
InfoBytes Blog

Financial Services Law Insights and Observations


  • CFPB limits examiner term limits to five years after concurring with OIG recommendations

    On February 26, the Office of Inspector General for the CFPB (OIG) released a report entitled, “The CFPB Can Enhance Certain Practices to Mitigate the Risk of Conflicts of Interest for Division of Supervision, Enforcement and Fair Lending Employees.” The report found that the CFPB’s Office of Supervision Examinations (OSE) does not have a formal policy that requires bank examiners to rotate assignments in a specified time frame, which increases potential conflicts of interest. The OSE examines banks to check for compliance failures in federal consumer financial law and is based out of four regional offices: New York (Northeast), Atlanta (Southeast), Chicago (Midwest), and San Francisco (West). The OIG argued that a formal policy adopted by the OSE would more effectively monitor examiner rotations, promoting “objectivity, cross-training, and broader expertise” and reducing the risk of regulatory capture – or subjecting the same regulated entity to the same examiner and subsequently risking independence and objectivity of exams. The OIG’s report posited two recommendations: (i) that the CFPB implement a formal examiner rotation policy; and (ii) that the CFPB track and document assignments for examiners and its members.

    The OIG found that while some OSE offices have informal examiner rotation policies in place, there is no global system in place to track examiner assignments to ensure regular rotation. For example, OSE’s Northeast and West regional offices have written policies that require certain staff members to rotate every five years. However, the Southeast and Midwest offices do not have any written policies in place and stated that they have a “natural” turnover process based on needs and availability, among other factors.

    The CFPB concurred with both OIG recommendations, stating that it will limit the time for lead examiners and field managers to five years and develop a tool for tracking these assignments.

    Bank Regulatory CFPB OIG Enforcement Examination

  • SEC announces 2024 examination priorities, excludes ESG

    Securities

    On October 16, the SEC’s Division of Examinations announced that its 2024 examination priorities will focus on key risk factors related to information security and operational resiliency, crypto assets and emerging financial technology, regulation systems compliance and integrity, and anti-money laundering. SEC registrants, including investment advisers, investment companies, broker dealers, self-regulatory organizations, clearing agencies, and other market participants are reminded of their obligations to address, manage, and mitigate these key risks. Notably, ESG was a “significant focus area[]” in 2022 (covered by InfoBytes here) and 2023, but it is not directly mentioned in the 2024 examination priorities.

    According to the report, examiners plan to increase their engagement to support the evolving market and new regulatory requirements. Regarding information security and operational resiliency, examiners will focus on registrants’ procedures surrounding “internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents, including those related to ransomware attacks.” Additionally, regarding crypto assets and emerging fintech, examiners will focus on registrants’ business practices involving compliance practices, risk disclosures, and operational resiliency practices. The SEC also mentioned in the “Crypto Assets and Emerging Financial Technology” section of the report that it will assess registrant preparations for the recently adopted rule for broker dealer transactions that shortens the standard settlement cycle to one business day (previously two days) after the trade, which has a compliance date of May 28, 2024. Among other things, the SEC will also focus on whether registrants’ regulation systems compliance and integrity are “reasonably designed” to ensure the security of its systems, including physical security of the systems housed in data centers.

    SEC chair Gary Gensler said that the Division of Examinations plays an important role in “protecting investors and facilitating capital formation,” adding that the commission will focus on “enhancing trust” in the changing markets.

    Securities SEC Examination Digital Assets Fintech Compliance Privacy, Cyber Risk & Data Security

  • FDIC announces launch of new examination portal

    On September 5, the FDIC announced the launch of a new Banker Engagement Site (“BES”) through FDICconnect. The BES will provide a secure and efficient electronic portal through which financial institutions may exchange documents, information and communications for consumer compliance and Community Reinvestment Act examinations. BES will not be used for other FDIC examinations, including safety and soundness examinations. The announcement notes that the FDIC’s existing tool to exchange examination information, the Enterprise File Exchange, will continue to be used when the pre-planning for consumer compliance and CRA activity was initiated prior to the availability of BES and also may be utilized in some additional circumstances.

