InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
States stress importance of CRA modernization
On August 5, a coalition of 15 state attorneys general submitted a comment letter in support of the joint notice of proposed rulemaking (NPRM) issued by the FDIC, OCC, and Federal Reserve Board (collectively, “agencies”) regarding modernizing the Community Reinvestment Act (CRA). As previously covered by InfoBytes, the NPRM, among other things, would update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. According to the letter, the NPRM is “a marked improvement over prior proposals that some of the agencies set out in the last several years.” The AGs noted that the final rule “must ensure that all members of our communities are fully served by financial institutions” and urged the agencies to continue to strengthen it. The AGs further encouraged the agencies to focus on: (i) ensuring the NPRM “vindicates CRA’s core purpose to address racial inequalities”; (ii) increasing the regulatory bar so “that banks are taking meaningful action to meet low- and moderate income (LMI) community needs; and (iii) “[l]everaging incentives to encourage affordable housing development for LMI communities without displacement.” Additionally, the AGs suggested that the NPRM “should be modified to ensure that this once-in-a-generation modernization effort gives the regulators the tools they need to carry out CRA’s imperative—that financial institutions be required to address the needs of our most vulnerable communities—in our States and across the Nation.” The AGs also noted that some states “expressed concern that the widening racial wealth gap stemming from historical redlining would be exacerbated by an uneven pandemic recovery.” Specifically, the letter stated that “two-and-a-half years into the COVID-19 crisis, the States face an affordable and accessible housing crisis, increased homelessness and housing insecurity, and historic levels of inflation that disproportionally threaten low-income communities and communities of color.” The AGs stated that CRA regulatory reform “can be a key element of addressing these problems.”
CFTC updates its interest rate swap clearing requirements as LIBOR ends
On August 12, the CFTC issued a final rule updating its interest rate swap clearing requirement under part 50 of the CFTC’s regulations. Among other things, the final rule eliminates the requirement to clear interest rate swaps referencing LIBOR and other interbank offered rates and replaces them with requirements to clear interest rate swaps referencing overnight, nearly risk-free reference rates. The final rule also “updates the swaps required to be submitted for clearing to a derivatives clearing organization (DCO) or an exempt DCO and the compliance dates for such swaps.” According to CFTC Chairman Rostin Behnam, the final rule “promotes financial stability and mitigates systemic risk,” and “is essential to ensure cross border harmonization in the interest rate swaps market.” The final rule is effective 30 days after publication in the Federal Register.
Democrats ask OCC to rescind crypto guidance
On August 10, four U.S. Democratic Senators sent a letter to acting Comptroller of the Currency Michael Hsu urging the OCC to rescind November 2021 guidance permitting national banks to engage in certain cryptocurrency activities. According to the letter, the Senators “are concerned that the OCC’s actions on crypto may have exposed the banking system to unnecessary risk, and ask that [Hsu] withdraw existing interpretive letters that have permitted banks to engage in certain crypto-related activities.” The letter noted that the OCC unilaterally released interpretive letters related to cryptocurrencies in July 2020 (Interpretive Letter 1170), October 2020 (Interpretive Letter 1172), and January 2021 (Interpretive Letter 1174). In the letters, the Senators noted, the OCC determined that banks were permitted to engage in certain crypto-related activities, which include, among other things: (i) “providing cryptocurrency custody service for customers”; (ii) “holding deposits that serve as reserves for certain stablecoins”; and (iii) “operating independent node verification networks [] and stablecoins for payment activities.” The Senators argued that the letters “granted banks unfettered opportunity to engage in certain crypto activities and remain problematic” after the OCC issued another interpretive letter (Interpretive Letter 1179) under Hsu attempting to limit the risks posed by the policies set forth in the earlier letters. The Senators asked Hsu to provide information so that they can “better understand banks’ exposure to the crypto market” by August 24. The Senators also urged Hsu to work with the Fed and FDIC on replacing his agency’s existing crypto guidance with a more “comprehensive approach.”
