Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
NYDFS’ cybersecurity FAQs provide process for covered entities that no longer qualify for exemptions
On February 2, NYDFS updated its answers to FAQs regarding 23 NYCRR Part 500, which established cybersecurity requirements for banks, insurance companies, and other financial services institutions. (See here for previous InfoBytes coverage on updates to the FAQs.) Among other things, the update outlines the procedures covered entities must follow if the entity ceases to qualify for exemptions under Section 500.19. Covered entities who no longer qualify for an exemption will have 180 days from the end of their most recent fiscal year to comply with all applicable requirements of 23 NYCRR Part 500. NYDFS further notes that covered entities may be required to periodically refile their exemptions to ensure qualification.
New Jersey Department of Banking and Insurance adjusts maximum dollar amount of 2019 high-cost home loans
On January 31, as part of the annual review required under the Home Ownership Security Act of 2002 (the Act), the New Jersey Department of Banking and Insurance issued Bulletin 19-02, which addresses the definition of a “high cost home loan.” The bulletin adjusts the maximum principal amount of a loan that may be considered a “high cost home loan” from $487,618.86 to $498,610 and is effective for all completed loan applications subject to the Act received by a lender on or after January 1.
On December 14, Maxine Waters (D-CA) and 22 other House Democrats issued a letter urging the new CFPB Director, Kathy Kraninger, to resume supervisory examinations of the Military Lending Act (MLA). As previously covered by InfoBytes, according to reports citing “internal agency documents,” the Bureau ceased supervisory examinations of the MLA, contending the law does not authorize the Bureau to examine financial institutions for compliance with the MLA. In response, a bipartisan coalition of 33 state Attorneys General sent a letter to then acting Director, Mick Mulvaney, expressing concern over the decision (covered by InfoBytes here).
The letter from Waters, who is expected to be the next chair of the House Financial Services Committee, and the other 22 Democratic members of the Committee, argues that “there is no question the [CFPB] has the authority and the responsibility to supervise its regulated entities for compliance with the MLA.” As support, the letter cites to the Bureau’s authority to oversee a “wide range of regulated entities,” the establishment of the Bureau’s Office of Servicemember Affairs, and the 2013 amendments to the MLA, which gave the Bureau the authority to enforce the act. The letter also points to the Bureau’s work obtaining $130 million in relief for servicemembers, veterans, and their families through enforcement actions, as well as the 109 complaints the Bureau has received from military consumers since 2011.
On December 10, the CFPB released a new proposed policy on No-Action Letters (NAL) and a new federal product sandbox. The new NAL proposal, which would replace the 2016 NAL policy, is “designed to increase the utilization of the Policy and bring certain elements more in line with similar no-action letter programs offered by other agencies.” The proposal consists of six sections. Highlights include:
- Description of No-Action Letters. The letter would indicate to the applicant, that subject to good faith, substantial compliance with the terms of the letter, the Bureau would not bring a supervisory or enforcement action against the recipient for offering or providing the described aspects of the product or service covered by the letter.
- Submitting Applications. The proposal includes a description of the items an application should contain and invites applications from trade associations on behalf of their members, and from service providers and other third parties on behalf of their existing or prospective clients.
- Assessment of Applications. The Bureau intends to grant or deny an application within 60 days of notifying the applicant that the application is deemed complete.
- Issuing No-Action Letters. NALs will be signed by the Assistant Director of the Office of Innovation or other members in the office, and will be duly authorized by the Bureau. The Bureau may revoke a NAL in whole or in part, but before the Bureau revokes a NAL, recipients will have an opportunity to cure a compliance failure within a reasonable period.
- Regulatory Coordination. In order to satisfy the coordination requirements under Dodd-Frank, the Bureau notes it is interested in partnering with state authorities that issue similar forms of no-action relief in order to provide state applicants an alternative means of also receiving a letter from the Bureau.
- Disclosure of Information. The Bureau intends to publish NALs on its website and in some cases, a version or summary of the application. The Bureau may also publish denials and an explanation of why the application was denied. The policy notes that disclosure of information is governed by the Dodd-Frank Act, FOIA and the Bureau’s rule on Disclosure of Records and Information, which generally would prohibit the Bureau from disclosing confidential information.
Notable changes from the 2016 NAL policy include, (i) NALs no longer have a temporal duration—under the new proposal, there is no temporal limitation except in instances of revocation; (ii) applicants are no longer are required to commit to sharing data about the product or service covered by the application; and (iii) the letters are no longer staff recommendations, but issued by authorized officials in the Bureau to provide recipients greater assurance of the relief.
The proposal also introduces the Bureau’s “Product Sandbox,” which offers substantially the same relief as the NAL proposal but also includes: (i) approvals under one or more of three statutory safe harbor provisions of TILA, ECOA, or the EFTA; and (ii) exemptions by order from statutory provisions of ECOA, HOEPA, and FDIA, or regulatory provisions that do not mirror statutory provisions under rulemaking authority. The proposal notes that two years is the expected duration for participation in the Sandbox, but similar to the no-action relief above, the no-action relief from the Sandbox program can be of unlimited duration—if approved under the sandbox program, “the recipient would be immune from enforcement actions by any Federal or State authorities, as well as from lawsuits brought by private parties.”
