InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC allows Hawaii institutions to temporarily close, SBA offers loans
On August 10, the OCC issued a proclamation permitting OCC-regulated institutions to close offices in areas affected by the wildfires in Hawaii. In issuing the proclamation, the OCC noted that only bank offices directly affected by potentially unsafe conditions should close, and that institutions should make every effort to reopen as quickly as possible to address customers’ banking needs. The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions.
In addition, the Small Business Association (SBA) announced that it is offering low-interest federal disaster loans to Hawaii businesses and residents and California businesses and residents affected by the severe winter storms, straight-line winds, flooding, landslides and mudslides that occurred February 21 – July 10.
Interest rates for these loans can be as low as 4% for businesses, 2.375% for private nonprofit organizations and 2.375% (2.5% for Hawaii) for homeowners and renters with terms up to 30 years. Loan amounts and terms are set by SBA and are based on each applicant’s financial condition, with loans up to $500,000 for homeowners to repair or replace damaged or destroyed real estate and $100,000 to repair or replace damaged or destroyed personal property, including personal vehicles. The loans are part of the SBA’s commitment to “providing federal disaster loans swiftly and efficiently, with a customer-centric approach to help businesses and communities recover and rebuild.”
Find continuing InfoBytes coverage on disaster relief here.
GAO calls for enhanced oversight of blockchain, alternative data
On August 8, the U.S. Government Accountability Office (GAO) released letters sent to the OCC, SEC, FDIC and the Fed to provide an update on GAO’s “priority open recommendations” for each regulator. Priority open recommendations refer to suggestions from GAO to bank regulators that have the potential for cost savings, elimination of mismanagement, fraud, and abuse, or addressing high-risk or duplication issues. GAO suggested that all four agencies follow its recommendation to coordinate oversight of blockchain technology. GAO referenced recent “volatility, bankruptcies, and instances of fraud in the crypto asset markets” and underscored the dangers to consumers and investors without safeguards. GAO suggests regulators jointly establish a formal coordination method to promptly identify and address risks tied to blockchain.
For the three banking regulators in particular—the OCC, FDIC, and Fed—GAO noted that in 2011 it recommended that the three banking regulators implement noncapital triggers for early regulatory intervention tied to risky banking practices, but that such triggers had not yet been implemented. GAO also suggested that banking regulators and the “communicate the appropriate use of alternative data in the underwriting process with banks that engage in third-party relationships with fintech lenders.”
GAO’s letter to the Fed restated GAO’s 2016 recommendation that the Fed design “a process to communicate information about the uncertainty surrounding post-stress capital ratio estimates” and “articulate tolerance levels for key risks identified through sensitivity testing and for the degree of uncertainty in the projected capital ratios.” GAO also recommended that the Fed revisit its “prompt corrective action framework” by “adopting noncapital triggers that would require early and forceful regulatory actions tied to unsafe banking practices.”
CFPB files reply brief supporting its constitutional structure
On August 3, the CFPB filed a Reply Brief in support of its request to overturn the Fifth Circuit’s decision in Community Financial Services Association of America v. Consumer Financial Protection Bureau, in which the 5th Circuit found that the CFPB’s funding structure violated the Constitution’s Appropriations Clause (covered by InfoBytes here, here, and here, and in a firm article here).
In its Reply Brief, the CFPB argues that Congress did not violate the Appropriations Clause by failing to specify a specific dollar amount to fund the CFPB because “the Appropriations Clause contains no dollar-amount requirement.” In support of that argument, the CFPB points to the Founders’ appropriation of funds for the Post Office and the National Mint where they did not decide the specific amounts of annual funding, the funding structure for the OCC and the Federal Reserve Board, and to current federal appropriations for Social Security payments and unemployment assistance.
The Bureau then argues that even if there was a specific dollar amount requirement, that requirement is nonetheless satisfied because “Congress fixed the CFPB’s maximum annual funding.” According to the Bureau, the fact that it has the discretion to ask for less than the maximum authorized is commonplace and “[t]o this day, Congress routinely appropriates sums ‘not to exceed’ a particular amount;’ that phrase appears more than 400 times in the Consolidated Appropriations Act, 2022.”