CFPB: Digital marketing providers/big tech liable for UDAAP violations
On August 10, the CFPB issued an interpretive rule addressing when the CFPA’s UDAAP provisions cover digital marketing providers that commingle the targeting and delivery of advertisements to consumers with the provision of advertising “time or space.” Currently, traditional marketing firms are exempt from the CFPA provided they allow banks and other financial institutions “time and space” in traditional media outlets such as television and newspapers to advertise products. The Bureau stated, however, that digital marketers go beyond this approach when they harvest large amounts of information about consumers and use this data to shape their marketing content strategy.
Under the interpretive rule, this exception does not apply to firms that are materially involved in the development of content strategy. Due to the different nature of the services provided, behavioral marketing and advertising for financial institutions could subject marketers to legal liability depending on how those practices are designed and implemented, the Bureau said. Because “[d]igital marketing providers are typically materially involved in the development of content strategy when they identify or select prospective customers or select or place content in order to encourage consumer engagement with advertising,” the Bureau explained that digital marketers “engaged in this type of ad targeting and delivery are not merely providing ad space and time,” and therefore do not qualify under the “time or space” exception. The interpretive rule noted, among other things, that while a covered person may specify certain parameters of the intended audience for a financial product, the digital marketers’ ads and delivery algorithms “identify the audience with the desired characteristics and determine whether and/or when specific consumers see an advertisement.”
“When Big Tech firms use sophisticated behavioral targeting techniques to market financial products, they must adhere to federal consumer financial protection laws,” CFPB Director Rohit Chopra said in the announcement. “The CFPB, states, and other consumer protection enforcers can sue digital marketers to stop violations of consumer financial protection law: Service providers are liable for unfair, deceptive, or abusive acts or practices under the Consumer Financial Protection Act. When digital marketers act as service providers, they are liable for consumer protection law violations,” the Bureau added.
FHFA to require servicers to maintain fair lending data
On August 10, the FHFA announced that Fannie Mae and Freddie Mac will start requiring servicers to obtain and maintain borrowers’ fair lending data on their loans. Data must transfer with servicing throughout the mortgage term, the announcement states, adding that beginning March 1, 2023, servicers will be required to collect borrower data including age, race, ethnicity, gender, and preferred language. The update follows an announcement issued in May (covered by InfoBytes here), which requires lenders to collect information on the borrower’s language preference, and on any homebuyer education or housing counseling that the borrower received, so that lenders can increase their understanding of borrowers’ needs throughout the home buying process. To facilitate the upcoming changes, Freddie Mac issued servicing Bulletin 2022-17, which outlines servicing requirements and notes that data elements must be stored in a format that can be searched, queried, and transferred. Simultaneously, Fannie Mae issued SVC-2022-06 to incorporate the new fair lending data requirements into its Servicing Guide. “Having fair lending data travel with servicing will help servicers do the important work of providing assistance to borrowers in need, helping to further a sustainable and equitable housing finance system,” FHFA Director Sandra Thompson said, adding that this need arose from the foreclosure crisis and Covid-19 response.
CFPB: Financial services companies must safeguard consumer data
On August 11, the CFPB released Circular 2022-04 to reiterate that financial services companies may violate the CFPA’s prohibition on unfair acts or practices if they fail to safeguard consumer data. The Circular explained that, in addition to other federal laws governing data security for financial institutions, such as the Safeguards Rules issued under the Gramm-Leach-Bliley Act (which was updated in 2021 and covered by InfoBytes here), “covered persons” and “service providers” are required to comply with the prohibition on unfair acts or practices in the CFPA. Examples of when firms can be held liable for lax data security protocols are provided within the Circular, as are examples of widely implemented data security practices. The Bureau explained that inadequate data security measures may cause significant harm to a few consumers who become victims of targeted identity theft as a result, or may harm potentially millions of consumers if a large customer-base-wide data breach occurs. The Bureau reiterated that actual injury is not required to satisfy the unfairness prong in every case. “A significant risk of harm is also sufficient,” the Bureau said, noting that the “prong of unfairness is met even in the absence of a data breach. Practices that ‘are likely to cause’ substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.”