Comments on the proposals are due within 60 days of publication in the Federal Register.
NYDFS and international bank enter into second supplemental consent order over BSA/AML compliance deficiencies
On November 21, NYDFS and an international bank entered into a second supplemental consent order covering its settlement over alleged deficiencies in the bank’s Bank Secrecy Act/anti-money laundering and Office of Foreign Assets Control (OFAC) compliance program controls. As previously covered by Infobytes, in 2012, the bank agreed to engage an independent on-site monitor for 24 months to evaluate the New York branch’s BSA/AML and OFAC compliance programs and operations and was issued a $340 million civil money penalty. In 2014 NYDFS issued a subsequent consent order outlining the monitor’s findings, including reports of significant failures in the bank’s transaction monitoring. The 2014 order extended the engagement of the monitor for another two years, outlined remedial measures to address continued deficiencies, and required the bank to pay an additional $300 million civil money penalty. In April 2017, NYDFS and the bank entered into the first supplemental consent order to modify the 2012 and 2014 orders, acknowledging the bank made significant improvements in its BSA/AML compliance program but extended the monitor through December 2018 with all the other terms and conditions of the 2012 and 2014 consent orders remaining in full effect.
Now, beginning January 1, 2019, the second supplemental order issued by NYDFS requires the bank to engage an independent consultant, selected by the regulator, for a period of up to one year, with a possible extension of one additional year, to provide guidance for completing remediation called for in the 2012 and 2014 consent orders. In response to the second supplemental order, the bank stated it remained “committed to completing the remaining tasks necessary for that remediation.”
FDIC releases September enforcement actions, including breaches of fiduciary duty and BSA violations
On October 26, the FDIC announced a list of administrative enforcement actions taken against banks and individuals in September. Included among the actions is a removal and prohibition and civil money penalty assessment issued against a bank’s president, CEO and board chairman (in his individual capacity as an institution-affiliated party) of a Florida-based bank for allegedly engaging in unsafe or unsound practices and breaches of fiduciary duty while employed by the bank. Among other claims, the respondent allegedly created a conflict of interest when he operated a consumer finance company, which he personally owned, out of one of the bank's branches. The FDIC contends that the respondent (i) operated the company through the utilization of bank property and staff without reimbursing the bank; (ii) issued loans to bank customers through the company; (iii) repaid the company using overdraft funds from customers’ bank accounts; and (iv) “caused the release and sale of bank collateral without full repayment to the bank when a portion of the sale proceeds were being used to pay on a finance company loan.” According to the FDIC, the respondent failed to disclose his actions to the bank’s board of directors as required by state law and a consent order the bank entered into in July 2010.
Additionally, a consent order was issued to a South Carolina bank related to alleged weaknesses in its Bank Secrecy Act (BSA) compliance program. The bank was ordered to, among other things, (i) revise and implement internal controls and policies and procedures for BSA compliance, including suspicious activity monitoring and reporting and customer due diligence procedures; (ii) perform an enhanced risk assessment of the bank’s operations; and (iii) take necessary steps to correct or eliminate all cited violations, such as conducting independent testing and implement effective BSA training programs.
There are no administrative hearings scheduled for November 2018. The FDIC database containing all 24 enforcement decisions and orders may be accessed here.
On October 22, the Federal Reserve Board (Board) entered into a written agreement with an Oklahoma state chartered bank, which outlines a compliance proposal to “maintain the financial soundness” of the bank. The agreement requires the bank to submit, within 60 days, written plans to improve various aspects of the bank’s functions including, but not limited to, (i) internal controls; (ii) credit risk management; (iii) liquidity and funds management; (iv) interest rate risk management; (v) information technology/cybersecurity; and (vi) BSA/AML compliance. The agreement also prevents the bank from extending, renewing, or restructuring any credit for any borrower whose loans or other extensions of credit were part of the Board’s examination critiques, without prior approval from the board of directors, who are required to document the reasons for the credit extension and certify its compliance with the terms of the agreement.
On August 24, 13 state banking supervisors sent a letter asking congressional leaders “to consider legislation that creates a safe harbor for financial institutions to serve state-compliant [marijuana] business, or entrusts sovereign states with the full oversight and jurisdiction of marijuana-related activity.” According to the letter, while 31 states, the District of Columbia, and two territories have legalized medical and/or recreational marijuana use as of August 1, many financial institutions choose not serve marijuana businesses due to a perceived threat of asset forfeitures or criminal penalties. The letter notes that this results in inadequate regulation, cash transactions that are difficult to track, “a diminished ability to identify operators acting to circumvent federal and state licensing and regulatory frameworks,” and concerns for public safety. In addition, according to the state regulators, the rescission of the 2013 “Cole Memo”—which outlined the DOJ’s marijuana enforcement priorities and was relied upon by a limited number of financial institutions—has led to greater uncertainty for banks that serve marijuana businesses. The letter also discusses the Financial Crimes Enforcement Network’s 2014 guidance—which clarifies expectations under the Bank Secrecy Act for financial institutions providing services to marijuana businesses—and further stresses that “the Rohrabacher amendment prohibiting federal funds being used to inhibit state medicinal marijuana programs [is] an impermanent approach that requires a permanent resolution.”