    Bank Regulatory Federal Issues Examination FDIC CRA

  • GAO calls for enhanced oversight of blockchain, alternative data

    Fintech

    On August 8, the U.S. Government Accountability Office (GAO) released letters sent to the OCC, SEC, FDIC and the Fed to provide an update on GAO’s “priority open recommendations” for each regulator. Priority open recommendations refer to suggestions from GAO to bank regulators that have the potential for cost savings, elimination of mismanagement, fraud, and abuse, or addressing high-risk or duplication issues. GAO suggested that all four agencies follow its recommendation to coordinate oversight of blockchain technology. GAO referenced recent “volatility, bankruptcies, and instances of fraud in the crypto asset markets” and underscored the dangers to consumers and investors without safeguards. GAO suggests regulators jointly establish a formal coordination method to promptly identify and address risks tied to blockchain.

    For the three banking regulators in particular—the OCC, FDIC, and Fed—GAO noted that in 2011 it recommended that the three banking regulators implement noncapital triggers for early regulatory intervention tied to risky banking practices, but that such triggers had not yet been implemented. GAO also suggested that banking regulators and the “communicate the appropriate use of alternative data in the underwriting process with banks that engage in third-party relationships with fintech lenders.”

    GAO’s letter to the Fed restated GAO’s 2016 recommendation that the Fed design “a process to communicate information about the uncertainty surrounding post-stress capital ratio estimates” and “articulate tolerance levels for key risks identified through sensitivity testing and for the degree of uncertainty in the projected capital ratios.” GAO also recommended that the Fed revisit its “prompt corrective action framework” by “adopting noncapital triggers that would require early and forceful regulatory actions tied to unsafe banking practices.”

    Fintech Blockchain Examination Congress CFPB Risk Management OCC SEC FDIC Federal Reserve GAO

  • Fed’s annual report: cybersecurity risk management & emerging threats

    Privacy, Cyber Risk & Data Security

    On August 1, the Fed released its 2023 Cybersecurity and Financial System Resilience Report. Required annually by the Consolidated Appropriations Act, 2021, the report describes the measures the Fed has taken to strengthen cybersecurity within the financial services sector and its supervision and regulation of financial institutions and service providers across the past year. The report details the Fed’s activities in the space, including issuing regulations and guidance for supervised institutions, examining and monitoring supervised institutions’ risk management, and collecting data on relevant cybersecurity incidents. Recent actions highlighted in the report include the publication of an updated Cybersecurity Resource Guide for Financial Institutions, a proposal to update the operational risk management requirements in Regulation HH for systemically important financial market utilities, and final joint guidance issued in conjunction with the FDIC and OCC regarding banking organizations’ risk management of third-party relationships. The Fed also describes the steps it is taking to protect its own operations and assets from cybersecurity threats.

    With respect to supervisory activities, the Fed notes that it “has observed improvement in cybersecurity practices over the past several years resulting from supervised institutions’ efforts to address supervisory findings as well as proactive steps taken by the institutions.” The report notes that the Fed is taking measures to address OIG recommendations relating to the effectiveness of its cybersecurity incident response process, including updating the cybersecurity incident response process’s mission and governance structure and enhancing guidance and training. The report describes the Fed’s close coordination with other participants in the global financial system in addressing cybersecurity risk, including domestic and international agencies, governance bodies, financial regulators, and industry.

    Finally, the report describes current and emerging threats to the financial system, including (i) geopolitical tensions and accompanying cyberattacks; (ii) cyber-criminal activity involving ransomware as a service, targeting of authentication mechanism weaknesses, and collaboration among cyberthreat actors; (iii) increasing potential of a supply chain or third-party attack; (iv) cyber risks associated with third-party providers; (v) insider threats; and (vi) other emerging technology-related threats, such as risks inherent to machine learning and quantum computing capabilities.

