InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Biden E.O. labels China as a country of concern; Treasury issues ANPR
On August 9, the White House announced that President Biden signed an Executive Order on Addressing United States Investments In Certain National Security Technologies and Products In Countries of Concern (E.O.). The President explained his view that some countries create national security risks by using particular technologies to advance their “military and defense industrial sectors” rather than civilian and commercial sectors. Biden stated that although open global capital flows substantially benefit the U.S., the E.O. stated that certain investments may “accelerate and increase the success of the development of sensitive technologies and products in countries that develop them to counter United States and allied capabilities.” The E.O. directs the Secretary of the Treasury to issue regulations that (i) prohibit U.S. persons from participating in specific transactions associated with particular technologies and products that present a significant and urgent risk to national security; and (ii) mandate U.S. persons to notify the Treasury about different transactions related to specific technologies and products that may contribute to the national security threat. The annex to the E.O. identifies China, including Hong Kong and Macau, as the sole nation warranting concern. The E.O. also requires the Secretary to communicate with Congress and the public regarding the E.O., consult with other agency leaders, assess whether to amend the regulations within one year, and provide reports to the President and Congress.
The Treasury simultaneously issued an Advance Notice of Proposed Rulemaking, requesting public comment on the implementation of the E.O., along with proposed definitions of key terms, before the program goes into effect. Written comments may be submitted within 45 days here.
Fed suggests enhancing supervision of “novel activities” by banks
On August 8, the Federal Reserve Board announced the issuance of two supervision letters that elaborate on the its program to supervise “novel activities” such as fintech partnerships, crypto-related activities, and activities using distributed ledger or “blockchain” technology. The first letter, SR 23-7, announces the establishment of the “Novel Activities Supervision Program,” a program designed to “ensure that the risks associated with innovation” supported by new technologies are managed appropriately by the bank. The program will focus on (i) technology-driven partnerships with non-banks; (ii) crypto-asset related activities such as asset custody, crypto-collateralized lending, asset trading, and crypto issuance and distribution; (iii) exploration or use of distributed ledger technology; and (iv) concentration of banking services to crypto-asset related entities and fintech companies. Supervisory teams will be tasked with monitoring and examining these novel activities within the existing supervisory portfolios and will take a risk-based approach on the level and intensity of supervision. The letter concludes that “the Program will also operate in keeping with the principle that banking organizations are neither prohibited nor discouraged from providing banking services to customers or any specific class or type” as permitted by law.
In the second supervisory letter, SR 23-8, the Fed announced a “nonobjection process” for banks seeking to engage in certain dollar token activities. Previously, the OCC issued an interpretive letter permitting national banks to use distributed ledger technology (or similar) to conduct payments using dollar tokens, as long as the bank could demonstrate adequate controls. (Covered by InfoBytes here). The letter clarifies that any bank supervised by the Fed that wishes to engage in those same activities must first obtain a written notice of supervisory nonobjection from the Fed. In order to do so, the bank must be able to demonstrate it has implemented adequate risk management practices, taking into account operational, cybersecurity, liquidity, illicit finance, and consumer compliance risks, among others. The bank must also demonstrate that it is aware of and can comply with laws applicable to the activities.
CFPB's small biz loan data rule stifled for many banks
On July 31, the U.S. District Court for the Southern District of Texas entered an order granting in part and denying in part a motion for a preliminary injunction against the CFPB. The injunction, filed by a bank and two trade associations (collectively “plaintiffs”), aims to prevent the CFPB from enforcing its new final rule, implementing section 1071 of the CPA, which would require financial institutions to collect and provide to the Bureau data on lending to small businesses (covered by InfoBytes here). A 2022 5th Circuit ruling (covered by an Orrick Special Alert here) in a different suit, however, deemed the CFPB’s funding structure unconstitutional.
Plaintiffs urged the 5th Circuit to enjoin enforcement of the small business lending rule pending Supreme Court resolution of the constitutionality of the CFPB’s funding structure, estimating that the burden of complying with the final rule would be $100,000 per community bank, and “the nonrecoverable costs of complying with an invalid regulation constitute irreparable harm,” among other things. The court held that the plaintiff bank had standing because its injury is imminent and not speculative based on the effective date of the final rule, and the costs of preparation for compliance. The court also held that there is a “substantial likelihood” that the plaintiffs would prevail in asserting the final rule is invalid based on the claim that the Bureau’s funding is unconstitutional. The court agreed with plaintiffs’ claim that the costs of compliance with the final rule are “more than de minimis and thus constitute irreparable harm,” despite the CFPB’s argument that the costs of compliance would not be incurred now. Finally, the court held that the CFPB failed to show any evidence that a stay of the final rule will cause harm. While the court entered an injunction, it limited it to the plaintiffs and their members, declining to enter a nationwide injunction as requested by plaintiffs, because “generic reasons such as ‘nationwide scope’ or ‘need for uniformity’ without more are insufficient.”