The Bureau then aims to refute plaintiff’s arguments that the Appropriations Clause requires time-limited funding laws and imposes special rules for law enforcement agencies. The Bureau argues that the fact that the Constitution includes a specific restriction limiting Congress from funding the army for more than two years dictates that by negative implication there is no such prohibition of a standing appropriation for a different appropriation.
Finally, the Bureau argues that its combination of features is not as unique as CFSA contends, and that even if the Supreme Court ultimately finds the funding structure unconstitutional vacating the Payday Lending Rule is an inappropriate remedy because the 5th Circuit failed “to consider whether the defect it perceived could be cured by severing portions of Section 5497.”
OCC issues guidance regarding purchased loans
On August 8, the OCC issued new guidance regarding the applicability of the legal lending limit (LLL) to purchased loans. The guidance clarifies that “all loans and extensions of credit made by banks are subject to the LLL” and explains that “[w]hether a loan that a bank purchases is attributable to the seller under the LLL regulation depends on specific facts and circumstances.” The OCC then further explains, that in evaluating purchased loans, loans will be attributed to a seller if the bank has direct or indirect recourse to the seller, which can be explicit or implied. Explicit recourse is established through a written agreement and implied recourse can be established though the bank’s course of dealing with the seller. For example, the OCC noted that if a seller routinely “substituted or repurchased loans or refilled or replenished a reserve account even when the contract did not require those actions” that would be sufficient to establish implied recourse.
Fed suggests enhancing supervision of “novel activities” by banks
On August 8, the Federal Reserve Board announced the issuance of two supervision letters that elaborate on the its program to supervise “novel activities” such as fintech partnerships, crypto-related activities, and activities using distributed ledger or “blockchain” technology. The first letter, SR 23-7, announces the establishment of the “Novel Activities Supervision Program,” a program designed to “ensure that the risks associated with innovation” supported by new technologies are managed appropriately by the bank. The program will focus on (i) technology-driven partnerships with non-banks; (ii) crypto-asset related activities such as asset custody, crypto-collateralized lending, asset trading, and crypto issuance and distribution; (iii) exploration or use of distributed ledger technology; and (iv) concentration of banking services to crypto-asset related entities and fintech companies. Supervisory teams will be tasked with monitoring and examining these novel activities within the existing supervisory portfolios and will take a risk-based approach on the level and intensity of supervision. The letter concludes that “the Program will also operate in keeping with the principle that banking organizations are neither prohibited nor discouraged from providing banking services to customers or any specific class or type” as permitted by law.
In the second supervisory letter, SR 23-8, the Fed announced a “nonobjection process” for banks seeking to engage in certain dollar token activities. Previously, the OCC issued an interpretive letter permitting national banks to use distributed ledger technology (or similar) to conduct payments using dollar tokens, as long as the bank could demonstrate adequate controls. (Covered by InfoBytes here). The letter clarifies that any bank supervised by the Fed that wishes to engage in those same activities must first obtain a written notice of supervisory nonobjection from the Fed. In order to do so, the bank must be able to demonstrate it has implemented adequate risk management practices, taking into account operational, cybersecurity, liquidity, illicit finance, and consumer compliance risks, among others. The bank must also demonstrate that it is aware of and can comply with laws applicable to the activities.
Fed’s annual report: cybersecurity risk management & emerging threats
On August 1, the Fed released its 2023 Cybersecurity and Financial System Resilience Report. Required annually by the Consolidated Appropriations Act, 2021, the report describes the measures the Fed has taken to strengthen cybersecurity within the financial services sector and its supervision and regulation of financial institutions and service providers across the past year. The report details the Fed’s activities in the space, including issuing regulations and guidance for supervised institutions, examining and monitoring supervised institutions’ risk management, and collecting data on relevant cybersecurity incidents. Recent actions highlighted in the report include the publication of an updated Cybersecurity Resource Guide for Financial Institutions, a proposal to update the operational risk management requirements in Regulation HH for systematically important financial market utilities, and final joint guidance issued in conjunction with the FDIC and OCC regarding banking organizations’ risk management of third-party relationships. The Fed also describes the steps it is taking to protect its own operations and assets from cybersecurity threats.
