InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC approves five FCRA rule changes for auto dealers
On September 8, the FTC announced it approved final revisions to rules that would implement parts of the FCRA in line with the Dodd-Frank Act. As previously covered by InfoBytes, the agency sought comment on the proposed rule changes in 2020. In separate notices, the FTC approved largely technical, non-substantive changes, clarifying five FCRA rules enforced by the FTC, which apply only to motor vehicle dealers. The changes affect the following rules:
- Address Discrepancy Rule, which requires users of consumer reports to implement policies and procedures for, among other things, handling notices of address discrepancy received from a nationwide consumer reporting agency (CRA) and furnishing an address for a consumer that a “user has reasonably confirmed as accurate to the CRA from whom it received the notice.”
- Affiliate Marketing Rule, which provides consumers the right to restrict a person from using certain information received from an affiliate to make solicitations.
- Furnisher Rule, which requires entities to implement policies and procedures regarding the accuracy and integrity of the consumer information they provide to a CRA.
- Pre-screen Opt-Out Notice Rule, which outlines requirements for those who use consumer reports to make unsolicited credit or insurance offers to consumers.
- Risk-Based Pricing Rule, which requires that persons who use information from a consumer report to offer less favorable terms are required to provide a risk-based pricing notice to consumers about the use of such data.
Treasury seeks info on climate-related financial risks in the insurance sector
On August 31, the U.S. Treasury Department announced a request for information (RFI) seeking public comments on the Federal Insurance Office’s (FIO) future work related to the insurance sector and climate-related financial risks. The RFI is in response to an executive order issued by President Biden in May, which instructed financial regulators to take steps to mitigate, among other things, climate-related risk related to the financial system (covered by InfoBytes here). Among other things, the FIO will focus on the following initial climate-related priorities: (i) “assessing climate-related issues or gaps in the supervision and regulation of insurers, including their potential impacts on U.S. financial stability”; (ii) “assessing the potential for major disruptions of private insurance coverage in U.S. markets that are particularly vulnerable to climate change impacts, as well as facilitating mitigation and resilience for disasters”; and (iii) “increasing FIO’s engagement on climate-related issues and leveraging the insurance sector’s ability to help achieve climate-related goals.” Responses will help FIO monitor and assess the implications of climate-related financial risks for the insurance sector, and help FIO better understand how to collect “high-quality, reliable, and consistent data” required to accomplish FIO’s objectives.
Agencies issue fintech guidance for community banks
On August 27, the FDIC, OCC, and Federal Reserve Board released a guide as part of its efforts to promote and support the adoption of new technologies by financial institutions. (See also FIL-59-2021 and OCC Bulletin 2021-40.) The Conducting Due Diligence on Financial Technology Companies: A Guide for Community Banks is intended to help community banks conduct due diligence when considering relationships with prospective fintech companies. Among other things, the guide addresses six key due diligence topics for community banks to consider, including (i) business experience, strategic goals, and qualifications; (ii) financial conditions and market information; (iii) legal and regulatory compliance; (iv) risk management policies, processes, and controls; (v) information security programs; and (vi) operational resilience, such as business continuity planning, incident response, service level agreements, and reliance on subcontractors. The guide also provides practical sources of information that may be useful when evaluating fintech companies. The agencies note that use of the guide, which is consistent with the FDIC’s Guidance for Managing Third-Party Risk, is voluntary and that the guide does not anticipate all types of fintech relationships and risks. Consistent with risk-based programs, a community bank may tailor how it uses the information “based on specific circumstances, the risks posed by each third-party relationship, and the related product, service, or activity. . . offered by the fintech company.”
OCC releases new Model Risk Management booklet
On August 18, the OCC issued a new Model Risk Management booklet as part of the Comptroller’s Handbook’s safety and soundness series. The booklet is used by OCC examiners when examining and supervising national banks, federal savings associations, and federal branches and agencies of foreign banking organizations. Among other things, the new booklet (i) outlines model risk management concepts and general principles; (ii) “informs and educates examiners about sound model risk management practices that should be assessed during an examination”; and (iii) “provides information needed to plan and coordinate examinations on model risk management, identify deficient practices, and conduct appropriate follow-up.” The booklet aligns with principals laid out in OCC Bulletin 2011-12 “Sound Practices for Model Risk Management: Supervisory Guidance on Model Risk Management.”
