance products, services, and activities in its jurisdiction; (ii) regulators should identify the persons or entities that could be subject to its regulatory framework; (iii) regulators should use frameworks to regulate and address risks arising from decentralized finance consistent with IOSCO standards; (iv) regulators should require responsible persons to address conflicts of interest; (v) regulators should require responsible persons to address material risks, including operational and technological ones; (vi) regulators should require responsible persons to disclose information clearly to users and investors; (vii) regulators should apply comprehensive powers to decentralized financial services to detect and enforce violations under law; (viii) regulators should cooperate and share information with other regulators and authorities; and (ix) regulators should seek to understand how decentralized finance products are linked to the crypto-asset market as well as traditional finance markets. The final section of the report summarized the feedback garnered from 45 stakeholders on eight categories.
FTC sues for-profit university for deceptive and illegal practices
On December 27, 2023, the FTC filed a suit in the U.S. District Court of Arizona against a for-profit university for allegedly deceiving students, misrepresenting the university as a nonprofit entity, and committing telemarking abuses. The FTC sued under the FTC Act and Telemarketing Sales Rule (TSR). The complaint alleges that the university in question is a for-profit institution operating as a publicly traded entity, but nonetheless marketed itself as a “nonprofit” university. The complaint further alleges that the university misled students about the cost of its “accelerated” doctoral programs and used abusive telemarketing calls to try to boost enrollment. According to the FTC, the university called those who requested not to be called by the university, as well as consumers on the National Do Not Call Registry. The FTC asserts five claims against the university. The first two counts allege violations of Section 5(a) of the FTC Act for deceptive representations about its non-profit status and for falsely advertising its doctoral programs. The last three counts allege violations of the TSR predicated on deceptive telemarketing acts or practices, contacting those who have requested to not be contacted, and calling people on the National Do Not Call Registry.
FCC adopts updated data breach notification rules
On December 21, 2023, the FCC announced it adopted an updated data breach notifications rule. The rule was formerly designed to protect consumers against pretexting, “a practice in which a scammer pretends to be a particular customer or other authorized person to obtain access to that customer’s call detail or other private communications records.” As previously covered by InfoBytes, the FCC promulgated its notice of proposed rulemaking in January 2023. The rule has been updated to expand the data breach notification requirements to, among other things: (i) cover different categories of personally identifiable information that carriers hold; (ii) expand the definition of “breach” to cover unintended disclosures of consumer information, except in situations where such information is obtained in good faith by an employee or representative of a carrier or telecommunications relay service (“TRS”) provider, and where there’s no improper use or further disclosure of that information; (iii) require TRS providers and carriers to notify the FCC, FBI, and U.S. Secret Service as soon as practicable and no later than seven business days after the reasonable determination of a breach; (iv) no longer require TRS providers and carriers to notify consumers of a data breach if they reasonably determine no harm to consumers is reasonably likely; and (v) no longer require carriers to follow a mandatory waiting period to notify consumers of a breach. FCC Chairwoman Jessica Rosenworcel said in her statement that the update to the data breach policy is the first in 16 years and that under the Communications Act, “carriers have a duty to protect the privacy and security of consumer data.” The rule was adopted on December 13, 2023.
FDIC issues advisory on managing commercial real estate concentrations
On December 18, the FDIC issued an advisory to institutions with commercial real estate (CRE) concentrations. The advisory, among other things, reminds insured state non-member banks and savings associations (FDIC-supervised institutions) of the importance of “strong capital, appropriate credit loss allowance levels, and robust credit risk-management practices” when managing CRE concentrations. The advisory notes that “[r]ecent weaknesses in the economic environment and fundamentals related to various CRE sectors have increased the FDIC’s overall concern for state nonmember institutions with concentrations of CRE loans.” The FDIC said that “CRE investment property capitalization rates have not kept pace with recent rapid increases in long-term interest rates, which leads to concerns about general over-valuation of underlying collateral.” For institutions with concentrated CRE exposures, the agency “strongly recommended” that “as market conditions warrant, institutions with CRE concentrations (particularly in office lending) increase capital to provide ample protection from unexpected losses if market conditions deteriorate further.” The agency also outlined key risk-management measures for financial institutions with significant concentrations in CRE and real estate construction and development (C&D) to manage through changing market conditions: (i) “maintain strong capital levels;” (ii) “ensure that credit loss allowances are appropriate;” (iii) “manage C&D and CRE loan portfolios closely;” (iv) “maintain updated financial and analytical information;” (v) “bolster the loan workout infrastructure;” and (vi) “maintain adequate liquidity and diverse funding sources.”
