InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
VA eliminates pre-approval process for certain loans
On May 19, the Department of Veterans Affairs (VA) issued Circular 26-22-09 to announce new procedures for loan approval and new procedures for processing joint loans. The Circular explains that, historically, the Department conducted a pre-closing review of loan application packages when the borrower had been rated unable to manage financial affairs and has a VA-appointed fiduciary. The Department also conducted a pre-closing review of cases where a loan would include more than one veteran using entitlement. In both cases, “the lender has sent such loan application packages to VA in advance of loan closing, and loan closing has not been able to proceed until after VA has issued approval.” The Circular noted that in an effort to streamline procedures to improve the veteran experience, the Department “has determined that such case-by-case reviews add a step that VA no longer believes necessary for ensuring program integrity.” The Circular also noted that that post-audit oversight would be as effective as a pre-closing review in maintaining program integrity, without the delays and additional administrative burdens that can be associated with the historical process. The Circular is effective immediately.
DOJ will not charge researchers who report cybersecurity flaws in “good faith”
On May 19, the DOJ revised its policy for charging cases under the Computer Fraud and Abuse Act (CFAA), directing prosecutors to not charge researchers who report cybersecurity flaws in “good faith.” The policy directive informs prosecutors that the DOJ will not prosecute security researchers that access computers “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public.” Instead, the policy directive focuses the DOJ’s resources “on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer— such as one email account—and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users’ emails.” The new policy directive explains, however, that “claiming to be conducting security research is not a free pass for those acting in bad faith,” and provides that “discovering vulnerabilities in devices in order to extort their owners, even if claimed as ‘research,’ is not in good faith.”
FCC acts to stop international robocalls
On May 19, the FCC unanimously adopted proposed rules to ensure gateway providers that channel international call traffic comply with STIR/SHAKEN caller ID authentication protocols and validate the identity of the providers whose traffic they are routing to help weed out robocalls. As part of the agency’s robocall mitigation efforts, the proposed rules would require gateway providers to (i) “develop and submit traffic mitigation plans to the Robocall Mitigation Database”; (ii) “apply STIR/SHAKEN caller ID authentication to all unauthenticated foreign-originated Session Initiation Protocol (SIP) calls with U.S. North American Numbering Plan (NANP) numbers”; and (iii) “respond to traceback requests in 24 hours, block calls where it is clear they are conduits for illegal traffic, and implement ‘know your upstream provider’ obligations.”
“Gateway providers serve as a critical choke-point for reducing the number of illegal robocalls received by American consumers,” the FCC stated in its announcement. “The new rules require gateway providers to participate in robocall mitigation, including blocking efforts, take responsibility for illegal robocall campaigns on their networks, cooperate with FCC enforcement efforts, and quickly respond to efforts to trace illegal robocalls to their source.” Non-compliance may cause a gateway provider to lose its ability to operate. The FCC also announced it is requesting further comments on a proposal to expand robocall mitigation requirements to intermediate providers in the U.S. and not just gateway providers. The agency will also decide whether anti-robocall and spoofing rules should also apply to these intermediate providers, as they are currently not required to certify with the Robocall Mitigation Database.
Requiring domestic entry points to use STIR/SHAKEN, register in the Robocall Mitigation Database, and comply with traceback requests from the FCC and law enforcement will help the agency “figure out where these junk calls are originating from overseas,” FCC Chairwoman Jessica Rosenworcel said in a statement. “These measures will help us tackle the growing number of international robocalls. Because we can’t have these scam artists multiplying abroad and hiding from our regulatory reach. We also can’t have them hiding from our state counterparts.” To aid efforts, the FCC announced that to date 36 states have signed memoranda of understanding with the agency to share resources and information to reduce robocalls.
FDIC approves final rule for trust, mortgage servicing account insurance
On May 18, the FDIC published a final rule that amends the deposit insurance regulations for trust accounts and mortgage servicing accounts. According to the FDIC, the final rule is “intended to make the deposit insurance rules easier to understand for depositors and bankers, facilitate more timely insurance determinations for trust accounts in the event of a bank failure, and enhance consistency of insurance coverage for mortgage servicing account deposits.”