The final rule is scheduled to go into effect on August 29.
FFIEC updates BSA/AML examination manual
On August 2, the Federal Financial Institutions Examination Council (FFIEC) updated its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, which provides examiners with instructions for assessing a bank or credit union’s BSA/AML compliance program and adherence to BSA regulatory requirements. The revisions include updates to the following sections:
- Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activity
- Due Diligence Programs for Correspondent Accounts for Foreign Financial Institutions
- Due Diligence Programs for Private Banking Accounts
- Prohibition on Correspondent Accounts for Foreign Shell Banks; Records Concerning Owners of Foreign Banks and Agents for Service of Legal Process
- Summons or Subpoena of Foreign Bank Records; Termination of Correspondent Relationship; Records Concerning Owners of Foreign Banks and Agents for Service of Legal Process
- Reporting Obligations on Foreign Bank Relationships with Iranian-Linked Financial Institutions
The FFIEC noted that the “updates should not be interpreted as new instructions or as a new or increased focus on certain areas,” but rather are intended to “provide information and considerations related to certain customers that may indicate the need for bank policies, procedures, and processes to address potential money laundering, terrorist financing, and other illicit financial activity risks.” In addition, the Manual itself does not establish requirements for financial institutions, which are found in applicable statutes and regulations but rather reinforce the agency’s risk-focused approach to BSA/AML examinations.
CFPB sues auto-loan servicer for double-billing practices
On August 2 CFPB filed a complaint in the U.S. District Court for the Northern District of Georgia against an auto-loan servicer alleging a host of illegal practices that harmed individuals with auto loans. The Bureau alleged that the auto-loan servicer engaged in unfair acts and practices in violation of the CFPA, including (i) wrongfully activating nearly 80,000 times starter-interruption devices, which are devices that warn consumers with beeps or disable their car altogether when they are late with a loan payment; (ii) failing to ensure refunds of over millions of dollars of GAP insurance premiums after consumers paid off their loan early or their car was repossessed by the auto-loan servicer; (iii) erroneously billing 34,000 consumers for collateral-protection insurance (CPI) by charging consumers twice each billing cycle, totaling around $1.9 million; (iv) wrongfully applying extra consumer payments first to late fees or CPI instead of accrued interest; and (v) wrongfully repossessing consumers’ cars dozens of times due to errors by the auto-loan servicer or its vendor.
The Bureau seeks, among other things, redress to consumers, civil money penalties, and injunctions to prevent future violations.
HUD and NAREB to educate consumers on appraisal bias
On August 2, HUD announced a partnership with the National Association of Real Estate Brokers to address appraisal bias and discrimination in the housing market. The collaboration, launching in October 2023, will include online training, roundtable discussions, and distribution of educational material designed to promote fairness in the housing market. HUD also referenced its involvement in the PAVE task force (covered by InfoBytes here), which is dedicated to ending bias in home valuation and has made critical progress since its launch in 2022.
California Privacy Protection Agency announces its first inquiry
On July 31, the California Privacy Protection Agency (CPPA) announced a review of the data privacy practices of “connected vehicle” manufacturers and related technologies. Executive Director of the CCPA Ashkan Soltani stated in the press release that the agency is “making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data.” The vehicles in question contain tracking technology that raised data concerns under the California Consumer Privacy Act. Notably, this is the first action from the agency’s enforcement division.