    Privacy, Cyber Risk & Data Security Federal Issues Bank Regulatory Risk Management Examination Federal Reserve

  • CFPB issues Summer ’23 supervisory highlights

    Federal Issues

    On July 26, the CFPB released its Summer 2023 issue of Supervisory Highlights, which covers enforcement actions in areas such as auto origination, auto servicing, consumer reporting, debt collection, deposits, fair lending, information technology, mortgage origination, mortgage servicing, payday lending and remittances from June 2022 through March 2023. The Bureau noted significant findings regarding unfair, deceptive, and abusive acts or practices and findings across many consumer financial products, as well as new examinations on nonbanks.

    • Auto Origination: The CFPB examined auto finance origination practices of several institutions and found deceptive marketing of auto loans. For example, loan advertisements showcased cars larger and newer than the products for which actual loan offers were available, which misled consumers.
    • Auto Servicing: The Bureau’s examiners identified unfair and abusive practices at auto servicers related to charging interest on inflated loan balances resulting from fraudulent inclusion of non-existent options. It also found that servicers collected interest on the artificially inflated amounts without refunding consumers for the excess interest paid. Examiners further reported that auto servicers engaged in unfair and abusive practices by canceling automatic payments without sufficient notice, leading to missed payments and late fee assessments. Additionally, some servicers allegedly engaged in cross-collateralization, requiring consumers to pay other unrelated debts to redeem their repossessed vehicles.
    • Consumer Reporting: The Bureau’s examiners found that consumer reporting companies failed to maintain proper procedures to limit furnishing reports to individuals with permissible purposes. They also found that furnishers violated regulations by not reviewing and updating policies, neglecting reasonable investigations of direct disputes, and failing to notify consumers of frivolous disputes or provide accurate address disclosures for consumer notices.
    • Debt Collection: The CFPB's examinations of debt collectors (large depository institutions, nonbanks that are larger participants in the consumer debt collection market, and nonbanks that are service providers to certain covered persons) uncovered violations of the FDCPA and CFPA, such as unlawful attempts to collect medical debt and deceptive representations about interest payments.
    • Deposits: The CFPB's examinations of financial institutions revealed unfair acts or practices related to the assessment of both nonsufficient funds and line of credit transfer fees on the same transaction. The Bureau reported that this practice resulted in double fees being charged for denied transactions.
    • Fair Lending: Recent examinations through the CFPB's fair lending supervision program found violations of ECOA and Regulation B, including pricing discrimination in granting pricing exceptions based on competitive offers and discriminatory lending restrictions related to criminal history and public assistance income.
    • Information Technology: Bureau examiners found that certain institutions engaged in unfair acts by lacking adequate information technology security controls, leading to cyberattacks and fraudulent withdrawals from thousands of consumer accounts, causing substantial harm to consumers.
    • Mortgage Origination: Examiners found that certain institutions violated Regulation Z by differentiating loan originator compensation based on product types and failing to accurately reflect the terms of the legal obligation on loan disclosures.
    • Mortgage Servicing: Examiners identified UDAAP and regulatory violations at mortgage servicers, including violations related to loss mitigation timing, misrepresenting loss mitigation application response times, continuity of contact procedures, Spanish-language acknowledgment notices, and failure to provide critical loss mitigation information. Additionally, some servicers reportedly failed to credit payments sent to prior servicers after a transfer and did not maintain policies to identify missing information after a transfer.
    • Payday Lending: The CFPB identified unfair, deceptive, and abusive acts or practices, including unreasonable limitations on collection communications, false collection threats, unauthorized wage deductions, misrepresentations regarding debt payment impact, and failure to comply with the Military Lending Act. The report also highlighted that lenders reportedly failed to retain evidence of compliance with disclosure requirements under Regulation Z. In response, the Bureau directed lenders to cease deceptive practices, revise contract language, and update compliance procedures to ensure regulatory compliance.
    • Remittances: The CFPB evaluated both depository and non-depository institutions for compliance with the EFTA and its Regulation E, including the Remittance Rule. Examiners found that some institutions failed to develop written policies and procedures to ensure compliance with the Remittance Rule's error resolution requirements, using inadequate substitutes or policies without proper implementation.