NCUA to reinstate civil money penalties for late call reports
Recently, the National Credit Union Administration (NCUA) announced it will reinstate assessing civil money penalties for credit unions that fail to submit a call report (NCUA Form 5300) in a timely manner. The call report program was suspended after December 2019 during the Covid-19 pandemic. “The December 2023 Call Report will be the first reporting cycle under the reinstated program and will be due by 11:59:59 p.m. Eastern time, January 30, 2024.” The NCUA states it will send a reminder to credit unions with outstanding call reports a week before their deadline. The NCUA will also consider extenuating circumstances, including the size and good faith of the credit union, the gravity of the violation, the history of previous violations, and other matters like natural disasters or incapacitation of key employees.
Fed enters into written agreement with Ohio bank
On December 19, the Federal Reserve Board announced a written agreement with an Ohio state-chartered bank and its holding company to address certain deficiencies identified during a recent examination of the bank. Under the agreement, the bank and its holding company agreed to: (i) use the bank’s resources as a “source of strength”; (ii) submit a written plan to enhance board oversight and management; (iii) conduct a third-party assessment of the bank’s staff; (iv) submit an enhanced written investment policy that includes “periodic analysis of the investment portfolio, including, but not limited to the assessment of market risk, credit risk, interest rate risk, and liquidity risk of the underlying investments”; (v) improve the bank’s investment portfolio management and interest rate risk management practices; (vi) implement an enhanced liquidity risk management program; and (vii) submit a written plan regarding sufficient capital (among other corrective actions).
OCC issues cease-and-desist order to NY bank
On December 14, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals that are or were affiliated with such entities. Included is a cease-and-desist order against an upstate New York bank for allegedly engaging in unsafe or unsound practices, including on the bank’s corporate governance, capital planning, interest rate risk management, liquidity risk management, and reports of condition.
Under the order, the bank must appoint a compliance committee to take corrective action, submit a three-year strategic plan to establish objectives for the bank’s risk profile, earnings performance, growth, and balance sheet mix, among other areas, and maintain a capital ratio of at least 15 percent, a common equity tier 1 capital of at least equal to 14 percent, and a leverage ratio of at least ten percent. The order also requires the bank to create an interest rate risk program and a third-party risk management program.
FSB report addresses financial risk concerns with third-party relationships
On December 4, the Financial Stability Board (FSB) published a report titled “Enhancing Third-Party Risk Management and Oversight: A Toolkit for Financial Institutions and Financial Authorities,” as summarized in this press release. The report provides a toolkit that: (i) defines common terms to improve consistency among financial institutions, including “third-party service relationship,” “service provider,” and “critical service,” among others; (ii) outlines tools for financial institutions to identify critical third-party services and manage potential risks throughout the service lifecycle, onboarding and monitoring of service providers, and reporting incidents, among others; and (iii) outlines tools for financial authorities to manage third-party risks, including how to identify third-party dependencies and potential systemic risks. In preparing the report, the FSB received public feedback over the past summer regarding risk concerns stemming from outsourcing and third-party service relationships.
FTC announces settlement of charges against operators of alleged telemarketing training scheme
On December 11, the FTC issued a press release announcing proposed orders against the CEO and other related individuals and businesses of an income telemarketing training scheme. In connection with the settlement, the FTC filed a complaint in the U.S. District Court of the Middle District of Tennessee alleging violations of the FTC Act and the Telemarking and Consumer Fraud and Abuse Prevention Act. The FTC alleged that the defendants, a Tennessee-based group of companies, practiced deceptive and unlawful advertising, marketing, promotion, distribution, and selling of money-making and investment opportunities in offering a sales mentor program. The complaint alleges defendants performed these acts through several business entities via a telemarketing sales training and coaching program and through marketing practices on social media platforms. Since 2019, consumers paid more than $29 million to defendants for access to this sales training program.
The FTC filed two stipulated judgments for “permanent injunction, monetary judgment, and other reliefs.” The orders contain a total monetary judgment of $16.4 million. The stipulated orders also prohibit the defendants from: (i) making misleading earnings claims, so if the defendants make earnings claim in the future, they have to have a reasonable basis for those claims; and (ii) misrepresenting any sales of goods or services, including the description of the good or service, any past performance, any testimonials, any future predictions of profit earnings, among others. The defendants will also be required to turn over a total of $1 million to be used to refund harmed consumers, with one CEO ordered to pay $600,000 and the other defendants ordered to pay $400,000. All defendants neither admit nor deny any of the allegations in the complaint.
Freddie Mac standardizes down payment assistance programs
On December 4, Freddie Mac announced new, standardized mortgage documents aimed at of making down payment assistance (DPA) programs more accessible nationwide. According to Freddie Mac, the subordinate lien programs for DPA programs have been specific to particular housing finance agencies which created confusion. By standardizing these documents, Freddie Mac hopes to benefit lenders by making DPA programs more efficient.
To create the standardized documents, Freddie Mac partnered with Fannie Mae and state housing finance agencies. These documents will initially be available for 19 states, and eventually for all 50 states and the District of Columbia. These changes come in tandem with Freddie Mac’s new tool, DPA One®, to aggregate and showcase down payment assistance programs on a single platform.