With respect to supervisory activities, the Fed notes that it “has observed improvement in cybersecurity practices over the past several years resulting from supervised institutions’ efforts to address supervisory findings as well as proactive steps taken by the institutions.” The report notes that the Fed is taking measures to address OIG recommendations relating to the effectiveness of its cybersecurity incident response process, including updating the cybersecurity incident response process’s mission and governance structure and enhancing guidance and training. The report describes the Fed’s close coordination with other participants in the global financial system in addressing cybersecurity risk, including domestic and international agencies, governance bodies, financial regulators, and industry.
Finally, the report describes current and emerging threats to the financial system, including (i) geopolitical tensions and accompanying cyberattacks; (ii) cyber-criminal activity involving ransomware as a service, targeting of authentication mechanism weaknesses, and collaboration among cyberthreat actors; (iii) increasing potential of a supply chain or third-party attack; (iv) cyber risks associated with third-party providers; (v) insider threats; and (vi) other emerging technology-related threats, such as risks inherent to machine learning and quantum computing capabilities.
Judge grants MSJ in class action over disputed debt investigation
On July 28, the U.S. District Court for the Southern District of Alabama granted summary judgment in favor of a defendant third-party debt collector in an FCRA and FDCPA putative class action, holding that the defendant carried out a reasonable investigation following plaintiff’s dispute of the debt it had reported to credit reporting agencies (CRAs) and that the plaintiff failed to establish that the defendant knew or should have known that the debt was inaccurate or invalid. Defendant entered into an asset purchase agreement with another third-party debt collector and reported debts to credit reporting agencies under the name of the non-defendant third-party debt collector, including an account erroneously associated with plaintiff. When defendant received notice that plaintiff disputed the erroneous account information, defendant verified the account information in its system and provided by the CRA, asked the creditor to provide account documentation, and then requested that the CRAs delete their reporting of the account once the creditor failed to provide account documentation within the requested thirty-day period.
In relation to the FCRA claim, the court found that the defendant “did everything required by the FCRA in response to Plaintiff’s dispute” such that the plaintiff “failed to establish how this investigation was not reasonable” or in violation of the FCRA. The court also found that plaintiff “failed to show that any different result would have occurred had [defendant] conducted any part of its investigation differently.” Finally, plaintiff’s claim failed as a matter of law concerning defendant’s initial report of the debt to the CRAs because the defendant was not required under the FCRA to “investigate the validity of a debt before commencing to report on that account to the CRAs.” While the defendant was prohibited from reporting inaccurate consumer information, no private cause of action exists for violations of this initial reporting provision of the FCRA.
For the FDCPA claim, the court held that the plaintiff failed to establish that the defendant had knowledge that the debt it reported was not accurate or was otherwise disputed or invalid. Because the CFPB passed Regulation F in November 2021, after the events at question in this litigation, furnishing information regarding a debt to a CRA before communication with plaintiff was not unlawful at that time. Finally, the court found that plaintiff failed to timely assert that defendant violated the FDCPA provision prohibiting false, deceptive, or misleading representation by using the non-defendant third-party debt collector’s name when reporting the account to the CRAs because this allegation was not present in plaintiff’s complaint.
Agencies update guidance on liquidity risks and contingency planning
On July 28, the OCC, FDIC, NCUA and Fed issued an addendum to the Interagency Policy Statement on Funding and Liquidity Risk Management, issued in 2010. The update on liquidity risks and contingency planning emphasizes that depository institutions should regularly evaluate and update their contingency funding plans, referencing the unprecedented deposit outflows resulting from the early 2023 bank failures. According to the addendum, depository institutions should assess the stability of their funding, keep a range of funding sources, and regularly test any contingency borrowing lines in order to prepare staff in the case of adverse circumstances. Additionally, the addendum states that if contingency funding arrangements include discount windows, the depository institutions should ensure they can borrow from the discount window by (i) establishing borrowing arrangements; (ii) confirming that collateral is available to borrow in an appropriate amount; (iii) conduct small value transactions regularly to create familiarity with discount window operations; (iv) establish familiarity with the pledging process for collateral types; and (v) be aware that pre-pledging collateral can be useful in case liquidity needs arise quickly. The agencies also state that federal and state-chartered credit unions can access the Central Liquidity Facility, which provides a contingent federally sourced backup liquidity where a credit union’s liquidity and market funding sources prove inadequate.
