InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FinCEN rules on currency transaction reporting
On February 10, the Financial Crimes Enforcement Network (FinCEN) issued administrative ruling FIN-2020-R001 to clarify requirements for financial institutions’ reporting of currency transactions involving sole proprietorships and legal entities operating under a “doing business as” (DBA) name. The ruling replaces and rescinds two prior rulings (FIN-2006-R003 and FIN-2008-R001), and addresses reporting requirements when filing current Currency Transaction Report (CTR) FinCEN Form 112. In the ruling, FinCEN defines a sole proprietorship as “a business in which one person, operating in his or her own personal capacity, owns all of the business’s assets and is responsible for all of the business’s liabilities.” To remain consistent with the Bank Secrecy Act definition of a “person” (where a sole proprietorship is not separate from its individual owner), FinCEN instructs financial institutions to complete CTR FinCEN Form 112 for transactions involving a sole proprietorship with the individual owner’s name and information. The ruling also instructs institutions that additional entries may be required in instances where an individual owner operates a business under a DBA, or multiple DBAs. FinCEN also advises that when a CTR is prepared for a legal entity such as a partnership, incorporated business, or limited liability company, the form should contain, among other things, the entity’s home office or headquarters information. According to the ruling, “[w]hen multiple entity locations are involved in an aggregated CTR, a separate Part I section should be prepared for each location involved.”
SEC commissioner proposes cryptocurrency safe harbor
On February 6, SEC Commissioner Hester M. Pierce announced her proposal for a three-year safe harbor rule applicable to companies developing digital assets and networks. Pierce suggested that not only would the rule provide regulatory flexibility “that allows innovation to flourish,” but it would also protect investors by “requiring disclosures tailored to their needs” while still maintaining anti-fraud safeguards, allowing investors to participate in token networks of their choice. Proposed Securities Act Rule 195 would allow companies to sell or offer tokens without being subject to the Securities Act of 1933, and without the tokens being subject to the registration requirements of the Securities Act of 1934. In order to qualify for these exemptions, the proposed rule requires that a company developing a network must, among other things, (i) “intend for the network on which the token functions to reach network maturity…within three years of the date of the first token sale”; (ii) disclose key information on a freely accessible public website,” including applicable source code and descriptions of how to search and verify transactions on the network; (iii) offer and sell its tokens in order to allow access to or development of its network; (iv) make “good faith and reasonable efforts to create liquidity for users”; and (v) “file a notice of reliance” with the SEC’s EDGAR system within 15 days of the company’s first token sale made in reliance on the safe harbor. Pierce suggested that the three-year grace period for qualifying companies would allow time for the development of decentralized or functional networks, and, at the end of the three years, a successful network’s tokens would not be regulated as securities.
Fed, OCC issue 2020 stress test, capital adequacy scenarios
On February 6, the Federal Reserve Board (Fed) released the hypothetical scenarios banks and supervisors will use to conduct the 2020 Comprehensive Capital Analysis and Review (CCAR) and Dodd-Frank Act stress tests exercises for large bank holding companies and large U.S. operations of foreign firms. This year’s stress tests will evaluate 34 large banks with more than $100 billion in total assets to ensure that these banks have adequate capital and processes to continue lending to households and businesses, even during a severe recession. Both scenarios—baseline and severely adverse—include 28 variables that cover domestic and international economic activity. In addition, banks with large trading operations must also factor in a global market shock component as part of their scenarios. Capital plan and stress testing submissions are due by April 6. The Fed noted that it “continues to work toward having the stress capital buffer in place for this year’s stress tests,” and that “[t]he release of these hypothetical scenarios does not affect that separate rulemaking process.”
In related news, on February 6 the OCC also released its own stress testing scenarios for OCC-supervised institutions.
Fannie, Freddie to drop LIBOR in favor of SOFR
On February 5, the FHFA announced updated LIBOR transition plans for Fannie Mae and Freddie Mac (GSEs) single-family and multi-family mortgage sellers and lenders, providing the next steps in the transition from LIBOR to the Secured Overnight Financing Rate (SOFR) for adjustable rate mortgage (ARM) instruments. The next steps include (i) a “[n]ew language require[ment] for single-family Uniform…ARM instruments closed on or after June 1, 2020”; (ii) a requirement that “[a]ll LIBOR-based single-family and multifamily ARMs…loan application dates [must be] on or before September 30, 2020 to be eligible for acquisition”; and (iii) that “[a]cquisitions of single-family and multifamily LIBOR ARMs will cease on or before December 31, 2020.” The announcement links to information directly from the two GSEs: Fannie Mae Multifamily Mortgage Business Lender Letter 20-02, and Fannie Mae Single-Family Sellers Lender Letter LL-2020-01; and Freddie Mac Selling Updates Bulletin 2020-1 and Freddie Mac Multifamily Update on LIBOR Transition. The FHFA LIBOR Transition page notes that the GSEs have already stopped buying ARMs based on LIBOR that mature after 2021 in preparation for the termination of the benchmark’s use.