While the circular does not suggest that any of the outlined security practices are specifically required under the CFPA, it does provide examples of situations where the failure to implement certain data security measures might increase the risk of legal liability. Measures include: (i) using multi-factor authentication; (ii) ensuring adequate password management; and (iii) implementing timely software updates. “Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said in the announcement. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
Agencies seek comment on renewing FFIEC’s cybersecurity assessment tool
On August 8, the OCC, the Federal Reserve Board, the FDIC, and the NCUA (collectively, “Agencies”) issued a notice in the Federal Register soliciting comments on the renewal of the Federal Financial Institutions Examination Council’s cybersecurity assessment tool. According to the notice, the Agencies are seeking comment on, among other things: (i) “[w]hether the collection of information is necessary for the proper performance of the functions of the agencies, including whether the information has practical utility”; (ii) “[t]he accuracy of the Agencies’ estimates of the burden of the collection of information; (iii) how to “enhance the quality, utility, and clarity of the information to be collected”; and (vi) “minimize[ing] the burden of the collection on respondents.” Comments are due 30 days after publication in the Federal Register.
Agencies seek comment on CRE loan statement
On August 2, the FDIC, OCC, and NCUA (collectively, “the agencies”) issued a notice in the Federal Register soliciting public comment on an updated policy statement regarding accommodations and workouts for commercial real estate (CRE) loans whose borrowers are experiencing financial difficulty. In 2009, the Policy Statement on Prudent Commercial Real Estate Loan Workouts was issued by the FFIEC, which the agencies view “as being useful for both agency staff and financial institutions in understanding risk management and accounting practices for [] CRE loan workouts.” Among other things, the statement would include (i) a new section on short-term loan accommodations; (ii) information about changes in accounting principles since 2009; and (iii) revisions and additions to examples of CRE loan workouts. The new updated statement would also “address relevant accounting changes on estimating loan losses and provide updated examples of how to classify and account for loans modified or affected by loan accommodations or loan workout activity.” Specifically, the agencies seek input on how the document reflects sound practices in CRE loan accommodation and what additional information can be included to optimize the guidance of managing CRE loan portfolios.
FDIC updates its enforcement actions manual
On July 25, the FDIC announced that it updated chapters its Formal and Informal Enforcement Actions Manual, entitled Overview and Administrative Matters and Cease-and-Desist Actions, respectively, regarding the agency’s minimum standards for terminating cease and desist and consent orders issued under Section 8(b) of the FDI Act. According to the FDIC, “the manual provides direction for professional staff related to the work necessary to pursue formal and informal enforcement actions,” and is “intended to support the work of the field, regional, and Washington office’s staff involved in processing and monitoring enforcement actions.” The FDIC is authorized to issue a cease-and-desist order if an insured depository institution has engaged, or is about to engage, in “an unsafe or unsound practice in conducting the business of the institution, or [a] violation of a law and/or regulation, written agreement with the FDIC, or written condition imposed by the FDIC in connection with the granting of any application or other request.” The updates, among other things, clarify that cease-and-desist or consent orders may be terminated if: (i) the institution is in full compliance with all provisions of the order and has fully corrected legal violations, unsafe or unsound practices, or other conditions that led to the issuance of the order; (ii) any provisions deemed “not in compliance” have become outdated or irrelevant; or (iii) deterioration or any provisions deemed “not in compliance” leads to issuance of a new or revised formal action.
Treasury solicits comments on digital assets
On July 12, the U.S. Treasury Department released a notice seeking public comment regarding potential opportunities and risks presented by digital assets. According to the announcement, Treasury is requesting input that will inform its work in carrying out its mandate under Executive Order 14067, Ensuring Responsible Development of Digital Assets, which directs Treasury, in consultation with the Secretary of Labor and other relevant agencies, to report to President Biden on the implications of development and adoption of digital assets and changes in financial market and payment infrastructures. The notice also seeks feedback from the public on potential risks associated with digital asset markets and how digital assets may benefit or pose risk to vulnerable populations. Comments must be received by August 8.