Agencies propose new capital requirements for biggest banks
On July 27, the FDIC’s Board of Directors unveiled proposed interagency amendments to the regulatory capital requirements for the largest and most complex banks in the United States. The notice of proposed rulemaking (NPRM), issued jointly by the FDIC, OCC, and the Federal Reserve Board (and passed by an FDIC Board vote of 3-2 and a Fed vote of 4-2), would revise capital requirements for large banking organizations with at least $100 billion in assets, as well as certain banking organizations with significant trading activity. (See also FDIC fact sheet here.) The proposed changes would implement the final components of the Basel III agreement—recent changes made to international capital standards issued by the Basel Committee on Banking Supervision—as well as modifications made in response to recent bank failures in March, the agencies said.
Specifically, the NPRM would implement standardized approaches for market risk and credit valuation adjustment risk by amending the way banks calculate their risk-weighted assets. According to FDIC FIL-38-2023, the new “expanded risk-based approach” would incorporate a standardized approach for credit risk and operational risk, a revised internal models-based approach, a new standardized measure for market risk, and a new revised approach for credit valuation adjustment. Banks subject to Category III and IV standards would also be required “to calculate their regulatory capital in the same manner as banking organizations subject to Category I and II standards, including the treatment of accumulated other comprehensive income, capital deductions, and rules for minority interest.” Additionally, the supplementary leverage ratio and the countercyclical capital buffer would be applied to banks subject to Category IV standards.
The agencies said the proposed modifications are intended to:
- Better reflect banks’ underlying risks;
- Increase transparency and consistency by revising the capital framework in four main areas: credit, market, operational, and credit valuation adjustment risk;
- Strengthen the banking system, by applying consistent capital requirements across large banks by requiring institutions to (i) include unrealized gains and losses from certain securities in capital ratios; (ii) comply with the supplementary leverage ratio requirement; and (iii) comply with the countercyclical capital buffer, if activated.
The agencies predict that these changes will “result in an aggregate 16 percent increase in common equity tier 1 capital requirements for affected bank holding companies, with the increase principally affecting the largest and most complex banks.” The impact would vary by bank based on activities and risk profiles, the agencies stated, noting that most banks currently have enough capital to meet the proposed requirements. The NPRM would not amend capital requirements for smaller, less complex banks or for community banks. The agencies propose a three-year phased-in transition process beginning July 1, 2025, to provide banks sufficient time to accommodate the changes and minimize potentially adverse impacts. The changes would be fully phased in on July 1, 2028.
Separately, the Fed also issued an NPRM on a proposal that would modify certain provisions relating to the calculation of the capital surcharge for the largest and most complex banks in order to “better align the surcharge to each bank’s systemic risk profile. . .by measuring a bank’s systemic importance averaged over the entire year, instead of only at the year-end value.”
Comments on both NPRMs are due November 30.
FDIC Chairman Martin Gruenberg stressed that “[e]nhanced resilience of the banking sector supports more stable lending through the economic cycle and diminishes the likelihood of financial crises and their associated costs.” Also voting in favor of the NPRM was CFPB Chairman and FDIC Board Member Rohit Chopra who expressed interest in feedback from the public on ways to simplify the methodologies used to calculate the requirements. Acting Comptroller of the Currency Michael also voted in favor and encouraged commenters “to include assumptions about capital distributions and competition from banks and other financial institutions in their analyses of the impacts of the proposal on lending and economic growth.”
Voting against the new standards, FDIC Vice Chairman Travis Hill argued that while he supports strong capital requirements, he has several “concerns with the impact of excessive gold plating of international standards.” He stressed that the “proposal rejects the notion of capital neutrality and takes a starkly different path, ‘gold plating’ the new Basel standard in a number of ways and dramatically increasing capital requirements for banks with certain business models.”
OCC releases recent enforcement actions
On July 20, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Among the enforcement actions is a formal agreement with a California-based bank to update its BSA/AML compliance program. According to the agreement, the OCC identified deficiencies and violations relating to the bank’s compliance with BSA/AML laws and regulations. Among other things, the bank agreed to establish a compliance committee and revise its adherence to appropriate policies and procedures for collecting customer due diligence “when opening new accounts, when renewing or modifying existing accounts for customers, and when the [b]ank obtains event-driven information indicating that it needs to obtain updated customer due diligence information.” The bank also agreed to institute an “enhanced written risk-based program of internal controls and processes” to ensure an appropriate review of BSA/AML suspicious activity.