CFPB, DOE sign MOU on student loan complaint data
On February 3, the CFPB and the Department of Education (Department) announced a new agreement to share student loan complaint data. (See press releases here and here.) The newly signed Memorandum of Understanding (MOU) is the first information sharing agreement between the agencies since the Department terminated two MOUs in 2017. As previously covered by InfoBytes, the Department cancelled the “Memorandum of Understanding Between the Bureau of Consumer Financial Protection and the U.S. Department of Education Concerning the Sharing of Information” and the “Memorandum of Understanding Concerning Supervisory and Oversight Cooperation and Related Information Sharing Between the U.S. Department of Education and the Consumer Financial Protection Bureau,” and at the time rebuked the Bureau for overreaching and undermining the Department’s mission to serve students and borrowers.
The new MOU clarifies the roles and responsibilities for each agency and permits the sharing of student loan complaint data analysis and other information and recommendations. Among other responsibilities, the Department will direct complaints related to private loans governed by TILA to the Bureau, and both agencies will discuss complaints regarding federal student loans with program issues that may have an impact on federal consumer financial laws. The agencies will also conduct quarterly meetings to discuss complaint observations and borrower characteristics, as well as complaint resolution information when available. Additionally, the MOU addresses permissible uses and confidentiality of exchanged information and the development of tools for sharing data analytics.
The MOU was released a few days after Senators Sherrod Brown (D-Ohio) and Robert Menendez (D-NJ) sent a letter to CFPB Director Kathy Kraninger expressing frustration with the Bureau’s oversight of federal student loan servicers and delay in reestablishing an MOU with the Department that would allow the Bureau to resume examining federal student loan servicers.
FHFA updates Fannie, Freddie seller/servicer eligibility
On January 31, the FHFA proposed updated minimum financial requirements for Fannie Mae and Freddie Mac (GSEs) single-family mortgage sellers and servicers. The updates are designed to provide transparency and consistency of capital and liquidity requirements for sellers and servicers with different business models. A key improvement to the 2015 minimum financial requirements (covered by InfoBytes here), FHFA stated, is that the updated standards will establish financial requirements for servicing Ginnie Mae mortgages. FHFA further noted that the new minimum liquidity standards will only be applied to non-depository institutions—depository institutions will continue to rely on their existing regulatory standards to meet the GSEs’ capital and liquidity requirements. FHFA will accept comments on the proposal for 60 days, and anticipates finalizing the requirements in the second quarter of 2020, with an expected effective date six months after finalization.
Fed clarifies bank control structure under BHC and HOLA
On January 30, the Federal Reserve Board (Fed) issued a final rule to simplify and increase the transparency of existing rules for determining if a company has control over a banking organization under the Bank Holding Company Act (BHC Act) and the Home Owners’ Loan Act (HOLA). According to the Fed, the final rule—proposed last April (covered by InfoBytes here)—establishes “a comprehensive and public framework to determine when a company controls a bank or a bank controls a company” through the use of several key factors including “the company’s total voting and non-voting equity investment in the bank; director, officer, and employee overlaps between the company and the bank; and the scope of business relationships between the company and the bank.” A tiered presumptions visual accompanied the final rule, which outlines the determination of control based on the level of voting ownership at four different thresholds: less than 5 percent; 5 to 9.99 percent; 10 to 14.99 percent; and 15 to 24.99 percent. In addition, the Fed noted that the final rule “generally applies the same standards in the context of the BHC Act and HOLA” in terms of the definition of “control.” Federal Reserve Governor Lael Brainard issued a statement supporting the final rule, but stressed the importance of monitoring banking organizations’ ownership structures in light of the “control framework” and industry trends in order to identify issues affecting financial stability and competition. Brainard further emphasized that the “control framework” should be monitored in terms of how it interacts with other regulations involving ownership thresholds. The final rule takes effect April 1.