    Federal Issues CFPB Consumer Finance Consumer Protection Auto Lending Examination Mortgages Mortgage Servicing Mortgage Origination Supervision Nonbank UDAAP FDCPA CFPA ECOA Regulation Z Payday Lending EFTA Unfair Deceptive Abusive

  • OCC updates cybersecurity exam procedures

    On June 26, the OCC issued Bulletin 2023-22 announcing recent updates to the agency’s approach to cybersecurity assessment procedures. The Cybersecurity Supervision Work Program (CSW) provides high-level examination objectives and procedures aligned with the National Institute of Standards and Technology Cybersecurity Framework (NIST-CSF) and is part of the agency’s risk-based bank information technology supervision process. The CSW is intended to provide examiners an effective approach for identifying cybersecurity risks in supervised banks.

    According to an overview provided by the OCC, the CSW “provides examiners with a common framework and terminology in discussions with bank management” and is structured according to the following NIST-CSF functions: identify, protect, detect, respond, and recover (as well as related categories and subcategories). The OCC also developed an additional function, Specialty Areas, to address areas of risk that may be part of OCC cybersecurity assessments, where applicable. Examiners will use these procedures to supplement those outlined in the “Community Bank Supervision,” “Large Bank Supervision,” and “Federal Branches and Agencies Supervision” booklets of the Comptroller’s Handbook, the FFIEC’s Information Technology Examination Handbook booklets, and other related supervisory guidance.

    The OCC encourages supervised banks to use standardized approaches to assess and improve cybersecurity preparedness. Banks may choose from a variety of standardized tools and available frameworks, and should use the agency’s CSW cross-references table for further guidance. No new regulatory expectations are established with the issuance of the CSW.

    Bank Regulatory Federal Issues Privacy, Cyber Risk & Data Security OCC Supervision Examination NIST

  • OCC’s new enforcement policy targets banks with “persistent weaknesses”

    On May 25, the OCC announced revisions to its Policies and Procedures Manual (PPM) for bank enforcement actions. According to OCC Bulletin 2023-16, the recently revised version of PPM 5310-3 replaces and rescinds a version issued in November 2018 (covered by InfoBytes here), and now includes “Appendix C: Actions Against Banks With Persistent Weaknesses” to provide increased transparency and clarity on how the OCC determines whether a bank has persistent weaknesses and how the agency considers what actions may be needed to address these issues. The OCC explained that “persistent weaknesses” may include “composite or management component ratings that are 3 or worse, or three or more weak or insufficient quality of risk management assessments, for more than three years; failure by the bank to adopt, implement, and adhere to all the corrective actions required by a formal enforcement action in a timely manner; or multiple enforcement actions against the bank executed or outstanding during a three-year period.”

    Possible actions taken against a bank that exhibits persistent weaknesses may include additional requirements and restrictions, such as requirements that a bank improve “composite or component ratings or quality of risk management assessments,” as well as restrictions on the bank’s growth, business activities, or payments of dividends. A bank may also be required “to take affirmative actions, including making or increasing investments targeted to aspects of its operations or acquiring or holding additional capital or liquidity.”

    “Should a bank fail to correct its persistent weaknesses in response to prior enforcement actions or other measures . . . the OCC will consider further action to require the bank to remediate the weaknesses,” the agency said. “Such action could require the bank to simplify or reduce its operations, including that the bank reduce its asset size, divest subsidiaries or business lines, or exit from one or more markets of operation.” PPM 5310-3 also incorporates additional clarifications and updates legal and regulatory citations.