The final rule, among other things: (i) establishes updates to the Banker Resources Guide Deposit Insurance Page with the Small Entity Compliance Guide (Community Bank Information) to promote understanding of the regulations; (ii) amends the deposit insurance regulations by merging the revocable and irrevocable trusts categories; (iii) “amends the regulation to expand the current per-borrower coverage of up to $250,000 to include any funds paid into the account to satisfy the principal and interest obligation of the mortgagors to the lender”; and (iv) establishes that certain “depositors within excess of $1.25 million in trusts deposits at a particular IDI may want to make changes given the new coverage limits” effective April 1, 2024.
CFPB affirms states may enforce CFPA and other federal laws
On May 19, the CFPB issued an interpretive rule addressing states’ authority to bring enforcement actions for violations of federal consumer financial protection laws, including the CFPA. Though the Bureau is charged with, among other things, administering, interpreting, and enforcing federal consumer financial laws, a category that includes the CFPA itself, the agency said it is not the only enforcer of these laws. According to the interpretive rule, “states can enforce [federal consumer financial laws] to the full extent authorized under those laws—including against entities that are not covered persons or service providers (and thus not subject to liability under section 1036(a)(1)(A)) and including against national banks and Federal savings associations.”
The interpretive rule establishes:
- States can enforce any provision of the CFPA, which includes making it unlawful for covered persons or service providers to violate any provision of federal consumer financial protection law. This provision covers the CFPA itself, in addition to its 18 enumerated consumer laws and certain other laws, along with any rule or order prescribed by the Bureau under the CFPA, an enumerated consumer law, or pursuant to certain other authorities.
- States can pursue claims and actions against a broad range of entities. The interpretive rule states that “the limitations on the Bureau’s authority in sections 1027 and 1029 generally do not constrain States’ enforcement authority.” States can bring actions against a broader cross-section of companies and individuals.
- States may pursue actions under section 1042 even if the Bureau is pursuing a concurrent enforcement action against the same entity. States are not restricted from bringing enforcement actions in coordination with the Bureau, and may also bring an enforcement action to stop or remediate harm that is not addressed by an action taken by the Bureau against the same entity. “Nothing in the [CFPA] precludes these complementary enforcement activities that serve to protect consumers at both the national and state levels,” the Bureau said in its announcement.
The Bureau stated the interpretive rule is a “part of the CFPB’s expansion of its efforts to support state enforcement activity,” and noted that it “plans to consider other steps to promote state enforcement of federal consumer financial protection law, including ways to facilitate victim redress.”
FDIC rule seeks to thwart misrepresentations about deposit insurance
On May 17, the FDIC approved a final rule implementing its authority to prohibit any person or organization from making misrepresentations about FDIC deposit insurance or misusing the FDIC’s name or logo. According to the FDIC, the final rule responds to the “increasing number of instances where individuals or entities have misused the FDIC’s name or logo, or have made false or misleading representations about deposit insurance.” To promote transparency on the FDIC’s processes for investigating and enforcing potential breaches of prohibitions under Section 18(a)(4) of the Federal Deposit Insurance Act, the final rule clarifies the agency’s procedures for identifying, investigating, and where necessary, taking formal and informal action to address potential violations, and establishes a primary point-of-contact for receiving complaints and inquiries about potential misrepresentations regarding deposit insurance. The final rule takes effect 30 days after publication in the Federal Register.
In response, the CFPB released Consumer Financial Protection Circular 2022-02 to provide that covered firms are likely in violation of the CFPA’s prohibition on deceptive acts or practices “if they misuse the name or logo of the FDIC or engage in false advertising or make material misrepresentations to the public about deposit insurance, regardless of whether such conduct (including the misrepresentation of insured status) is engaged in knowingly.” As previously covered by InfoBytes, the newly introduced circulars serve as policy statements for other agencies with consumer financial protection responsibilities. Specifically, the Bureau warned that (i) “[m]isrepresenting the FDIC logo or name will typically be a material misrepresentation”; (ii) claiming “financial products or services are ‘regulated’ by the FDIC or ‘insured’ or ‘eligible for’ FDIC insurance are likely deceptive if those claims expressly or implicitly indicate that the product or service is FDIC-insured when that is not in fact the case” (e.g. emerging financial products and services including digital assets and crypto-assets); and (iii) misusing the FDIC’s name or logo creates harm for firms that engage in honest advertising and marketing. CFPB Director Rohit Chopra, as an FDIC board member, announced the Bureau’s support for the final rule. “Misrepresentation claims about deposit insurance are particularly relevant today,” Chopra noted. “FDIC staff has noted an uptick in potential violations in recent years. We are especially concerned about potential misconduct involving novel technologies, including so-called stablecoins and other crypto-assets. While new technologies may yield significant benefits for households, workers, and small businesses, they nonetheless pose risks to consumers who may be baited by misrepresentations or false advertisements about deposit insurance.”
