InfoBytes Blog

Financial Services Law Insights and Observations

  • Agencies update guidance on liquidity risks and contingency planning

    On July 28, the OCC, FDIC, NCUA and Fed issued an addendum to the Interagency Policy Statement on Funding and Liquidity Risk Management, issued in 2010. The update on liquidity risks and contingency planning emphasizes that depository institutions should regularly evaluate and update their contingency funding plans, referencing the unprecedented deposit outflows resulting from the early 2023 bank failures. According to the addendum, depository institutions should assess the stability of their funding, keep a range of funding sources, and regularly test any contingency borrowing lines in order to prepare staff in the case of adverse circumstances. Additionally, the addendum states that if contingency funding arrangements include discount windows, the depository institutions should ensure they can borrow from the discount window by (i) establishing borrowing arrangements; (ii) confirming that collateral is available to borrow in an appropriate amount; (iii) conducting small value transactions regularly to create familiarity with discount window operations; (iv) establishing familiarity with the pledging process for collateral types; and (v) being aware that pre-pledging collateral can be useful in case liquidity needs arise quickly. The agencies also state that federal and state-chartered credit unions can access the Central Liquidity Facility, which provides contingent, federally sourced backup liquidity where a credit union’s liquidity and market funding sources prove inadequate.

    Bank Regulatory Federal Issues OCC NCUA Federal Reserve FDIC Credit Union Liquidity Risk Management

  • Biden Administration to improve small business loan program

    Federal Issues

    On August 1, the SBA announced implementation of additional policies aimed at expanding small businesses’ access to capital by modernizing SBA’s signature 7(a) and 504 Loan Programs. The new simplified guidelines for lenders include updated origination policies and procedures, lender participation requirements, and 7(a) loan servicing and liquidation requirements. SBA has also clarified affiliation standards to effectively communicate who qualifies for SBA loans, will use technology updates to bring eligibility determinations in-house, and will also use advanced data analytics and third-party data checks for fraud review on all loan programs before approval.

    The following three SBA SOPs took effect on August 1, bringing many of the new policies into practice:

    Finally, the SBA will begin accepting the Universal Purchase Package, a new feature that is expected to streamline the process for lenders to request SBA honor its loan guaranty. SBA will also introduce new features in E-TRAN, SBA’s online platform used by lenders to upload loan applications.

    Federal Issues Agency Rule-Making & Guidance SBA Biden CFPB Small Business Lending

  • Biden Administration, agencies take action to protect renters

    Federal Issues

    On July 27, the Biden administration released a fact sheet detailing new actions to develop the Blueprint for a Renters Bill of Rights, which was rolled out early this year (covered by InfoBytes here). The three new actions aim to support renters by (i) “ensuring all renters have an opportunity to address incorrect tenant screening reports”; (ii) “providing new funding to support tenant organizing efforts”; and (iii) “ensuring that renters are given fair notice in advance of eviction.” Additionally, the CFPB, USDA, FHFA, and HUD concurrently released statements aimed at landlords, reminding them of “best practices” and their obligation to inform tenants of their rights.

    FHFA published Director Sandra L. Thompson’s statement on “best practices” for the delivery of adverse action notices to renters by GSE-backed multifamily housing borrowers. Referencing research showing that tenant screening reports often contain imprecise or inaccurate information, Director Thompson “strongly encouraged” borrowers who deny a rental application to provide written adverse action notices to the applicants and a copy of any consumer screening report that was relied upon. FHFA’s guidance is based on the FCRA’s requirement that landlords and property managers inform rental applicants of negative information from a consumer screening report that resulted in their rental application being rejected or another unfavorable outcome.

    The CFPB posted a blog entry that emphasized landlords’ obligation under the FCRA adverse action notice requirement, which mandates that landlords who take any action against a current or prospective tenant based on a consumer report notify the tenant of the decision and how they can contact the company that created the report. The Bureau advised that renters have the right to review their rental background check report and to dispute information they believe to be inaccurate and encouraged tenants to obtain a free copy of the report from the company that compiled it and dispute any errors (covered by InfoBytes here).