Senate Banking Committee holds hearing on account fees
On July 26, the Senate Banking Committee held a hearing regarding “fees and tactics impacting Americans’ wallets” in relation to financial services and the role of the CFPB in addressing harmful fees. Leading the hearing, Senator Raphael Warnock (D-GA), chairman of the committee, explained that some “excessively high” and unclear fees do not serve an economic value, referring to these as “junk fees.” Senator Warnock shared that 1/3 of households that do not use banks cite high fees as their reason for continuing without a bank account. Senator Thom Tillis (R-N.C.) criticized the CFPB’s attempts at avoiding the oversight of the Administrative Procedures Act in the rule-making process by mislabeling its actions. Tillis added that after the 2008 financial crisis, regulators emphasized the importance of overdraft revenue as, “an appropriate tool for ensuring the stability of the bank’s balance sheets.” He then criticized the shift in guidance, as the CFPB looks to reprimand banks who follow “the established prudential standards for the crime of listening to their previous federal regulators.” He also claimed that the Bureau does not have proper jurisdiction, resources, or staff to make such decisions.
Pennsylvania Attorney General Michelle Henry testified about recent enforcement actions she has taken, including a recently filed suit against a Wall Street private equity-owned installment lender, who allegedly charged consumers “junk fees” for low-value or valueless add-on products. Henry also mentioned entering into a settlement relating to a bank charging “junk fees” in connection with auto finance products. Brian Johnson, a financial regulatory compliance specialist and former deputy director of the CFPB, claimed that the agencies and the White House have failed to provide a consistent definition for the “junk fees” that could subject institutions to scrutiny, and criticized the CFPB, saying that it does not follow its own regulations and laws governing how agencies make rules by publishing interpretive rules as policy statements in bulletins. A final topic raised by Senator Tina Smith (D-MN) regarded land contracts and lease-to-purchase or rent-to-own agreements that she claimed can be exploitative towards underserved communities. Smith noted that such contacts are “designed to fail,” noting that more than 80 percent of the time, people lose all their equity because they do not make it to the last payment of the contract.
FCC warns provider to stop transmitting illegal robocalls
On August 1, the FCC’s Enforcement Bureau notified a gateway intermediate provider and originator that it is allegedly transmitting and originating illegal robocalls, which could result in the FCC permitting downstream service providers to block its traffic permanently if it fails to take action. The illegal robocalls allegedly involved attempts to engage with consumers by informing consumers of fake purchase orders or asking them to confirm their order. Noting that the provider is “closely connected” to two other entities that had previously received similar enforcement letters, the FCC warned that continually changing corporate formations and serving those same entities and related principals could constitute “willful attempts to circumvent the law to originate and carry illegal traffic.” Among other things, the provider is required to investigate the identified transmissions, block all of the identified traffic if the investigation confirms that the entity served as the gateway provider for the illegal transmissions, and report the results to the FCC’s enforcement bureau.
Fed’s annual report: cybersecurity risk management & emerging threats
On August 1, the Fed released its 2023 Cybersecurity and Financial System Resilience Report. Required annually by the Consolidated Appropriations Act, 2021, the report describes the measures the Fed has taken to strengthen cybersecurity within the financial services sector and its supervision and regulation of financial institutions and service providers across the past year. The report details the Fed’s activities in the space, including issuing regulations and guidance for supervised institutions, examining and monitoring supervised institutions’ risk management, and collecting data on relevant cybersecurity incidents. Recent actions highlighted in the report include the publication of an updated Cybersecurity Resource Guide for Financial Institutions, a proposal to update the operational risk management requirements in Regulation HH for systematically important financial market utilities, and final joint guidance issued in conjunction with the FDIC and OCC regarding banking organizations’ risk management of third-party relationships. The Fed also describes the steps it is taking to protect its own operations and assets from cybersecurity threats.
With respect to supervisory activities, the Fed notes that it “has observed improvement in cybersecurity practices over the past several years resulting from supervised institutions’ efforts to address supervisory findings as well as proactive steps taken by the institutions.” The report notes that the Fed is taking measures to address OIG recommendations relating to the effectiveness of its cybersecurity incident response process, including updating the cybersecurity incident response process’s mission and governance structure and enhancing guidance and training. The report describes the Fed’s close coordination with other participants in the global financial system in addressing cybersecurity risk, including domestic and international agencies, governance bodies, financial regulators, and industry.
Finally, the report describes current and emerging threats to the financial system, including (i) geopolitical tensions and accompanying cyberattacks; (ii) cyber-criminal activity involving ransomware as a service, targeting of authentication mechanism weaknesses, and collaboration among cyberthreat actors; (iii) increasing potential of a supply chain or third-party attack; (iv) cyber risks associated with third-party providers; (v) insider threats; and (vi) other emerging technology-related threats, such as risks inherent to machine learning and quantum computing capabilities.