Acting Comptroller of the Currency Michael J. Hsu specifically called out the timeliness of the final rule in light of changes in the marketplace, technological developments, and rapidly evolving consumer behaviors. The final rule “is especially important in light of the growth of nonbank crypto firms and fintechs and their relationships with banks,” Hsu stated. “The potential for consumer confusion about the status of cash held at these firms is high and this final rule will help provide clarity.”
CFPB seeks consistent enforcement of consumer financial law
On May 16, the CFPB launched a new system for providing transparent guidance on how the agency intends to administer and enforce federal consumer financial laws. Consumer Financial Protection Circular 2022-01 discusses the broad variety of agencies responsible for enforcing federal consumer financial law, including the CFPA’s prohibition on unfair, deceptive, and abusive acts or practices, and 18 other “enumerated consumer laws” (some of which provide for private enforcement). The circulars will serve as policy statements under the Administrative Procedure Act for other agencies with consumer financial protection responsibilities such as the FDIC, OCC, Federal Reserve Board, and NCUA. Because other federal agencies, including the DOJ, the FTC, the Farm Credit Administration, and the Departments of Transportation and Agriculture, also have certain enforcement responsibilities, the Bureau stressed the importance of ensuring entities subject to the jurisdiction of multiple agencies receive consistent expectations regardless of a company’s status. Specifically, the circulars “will provide background information about applicable law, articulate considerations relevant to the CFPB’s exercise of its authorities, and advise other parties with authority to enforce federal consumer financial law.” The Bureau announced it has identified several issues that would benefit from clear and consistent enforcement and strongly encouraged other agencies to reach out to the Bureau with suggestions for new circulars. Circulars will be authorized by CFPB Director Rohit Chopra and published on the Bureau’s website and in the Federal Register. The Bureau also welcomes feedback on any issued circulars.
Agencies issue revised interagency flood insurance Q&As
On May 11, the FDIC, OCC, Federal Reserve Board, NCUA, and the Farm Credit Administration (the agencies) jointly issued revised, reorganized, and expanded interagency questions and answers (Q&As) regarding federal flood insurance laws. The revised Q&As supersede versions published in 2009 and 2011, and consolidate Q&As proposed by the agencies in 2020 and 2021 (covered by InfoBytes here). Reflecting significant changes to flood insurance requirements made by the Biggert-Waters Flood Insurance Reform Act and the Homeowner Flood Insurance Affordability Act, as well as regulations issued by the agencies to implement these laws, the revised Q&As consist of 144 Q&As (including 24 private flood insurance Q&As) covering a range of topics, including the escrow of flood insurance premiums, the detached structure exemption to the mandatory flood insurance purchase requirement, force placement procedures, and the acceptance of flood insurance policies issued by private insurers. The agencies also made non-substantive revisions to certain Q&As to provide more direct responses to questions asked, additional clarity, or make technical corrections. In response to concerns raised by several commenters, the agencies confirmed that they are providing the interagency Q&As “as guidance only,” and clarified that “all the Q&As apply to all policies, whether [National Flood Insurance Program] or a flood insurance policy issued by a private insurance company, unless otherwise noted in the Q&A.” Additionally, the agencies noted “that they are working individually and on an interagency basis to address financial risks associated with climate change consistent with the [a]gencies’ regulatory and supervisory authorities,” and therefore “decline to make changes to any of the Q&As in response to climate risk change.
The same day, the agencies issued Loans in Areas Having Special Flood Hazards; Interagency Questions and Answers Regarding Flood Insurance. The interagency questions and answers replace the 2009 and 2011 publications and consolidate Q&As proposed by the agencies in July 2020 and in March 2021. This bulletin rescinds: (i) OCC Bulletin 2009-26, Flood Disaster Protection Act: Revised Interagency Questions and Answers Regarding Flood Insurance; (ii) OCC Bulletin 2011-42, Flood Disaster Protection Act: Interagency Questions and Answers Regarding Flood Insurance’ (iii) OCC Bulletin 2020-69, Flood Disaster Protection Act: Proposed Revisions to Interagency Questions and Answers Regarding Flood Insurance; (iv) OCC Bulletin 2020-78, Flood Disaster Protection Act: Agencies Extend Comment Period on Proposed Revisions to Interagency Questions and Answers Regarding Flood Insurance; and (v) OCC Bulletin 2021-13, Flood Disaster Protection Act: Proposed Interagency Questions and Answers Regarding Private Flood Insurance.