In July, and as previously covered in InfoBytes, the New York Department of Financial Services (NYDFS) issued guidance which encouraged New York state chartered banks and credit unions to consider establishing relationships with regulated and compliant medical marijuana and industrial hemp-related businesses operating in New York. NYDFS stated it will not impose any regulatory action on a New York financial institution that establishes a relationship with a regulated marijuana business as long as the institution also complies with other applicable guidance and regulations.
According to reports citing “internal agency documents,” acting Director of the CFPB Mick Mulvaney intends to cease supervisory examinations of the Military Lending Act (MLA), contending the law does not explicitly prescribe the Bureau the authority to examine financial institutions for compliance with the MLA. In 2013, amendments to the MLA granted enforcement authority to the same agencies with administrative enforcement power under TILA, including the Bureau, but these amendments did not also provide these same agencies with the statutory authority to supervise institutions for compliance with the MLA. The Bureau currently includes the MLA in the statutory- and regulation-based procedures section of the Supervision and Examination Manual and has not released a formal statement in response to reports of this supervisory change.
In August, the CFPB released an updated version of the Supervision and Examination Manual, which includes minor changes to the workpapers section of the examination process and an updated scope summary template. According to the manual, workpapers are the records documenting the review conducted by examiners to reach conclusions about the financial institution’s compliance with federal consumer protection laws. The manual emphasizes that “[a]ll information collected and all records created during the review that are used to support findings and conclusions could potentially be included in the workpapers” and all workpapers must be reviewed and signed off by the examiner in charge. The Bureau requires all workpapers and related documentation to be maintained in electronic form.
- Jeffrey S. Hydrick to discuss "State legislative update" at the NMLS Annual Conference & Training
- Kathryn L. Ryan to speak at the "Business model primer" at the NMLS Annual Conference & Training
- Daniel P. Stipano to discuss "Dynamic customer due diligence and beneficial ownership from KYC to ongoing CDD and the new rule implementation" at the Puerto Rican Symposium of Anti-Money Laundering
- Jon David D. Langlois to discuss "Regulatory risks of convenience fees" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Michelle L. Rogers to discuss "Preparing for servicing exams in the current regulatory environment" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- APPROVED Webcast: NMLS Annual Conference & Ombudsman Meeting: Review and recap
- Brandy A. Hood to discuss "Keeping your head above water in flood insurance compliance" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Melissa Klimkiewicz to discuss "Servicing super session" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Jessica L. Pollet to discuss "Law & compliance speedsmarts" at the American Financial Services Association Law & Compliance Symposium
- Daniel P. Stipano to discuss "Lessons learned from recent high profile enforcement actions" at the Florida International Bankers Association AML Compliance Conference
- Moorari K. Shah to provide "Regulatory update – California and beyond" at the National Equipment Finance Association Summit
- Sasha Leonhardt and John B. Williams to discuss "Privacy" at the National Association of Federally-Insured Credit Unions Spring Regulatory Compliance School
- Aaron C. Mahler to discuss "Regulation B/fair lending" at the National Association of Federally-Insured Credit Unions Spring Regulatory Compliance School
- Heidi M. Bauer to discuss "'So you want to form a joint venture' — Licensing strategies for successful JVs" at RESPRO26
- Jonice Gray Tucker to to discuss "DC policy: Everything but the kitchen sink" at CBA Live
- Jonice Gray Tucker to discuss "Small business & regulation: How fair lending has evolved & where are we heading?" at CBA Live
- Daniel P. Stipano to discuss "Lessons learned from ABLV and other major cases involving inadequate compliance oversight" at the ACAMS International AML & Financial Crime Conference
- Daniel P. Stipano to discuss "A year in the life of the CDD final rule: A first anniversary assessment" at the ACAMS International AML & Financial Crime Conference
- Moorari K. Shah to discuss "State regulatory and disclosures" at the Equipment Leasing and Finance Association Legal Forum
- Hank Asbill to discuss "Pay no attention to the man behind the curtain: Addressing prosecutions driven by hidden actors" at the National Association of Criminal Defense Lawyers West Coast White Collar Conference
- Daniel P. Stipano to discuss "Keep off the grass: Mitigating the risks of banking marijuana-related businesses" at the ACAMS AML Risk Management Conference
- Daniel P. Stipano to discuss "Mid-year policy update" at the ACAMS AML Risk Management Conference
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program