FINRA reminds firms of third-party supervisory obligations
On August 13, the Financial Industry Regulatory Authority (FINRA) reminded member firms of their supervisory obligations related to outsourcing to third-party vendors. Regulatory Notice 21-29 reiterates that supervisory obligations under FINRA Rule 3110 extend to member firms’ outsourcing of certain “covered activities” and reminds firms that under Regulatory Notice 05-48, “‘outsourcing an activity or function to … [a vendor] does not relieve members of their ultimate responsibility for compliance with all applicable federal securities laws and regulations and [FINRA] and MSRB rules regarding the outsourced activity or function.’” Emphasizing that “member firms have continued to expand the scope and depth of their use of technology and have increasingly leveraged [v]endors to perform risk management functions and to assist in supervising sales and trading activity and customer communications,” FINRA reminds member firms that supervisory systems and associated written supervisory procedures extend to the “outsourced activities or functions” of their vendors. The notice also cites examples of violations uncovered during previous examinations linked to third-party vendors related to data integrity, cybersecurity and technology governance, and books and records requirements. These include instances where firms’ vendors failed to implement technical controls or failed to properly manage customers’ nonpublic information. Member firms are encouraged to take a “risk-based approach” to vendor management and to assess whether their supervisory procedures for third-party vendors are “sufficient to maintain compliance with applicable rules.”
OCC updates bank accounting guidance
On August 16, the OCC released an annual update to its Bank Accounting Advisory Series (BAAS). Intended to address a variety of accounting topics and promote consistent application of accounting standards and regulatory reporting among OCC-supervised banks, the BAAS reflects updates to accounting standards issued by the Financial Accounting Standards Board through March 31, 2021, related to, among other things, (i) the amortization of premiums on callable debt securities; and (ii) evaluating goodwill impairment triggering events for private companies. The 2021 edition also includes answers to frequently asked questions from industry and bank examiners. Additionally, the OCC notes that the BAAS does not represent OCC rules or regulations but rather “represents the Office of the Chief Accountant’s interpretations of generally accepted accounting principles and regulatory guidance based on the facts and circumstances presented.”
OCC updates Liquidity booklet
On August 16, the OCC issued Bulletin 2021-38 announcing the updated version of the Liquidity booklet of the Comptroller’s Handbook. The booklet replaces the 2012 version and provides information and examination procedures on liquidity coverage ratio and net stable funding ratio requirements. Among other things, the revised booklet: (i) discusses risks associated with liquidity; (ii) reflects changes in regulations and relevant OCC issuances since 2012; and (iii) clarifies edits on supervisory guidance, sound risk management practices, and legal language.
HUD and FHFA announce fair housing collaboration
On August 12, HUD announced a Memorandum of Understanding (MOU) with FHFA regarding fair housing and fair lending coordination. The MOU—a “first-of-its-kind collaborative agreement”—will expire in December 2025, and is intended to enhance enforcement of the Fair Housing Act and the agencies’ oversight of Fannie Mae, Freddie Mac, and the Federal Home Loan Banks. According to HUD, the agencies “anticipate that the MOU will lead to stronger oversight that will help advance vigorous fair housing enforcement that can begin to redress our nation’s history of discriminatory housing practices.”
FFIEC gives authentication and access guidance to financial institutions
On August 11, the Federal Financial Institutions Examinations Council (FFIEC) published guidance, on behalf of its members, to provide financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and financial institution information systems. Among other things, the guidance: (i) acknowledges significant risks associated with the cybersecurity threat landscape, which reinforces the need for financial institutions to effectively authenticate users and for customers to protect information systems, accounts, and data; (ii) provides examples of effective risk assessment practices, such as inventory of information systems and inventory of digital banking services and customers; and (iii) indicates that single-factor authentication with layered security is inadequate, therefore, multi-factor authentication or controls of equivalent strength with layered security may be more effective.
The guidance replaces the FFIEC-issued Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011).
FHFA includes rental history in underwriting
On August 11, FHFA announced that Fannie Mae will consider rental payment history in its risk assessment processes to expand access to credit in a safe and sound manner. According to FHFA, the update to Fannie Mae’s systems will provide future borrowers the benefit of a positive rental payment history to be included in an underwriting decision.