Agencies overhaul CRA requirements
On May 5, the Federal Reserve Board, FDIC, and OCC (collectively, “agencies”) issued a joint notice of proposed rulemaking (NPRM) on new regulations implementing the Community Reinvestment Act (CRA) to update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. According to the NPRM, the “CRA encourages banks to help meet the credit needs of the local communities in which they are chartered, consistent with a bank’s safe and sound operations, by requiring the Federal banking regulatory agencies to examine banks’ records of meeting the credit needs of their entire community, including low- and moderate-income neighborhoods.” The agencies are, among other things, proposing to:
- Expand access to credit, investment, and banking services in low- and moderate-income (LMI) communities to promote community engagement and financial inclusion. The proposal would also evaluate bank lending to small businesses and farms with gross annual revenues of $250,000 or less to maintain focus on the borrowers with the greatest need;
- Adapt changes to update CRA assessment areas to include activities associated with online and mobile banking, branchless banking, and hybrid models;
- Use a retail lending volume screen and metric-based performance ranges to evaluate a bank’s retail lending volumes. CRA evaluations of retail lending and community development financing will include public benchmarks for greater clarity and consistency. The proposal would also clarify eligible CRA activities, such as affordable housing, that are focused on LMI, underserved, and rural communities;
- Tailor CRA evaluations and data collection to recognize differences in bank size and business models. Smaller banks would continue to be evaluated under the existing CRA framework with the option of being evaluated under aspects of the proposed framework; and
- Maintain a unified approach across agencies and incorporate stakeholder feedback.
The agencies also released a Fact Sheet describing key elements of the proposal. Acting Comptroller of the Currency, Michael J. Hsu, called the issuance of the joint NPRM an “important milestone” in bringing the three federal banking agencies back together to develop a uniform approach for addressing inequalities in credit access and other financial services. Fed Governor Lael Brainard pointed out that “[t]he last major revisions to the CRA regulations were made in 1995.” “The CRA is one of our most important tools to improve financial inclusion in communities across America, so it is critical to get reform right,” she stressed. CFPB Director Rohit Chopra, who voted in favor of the NPRM as an FDIC board member, said the proposal “better effectuates Congressional directives intended to ensure that the needs of historically underserved individuals and communities are adequately met,” but reminded policymakers that it is also important “to consider whether nonbank mortgage lenders should also be required to better meet the needs of the communities they serve.” Treasury Secretary Janet Yellen similarly applauded the release of the NPRM. Comments on the NPRM are due August 5.
A Buckley Special Alert is forthcoming.
FTC proposes TSR amendments to extend robocall protections
On April 28, the FTC proposed rulemakings to extend protections for small businesses against telemarketing business-to-business schemes and strengthen safeguards to protect consumers from other telemarking scams. Both the notice of proposed rulemaking (NPR) and advance notice of proposed rulemaking (ANPRM) stem from the FTC’s regulatory review of the Telemarketing Sales Rule (TSR) and address public comments received as part of the review.
The NPR proposes to amend TSR recordkeeping requirements to require telemarketers to retain seven new categories of information related to their telemarketing activities, including records concerning each unique prerecorded message, records sufficient to show the established business relationship between a seller and a consumer, records of the service providers used by a telemarketer to deliver outbound calls, and records of the FTC’s Do Not Call Registry that were used to ensure compliance with this rule. Additionally, the NPR seeks comments on whether the FTC should amend the TSR to prohibit material misrepresentations and false or misleading statements in business-to-business telemarketing transactions to prevent harm caused by deceptive telemarketing, and proposes adding a definition of “previous donor” related to charitable donation solicitations.
The ANPRM seeks comments on a range of issues related to whether calls related to tech-support scams should be covered by the TSR, whether telemarketers should be required to provide consumers with a simple click-to-cancel process when they sign up for subscription plans, and whether the TSR should stop treating telemarketing calls made to businesses differently from those made to consumers. According to the FTC, robocalls made to businesses are generally exempt from certain TSR provisions.
Comments on both proposed rulemakings are due 60 days after publication in the Federal Register.