    In conjunction with the White House press release, HUD announced it is taking multiple actions to improve rental screening transparency and support renters. It is sending reminders to public housing agencies and property owners about their obligation to inform rejected applicants about reasons for their denial, which provides renters with the opportunity to correct any errors. Additionally, HUD is providing $10 million for tenant education and outreach in Section 8 program properties to assist tenants with “capacity building efforts” for engagement with property management. Furthermore, HUD will issue a proposed rule requiring a 30-day written notification for evictions due to nonpayment of rent in certain subsidized housing.

    Also mentioned was the recent White House announcement of actions it is taking to combat “unfair and hidden fees” concerning rental housing (covered by InfoBytes here).

    Federal Issues Agency Rule-Making & Guidance FHFA CFPB Biden

  • FCC fines companies $20M for insufficient consumer data security measures

    Federal Issues

    On July 28, the FCC announced a proposed fine of $20 million for two affiliated mobile carrier companies over alleged violations of FCC rules. The Commission alleged that the companies failed to protect the privacy and security of subscribers’ personal data by violating three provisions of section 64.2010 of FCC rules, which requires carriers to authenticate customers’ identity before providing online access to their network information. The alleged violations included relying on readily available information to control access to the network information and failing to establish “reasonable” data security standards. FCC Chairwoman Jessica Rosenworcel cited such failures to protect consumers’ privacy to underpin the importance of the FCC’s newly established Privacy and Data Protection Task Force (covered by InfoBytes here). The proposed sanctions are not final, and the companies will have an opportunity to respond.

    Federal Issues Privacy, Cyber Risk & Data Security FCC Enforcement Consumer Protection

  • CSBS announces Nonbank Model Data Security Law

    Privacy, Cyber Risk & Data Security

    The Conference of State Bank Supervisors (CSBS) recently released a comprehensive framework for safeguarding sensitive information held at nonbank financial institutions. CSBS’s Nonbank Model Data Security Law is largely based on the FTC’s updated Safeguards Rule, which added specific criteria for financial institutions and other entities, such as mortgage brokers, motor vehicle dealers, and payday lenders, to undertake when conducting risk assessments and implementing information security programs. (Covered by InfoBytes here.) Adopting the Nonbank Model Data Security Law allows for a streamlined and efficient approach to data security regulations for nonbank financial institutions, CSBS explained, adding that by leveraging the existing Safeguards Rule’s applicability to state covered nonbanks, the model law imposes minimal additional compliance burdens and ensures smoother implementation for financial institutions. States can also choose an alternative approach by requiring nonbank financial institutions to conform to the Safeguards Rule, CSBS said.

    The Nonbank Model Data Security Law outlines numerous provisions, which are intended to protect customer information, mitigate cyber threats, and foster a secure financial ecosystem. These include standards for safeguarding customer information, required elements that must be included in a nonbank financial institution’s information security program, and an optional section that requires entities to notify the commissioner in the wake of a security event. CSBS noted that because “the proposed rule on notification requirements for the FTC Safeguards Rule is still pending, the model law allows each state to establish their own customer threshold number, providing flexibility in determining the extent of impact that triggers the notification obligation.” CSBS also provided a list of resources for adopting the Nonbank Model Data Security Law.

    Privacy, Cyber Risk & Data Security State Issues CSBS Nonbank FTC Safeguard Rule Compliance

  • California AG warns against unlawful employer-driven debt arrangements

    State Issues

    On July 25, California Attorney General Rob Bonta issued a Legal Alert to remind all employers of state-law restrictions on employer-driven debt. Bonta highlighted concerns about employers engaging in exploitative practices that lead to employees accumulating debts as a result of their employment. (Also covered by InfoBytes here.) Such practices may include employers withholding wages, failing to reimburse necessary expenses, or charging fees that are unlawful under California labor laws.