    The same day, the OCC issued updates to its “Liquidity” booklet of the Comptroller’s Handbook used by examiners when assessing the quantity of a bank’s liquidity risk and the quality of its liquidity risk management. The booklet replaces an August 2021 version and reflects changes in regulations, makes clarifying edits, and addresses OCC issuances published since the last update.

    Bank Regulatory Federal Issues OCC Enforcement Supervision Comptroller's Handbook Examination Risk Management

  • NYDFS to impose supervision fees on virtual currency licensees

    State Issues

    On April 17, NYDFS announced the adoption of a final regulation establishing how certain licensed virtual currency businesses will be assessed for supervision and examination costs. Under 23 NYCRR Part 102, licensed virtual currency companies holding a Bitlicense will be assessed for their supervisory costs, similar to other licensees regulated by the Department. Last year, NYDFS first proposed a provision in the state budget authorizing the Department to collect supervisory costs from virtual currency businesses licensed pursuant to the Financial Services Law in order to add talent to its virtual currency regulatory team. (Covered by InfoBytes here.) NYDFS explained that the regulation will only apply to licensed virtual currency businesses and that the fees will only cover the costs and expenses associated with the Department’s oversight of a licensee’s virtual currency business activities. A licensee’s total annual assessment fee will be the sum of its supervisory component and its regulatory component, as defined in the regulation, and will be billed five times per fiscal year, once per quarter and a final true-up at the end of the fiscal year. The background to the final regulation notes that to the extent that a person holds multiple licenses to engage in virtual currency business activities, or concurrently acts as a money transmitter, such person will be billed separately for each license, adding that “[p]ersons who engage in virtual currency business activities as a limited purpose trust company or a banking organization will continue to be assessed under 23 NYCRR Part 101.” The final regulation takes effect upon publication of the Notice of Adoption in the New York State Register.

    State Issues State Regulators NYDFS Digital Assets Supervision Examination 23 NYCRR Part 102 Money Service / Money Transmitters

  • Hsu says OCC focused on fairness in banking

    On March 30, acting Comptroller of the Currency Michael J. Hsu commented that the safety and soundness of the federal banking system continues to be a top agency priority, as is improving fairness in banking. Speaking at a conference, Hsu discussed several measures taken by the OCC to elevate and advance fairness, particularly for the underserved and financially vulnerable. Explaining that OCC examiners are encouraging bank management to review existing overdraft protection programs and consider adopting pro-consumer reforms, Hsu referred to CFPB guidance issued last October to address unfair, deceptive, and abusive practices associated with “so-called ‘surprise overdraft’ fees.” (Covered by InfoBytes here.) He also commented that both the Federal Reserve Board and the FDIC have cited the risk of violating UDAP in connection with certain overdraft practices. Hsu noted that not all overdraft practices are equal, stating that “authorize positive, settle negative” and “representment” fees both present heightened risks.

    Recognizing the recent decline in banks’ reliance on overdraft fees, Hsu emphasized that most bankers he has spoken to “understand the importance of treating their customers fairly and have been open to learning about best practices.” He noted that “[t]hese bankers are committed to being there for their customers and providing them with short-term, small dollar liquidity when it is needed most. Many customers tell their banks, as well as groups that have studied overdraft practices, that this banking service helps them meet payments when they come due.” Hsu added that the OCC’s intended goal is to “improve the fairness of these programs by making them more pro-consumer, not to eliminate them,” and that “[m]ore fairness means more financially healthy communities, which means more trust in banking.” Hsu also discussed efforts taken by the OCC to combat discriminatory lending practices, including working to enhance supervisory methods for identifying appraisal discrimination.

    Bank Regulatory Federal Issues OCC Overdraft Examination Discrimination Supervision Appraisal Consumer Finance CFPB Federal Reserve FDIC