Agencies to modify Volcker Rule’s “covered funds” requirements
On January 30, the OCC, Federal Reserve Board, FDIC, SEC, and CFTC issued a notice of proposed rulemaking to modify and streamline the “covered funds” requirements under Section 13 of the Bank Holding Company Act, commonly known as the Volcker Rule (Rule). As previously covered by InfoBytes, last fall the regulators signed off on final revisions to the Rule to simplify and tailor its restrictions on a banking entity’s ability to engage in proprietary trading and own certain funds. Specifically, the proposed amendments would modify the restrictions for banking entities investing in, sponsoring, or having certain relationships with covered funds, including simplifying provisions related to foreign public funds, loan securitizations, and small business investment companies. The amendments would also, among other things, (i) limit the extraterritorial impact of the Rule on certain foreign funds offered by foreign banks to foreign investors; (ii) modify and propose several existing exclusions to allow banking entities to invest in or sponsor certain types of funds—subject to certain safeguards—such as credit funds, venture capital funds, family wealth management vehicles, and customer facilitation funds; and (iii) permit intraday extensions of credit, payment, clearing, and settlement transactions between a banking entity and covered funds the banking entity advises or sponsors, or with which the banking entity has certain other relationships. Comments will be accepted through April 1.
FDIC finalizes securitization safe harbor
On January 30, the FDIC adopted the Final Rule to Revise Securitization Safe Harbor Rule (rule) as recommended by FDIC staff in a memorandum dated January 23. In July, as previously covered by InfoBytes, the FDIC approved a proposal to remove the requirement that, for safe harbor treatment, “the documents governing a securitization issuance require compliance with Regulation AB” of the SEC Regulation AB, “in circumstances where Regulation AB is not, by its terms, applicable to that transaction.” The proposal suggested that “it is no longer clear that compliance with the public disclosure requirements of Regulation AB in a private placement or in an issuance not otherwise required to be registered is needed to achieve the policy objective of preventing a buildup of opaque and potentially risky securitizations such as occurred during the pre-crisis years, particularly where the imposition of such a requirement may serve to restrict overall liquidity.” The final rule—which is unchanged from the proposal—eliminates the “significant disclosure requirements” to no longer mandate that private placements of securitization obligations provide Regulation AB disclosures. With the adoption of the final rule, only those transactions that are subject to Regulation AB are required to make the disclosures. The rule is expected to increase the securitization of residential mortgages and will become effective 30-60 days after it is published in the Federal Register.
SEC reports cybersecurity and resiliency observations
On January 27, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of a report entitled Cybersecurity and Resiliency Observations, compiled from an assessment of prior examinations. The report provides best practices for regulated entities to increase readiness and awareness related to cybersecurity. Echoing themes from the OCIE’s risk-based exam priorities, previously covered by InfoBytes here, the report also emphasizes risk management. Some of the highlights of the report include:
- Governance and Risk Management. OCIE lists senior level engagement as an important factor in an effective cybersecurity program. Also important is a thorough program risk assessment as well as the application of policies and procedures based on the assessment. Additionally, the cybersecurity program should continuously evolve, and provide for constant testing and monitoring.
- Access Rights and Controls. OCIE emphasizes the need for controls to limit access to certain data only to authorized users. Organizations should set out policies and procedures to monitor for unauthorized users, require periodic password changes for users, and review systems for changes that are not approved.
- Data Loss Prevention. Many firms protect sensitive data by using vulnerability scanning as well as perimeter security to monitor network traffic. Firms may utilize technology that can monitor for and detect network threats and insider threats. Also, encrypting data as it moves into and out of the network, and segmenting data for use only by authorized systems are key data loss prevention measures.
- Mobile Security. Firms that use mobile devices and applications may require enhanced security policies including the use of multi-factor authentication, limiting firm information that can be extracted from devices, and enabling the firm to remotely clear content when devices are lost or stolen. Training is also an important practice.
- Incidence Response and Resiliency. Effective risk-based incident response plans developed by firms focus on detection and corrective actions. The plans include business continuity as well as regular testing and reassessment of the plan.
- Vendor Management. OCIE promotes proper due diligence of vendors as well as effective management of vendors including monitoring and testing to ensure security requirements are continually met.
- Training and Awareness. OCIE notes that many firms incorporate effective policies and procedures into training, periodically re-evaluate training programs, and ensure employee participation.