    The alert outlines that employer-driven debt arrangements may violate California Labor Code section 2802, “which mandates that employers ‘indemnify employees for all necessary expenditures or losses incurred by the employee in direct consequence of the discharge of his or her duties.’” Regarding job training, the alert mentions that California law forbids employers from making workers repay training costs, except in two cases: (i) when the training is necessary for legally practicing the profession, and (ii) when the worker voluntarily undertakes the training, not due to employer mandate. The alert warns companies that engage in exploitative practices that the protections established in the Labor Code cannot be waived by contract. The alert also states that such practices risk violating the state’s Rosenthal Fair Debt Collection Practices Act, which “prohibits an employer or its agent from engaging in unfair or deceptive acts or practices when attempting to collect on employer-driven debt.” Finally, the alert notes that if an employer takes advantage of a worker’s lack of information or knowledge about the risks or costs of the debt, they may violate the California Consumer Financial Protection Law.

    State Issues State Attorney General California Consumer Finance Employer-Driven Debt Products

  • Supreme Court of New York: FDCPA does not require collectors to explain how debt is acquired

    Courts

    On July 19, the Supreme Court of the State of New York filed an order granting defendants’ motion for summary judgment, ruling that the FDCPA does not require debt collectors to provide debtors with proof of how they came to acquire the debt from the original creditor. One of the defendants purchased plaintiff’s defaulted credit card debt, which was placed with the second defendant for collection. The second defendant sent plaintiff a collection letter that identified the original creditor, along with the last four digits of the account number and identified the current creditor by name. Plaintiff sued, alleging violations of several sections of the FDCPA, claiming the letter was “false, deceptive, and misleading” because he never entered into a transaction with the current creditor and that the defendants reported the alleged debt to the credit reporting agencies. Plaintiff also maintained that prior to filing the lawsuit, he sought to validate the alleged debt but that neither defendant provided information sufficient to establish the current creditor’s ownership of the debt. Defendants filed for summary judgment seeking dismissal of plaintiff’s claims. In granting the motion, the court held that nothing in the FDCPA requires debt collectors “to educate the debtor ‘with proof, or at least a narrative, as to how it came to acquire the debt from [the] original creditor,’” and that the statute does not require plaintiffs to be notified when their debt is sold.

    Courts State Issues FDCPA Debt Collection Consumer Finance New York

  • DOE recognizes states’ role in investigating student loan servicers

    Agency Rule-Making & Guidance

    On July 24, the Department of Education (DOE) issued a final interpretation to clarify that the Higher Education Act (HEA) preempts state laws and other applicable federal laws “only in limited and discrete respects.” Specifically, the final interpretation revises and clarifies the DOE’s position on the legality of state laws and regulations regarding certain aspects of the federal student loan servicing, including preventing unfair or deceptive practices, correcting misapplied payments, or addressing servicers’ refusals to communicate with borrowers.

    The final interpretation supersedes a 2021 DOE interpretation (covered by InfoBytes here), as well as prior statements and interpretations issued by the agency, which addressed state regulation of the servicing of student loans under the William D. Ford Federal Direct Loan Program and the Federal Family Education Loan Program. Following a review of public comments, the DOE modified its interpretation to more clearly describe the standard for conflict preemption, explaining that recent court rulings on the issue of conflict preemption have consistently found that the HEA does not prioritize maintaining uniformity in federal student loan servicing, and that as a result, the courts have upheld the authority of individual states to address fraud and affirmative misrepresentations in the federal student aid program without being hindered by federal preemption. Additionally, the DOE noted that courts have consistently applied conflict preemption to state laws that require licensing of the DOE’s student loan servicers, particularly in limited circumstances where the licensing requirement aims to disqualify a federal contractor from operating within the state. The final interpretation states that it is firmly established that states cannot hinder the federal government's ability to choose its contractors by imposing such licensing requirements, noting that two courts recently concluded that such preemption also applies to a state’s refusal to license federal student loan servicers.

    The final interpretation is effective immediately.

    Agency Rule-Making & Guidance State Issues Department of Education Student Lending Student Loan Servicer Higher Education Act Preemption

  • SEC proposes rules for addressing conflicts of interest raised by predictive data analytics

    Agency Rule-Making & Guidance

    On July 26, the SEC issued proposed rules under the Securities Exchange Act of 1924 and the Investment Advisers Act of 1940 to address certain conflicts of interest associated with the use of predictive data analytics, including artificial intelligence (AI) and similar technologies, “that optimize for, predict, guide, forecast, or direct investment-related behaviors or outcomes.” The SEC explained that broker-dealers and investment advisors (collectively, “firms”) are increasingly using AI to improve efficiency and returns but cautioned that, due to the scalability of these technologies and the potential for firms to quickly reach a large audience, any resulting conflicts of interest could result in harm to investors that is more pronounced and on a broader scale than previously possible.

    Based on existing legal standards, the proposed rules generally would require a firm to identify and eliminate, or neutralize, the effects of conflicts of interest that result in the firm’s (or associated persons’) interests being placed ahead of investors’ interests. Firms, however, would be permitted to employ tools that they believe would address such risks and that are specific to the particular technology being used. Firms that use covered technology for investor interactions would also be required to have written policies and procedures in place to ensure compliance with the proposed rules, the SEC said. These policies and procedures must include a process for evaluating the use of covered technology in investor interactions and addressing any conflicts of interest that may arise. Firms must also maintain books and records related to these requirements. Comments on the proposed rules are due 60 days after publication in the Federal Register.

    Agency Rule-Making & Guidance Federal Issues Securities SEC Third-Party Risk Management Artificial Intelligence Securities Exchange Act Investment Advisers Act

  • SEC adopts breach-reporting rules, establishes requirements for cybersecurity risk management

    Agency Rule-Making & Guidance

    On July 26, a divided SEC adopted a final rule outlining disclosure requirements for publicly traded companies in the event of a material cybersecurity incident. The final rule (proposed last year and covered by InfoBytes here) also requires companies to periodically disclose their cybersecurity risk management processes and establishes requirements for how cybersecurity disclosures must be presented. The final rule requires that material cybersecurity incidents be disclosed within four days from the time a company determines the incident was material (a disclosure may be delayed should the U.S. attorney general notify the SEC in writing that immediate disclosure poses a substantial risk to national security or public safety). Companies must also identify material aspects of the incident’s nature, scope, and timing, as well as its impact or reasonably likely impact on the company, and are required to describe their board’s and management’s oversight of risks from cybersecurity threats and previous cybersecurity incidents. These disclosures will be required in a company’s annual report. The final rule will also mandate foreign private issuers to provide comparable disclosures on forms related to material cybersecurity incidents and risk management, strategy, and governance.

    The final rule is effective 30 days following publication of the adopting release in the Federal Register. The SEC noted that incident-specific disclosures will be required in Forms 8-K and 6-K beginning either 90 days after the final rule’s publication in the Federal Register or on December 18, whichever is later, though smaller reporting companies are provided an extra 180 days before they must begin providing such disclosures. Annual disclosures on cyber risk management, strategy, and governance will be required in Form 10-K and Form 20-F reports starting with annual reports for fiscal years ending on or after December 15. In terms of structured data requirements, all companies must tag disclosures in the required format beginning one year after initial compliance with the related disclosure requirement.

    SEC Chair Gary Gensler commented that, in response to public comments received on the proposed rule, the final rule “streamlines required disclosures for both periodic and incident reporting” and requires companies “to disclose only an incident’s material impacts, nature, scope, and timing, whereas the proposal would have required additional details, not explicitly limited by materiality.”

    In voting against the final rule, Commissioner Hester M. Peirce raised concerns that the final rule’s compliance timelines are overly aggressive even for large companies and that the short incident disclosure period could potentially mislead otherwise uninformed investors and “lead to disclosures that are ‘tentative and unclear, resulting in false positives and mispricing in the market.’” The final rule allows a company to update its incident disclosure in subsequent reports with new information that was unavailable at first and could impact investors who may suffer a loss due to the mispricing of the company’s securities following the initial reporting, Peirce said. She also criticized the risk to national security or public safety exemption as being overly narrow. Commissioner Mark Uyeda also opposed the adoption, writing that “[n]o other Form 8-K event requires such broad forward-looking disclosure that needs to be constantly assessed for a potential amendment.” Uyeda also questioned whether “[p]remature public disclosure of a cybersecurity incident at one company could result in uncertainty of vulnerabilities at other companies, especially if it involves a commonly used technology provider, [thus] resulting in widespread panic in the market and financial contagion.”

    Agency Rule-Making & Guidance Federal Issues Securities Privacy, Cyber Risk & Data Security SEC Data Breach Risk Management
