
InfoBytes Blog

Financial Services Law Insights and Observations


  • FDIC orders entities to stop making fraudulent deposit insurance representations

    On February 15, the FDIC sent letters to four entities demanding that they stop making false or misleading representations about FDIC deposit insurance. Letters were sent to a cryptocurrency exchange and to a nonbank financial services provider demanding that the entities cease and desist from making false and misleading statements about FDIC deposit insurance and take immediate corrective action to address these statements. The FDIC also sent letters to two websites ordering them to remove similar false and misleading statements claiming that the crypto exchange and the nonbank financial services provider are FDIC-insured and that FDIC insurance will protect customers’ cryptocurrency or protect customers in the event of the nonbank’s failure. Under the Federal Deposit Insurance Act, persons are prohibited “from representing or implying that an uninsured product is FDIC-insured or from knowingly misrepresenting the extent and manner of deposit insurance.”

    Bank Regulatory Federal Issues FDIC Deposit Insurance Cryptocurrency Digital Assets Nonbank FDI Act

  • Bowman discusses bank and third-party cyber risk management expectations

    On February 15, Federal Reserve Board Governor Michelle W. Bowman delivered remarks at the Midwest Cyber Workshop, during which she discussed topics related to third-party service provider reliance and regulatory expectations concerning cyber risk management. “While we expect banks to be in touch with us when an event happens, cyber events should not be the first time a cyber-risk conversation occurs between a bank and its regulator.” Community banks frequently cite cybersecurity as one of the top risks facing the banking industry, Bowman said, adding that bankers have mentioned difficulties in attracting and retaining the staff needed to mitigate cyber risk. She also noted that ransomware disproportionately impacts smaller banks that might not “have sufficient resources to protect against these attacks.”

    Pointing out that banks are becoming increasingly reliant on third-party service providers, Bowman said regulators should “consider the appropriateness of shifting the regulatory burden from community banks to more efficiently focus directly on service providers.” Regulators have authority to do so under the Bank Service Company Act, Bowman said, adding that “[i]n a world where third parties are providing far more of these services, it seems to me that these providers should bear more responsibility to ensure the outsourced activities are performed in a safe and sound manner.” She also referenced a 2021 final rule that requires banks to timely notify their primary federal regulator in the event of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place (covered by InfoBytes here). The reporting process, Bowman said, is also intended to streamline small banks’ efforts to monitor service providers (which are required to notify a bank-designated point of contact at each affected customer bank when a computer-security incident has occurred).

    “We look forward to working with you to assist in clarifying expectations, applying regulatory guidance or seeking feedback on cyber-risk management strategies,” Bowman said. “We encourage bank management teams to engage with regulatory points of contact whenever questions arise on cybersecurity matters just as with any other regulatory matter.”

    Bank Regulatory Federal Issues Privacy, Cyber Risk & Data Security Third-Party Federal Reserve

  • Colorado releases privacy act updates

    Privacy, Cyber Risk & Data Security

    Last month, the Colorado attorney general released a third version of draft rules to implement and enforce the Colorado Privacy Act (CPA). A hearing on the proposed draft rules was held February 1. As previously covered by a Special Alert, the CPA was enacted in July 2021 to establish a framework for personal data privacy rights. The CPA, which is effective July 1, 2023, with certain opt-out provisions taking effect July 1, 2024, provides consumers with numerous rights, including the right to access their personal data, opt out of certain uses of personal data, make corrections to personal data, request deletion of personal data, and obtain a copy of personal data in a portable format. Under the CPA, the attorney general has enforcement authority for the law, which does not have a private right of action. The attorney general also has authority to promulgate rules to carry out the requirements of the CPA and issue interpretive guidance and opinion letters, as well as the authority to develop technical specifications for at least one universal opt-out mechanism. The attorney general previously released two versions of the draft rules last year (covered by InfoBytes here and here).

    The third set of draft rules seeks to address additional concerns raised through public comments and makes a number of changes, including:

    • Clarifying definitions. The modifications add, delete, and amend several definitions, including those related to “bona fide loyalty program,” “information that a [c]ontroller has a reasonable basis to believe the [c]onsumer has lawfully made available to the general public,” “publicly available information,” “revealing,” and “sensitive data inference” or “sensitive data inferences.” Among other things, the definition of “publicly available information” has been narrowed by removing the exception to the definition that had excluded publicly available information that has been combined with non-publicly available information. Additionally, sensitive data inferences now refer to inferences which “are used to” indicate certain sensitive characteristics.
    • Right to opt out and right to access. The modifications outline controller requirements for complying with opt-out requests, including when opt-out requests must be completed, as well as provisions for how privacy notice opt-out disclosures must be sent to consumers, and how consumers are to be provided mechanisms for opting out of the processing of personal data for profiling that results in the provision or denial of financial or lending services or other opportunities. With respect to the right to access, controllers must implement and maintain reasonable data security measures when processing any documentation related to a consumer’s access request.
    • Right to correct and right to delete. Among other changes, the modifications add language providing consumers with the right to correct inaccuracies and clarify that a controller “may decide not to act upon a [c]onsumer’s correction request if the [c]ontroller determines that the contested [p]ersonal [d]ata is more likely than not accurate” and has exhausted certain specific requirements. The modifications add requirements for when a controller determines that certain personal data is exempted from an opt-out request.
    • Notice and choice of universal opt-out mechanisms. The modifications specify that disclosures provided to consumers do not need to be tailored to Colorado or refer to Colorado “or to any other specific provisions of these rules or the Colorado Privacy Act examples.” Additionally, a platform, developer, or provider that provides a universal opt-out mechanism may, but is not required to, authenticate that a user is a resident of the state.
    • Controller obligations. Among other things, a controller may choose to honor an opt-out request received through a universal opt-out mechanism before July 1, 2024, may respond by choosing to opt a consumer out of all relevant opt-out rights should the universal opt-out mechanism be unclear, and may choose to authenticate that a user is a resident of Colorado but is not required to do so.
    • Purpose specification. The modifications state that controllers “should not specify so many purposes for which [p]ersonal [d]ata could potentially be processed to cover potential future processing activities that the purpose becomes unclear or uninformative.” Controllers must modify disclosures and necessary documentation if the processing purpose has “evolved beyond the original express purpose such that it becomes a distinct purpose that is no longer reasonably necessary to or compatible with the original express purpose.”
    • Consent. The modifications clarify that consent is not freely given when it “reflects acceptance of a general or broad terms of use or similar document that contains descriptions of [p]ersonal [d]ata [p]rocessing along with other, unrelated information.” Requirements are also provided for how a controller may proactively request consent to process personal data after a consumer has opted out.
    • User interface design, choice architecture, and dark patterns. The modifications provide that a consumer’s “ability to exercise a more privacy-protective option shall not be unduly longer, more difficult, or time-consuming than the path to exercise a less privacy-protective option.” The modifications also specify principles that should be considered when designing a user interface or a choice architecture used to obtain consent, so that it “does not impose unequal weight or focus on one available choice over another such that a [c]onsumer’s ability to consent is impaired or subverted.”

    Additional modifications have been made to personal data use limitations, technical specifications, public lists of universal opt-out mechanisms, privacy notice content, loyalty programs, duty of care, and data protection assessments. Except for provisions with specific delayed effective dates, the rules take effect July 1 if finalized.

    On February 28, the attorney general announced that the revised rules were adopted on February 23, but are subject to a review by the attorney general and may require additional edits before they can be finalized and published in the Colorado Register. 

    Privacy, Cyber Risk & Data Security State Issues State Attorney General Colorado Colorado Privacy Act Consumer Protection

  • California Dept. of Real Estate reminds licensees of fiduciary duty requirements

    The California Department of Real Estate (DRE) recently reminded real estate licensees with a mortgage loan origination (MLO) endorsement of their fiduciary duty to borrowers. DRE licensees (including brokers, salespersons, and broker-associates supervised by a broker) who provide mortgage brokerage services to a borrower act as a fiduciary of that borrower, the DRE said, explaining that this “includes placing the economic interest of the borrower ahead of their own.” The Bulletin noted that California courts have held that the fiduciary relationship not only requires the broker to act in the highest good faith toward their client but also prohibits the broker from obtaining any advantage over the client by virtue of the fiduciary relationship. Licensees who violate their fiduciary duties may face DRE-disciplinary action against their real estate license and/or MLO endorsement and may also expose themselves to civil liability.

    Licensees are reminded that they are required to be aware of all laws, regulations, and rules governing their activities, including the federal Loan Originator Compensation (LO Comp) Rule, which “prohibits loan originators, including brokers, from receiving compensation based on the terms of consumer mortgage transactions.” Prior to the LO Comp Rule, mortgage brokers often received commissions that varied based on the terms of the mortgage loans they obtained for their clients, and in many cases received larger commissions on loans carrying less advantageous terms (e.g., loans with a higher interest rate would result in a larger commission than the same loan with a lower interest rate). The LO Comp Rule now prohibits this practice.

    The Bulletin also reminded licensees that receiving greater compensation for acting against the economic interests of a consumer would also violate a broker’s fiduciary responsibility to place the economic interest of their client ahead of their own, should the decision be motivated by a financial desire to increase compensation. Further, licensees may not steer or direct a borrower to close a loan with a particular lender in exchange for receiving a higher commission unless the transaction is the best loan for the borrower. Licensees must also disclose to a borrower the costs and expenses associated with the loan, and disclose all compensation received in the transaction. Taking any secret or undisclosed compensation, commission, or profit is also prohibited, the Bulletin said.

    Licensing State Issues California Loan Origination LO Comp Rule Steering Mortgages Consumer Finance

  • Treasury roundtable examines effectiveness of Russian sanctions and export controls

    Financial Crimes

    On February 10, Deputy Secretary of the Treasury Wally Adeyemo convened a roundtable to hear from sanctions and U.S. foreign policy experts on the effectiveness of the unprecedented sanctions and export controls imposed on Russia by a coalition of more than 30 countries. Over the past year, the countries have imposed economic restrictions on Russia with the intention of disrupting Russia’s military supply chains and denying the Russian government funding for its war against Ukraine. Adeyemo discussed progress made on these fronts, and said the strain on Russia’s military can be seen through the government’s attempts to backfill equipment and supplies through third parties in permissive jurisdictions or sanctioned countries. Adeyemo said that in the upcoming weeks and months, Treasury intends to increase “its focus on countering sanctions evasion, including by targeting facilitators and third-country providers that may wittingly or unwittingly help Russia replenish the supplies and material it desperately needs to support its military.” 

    Financial Crimes Of Interest to Non-US Persons OFAC OFAC Designations OFAC Sanctions Russia Ukraine Ukraine Invasion

  • NYC Banking Commission to combat lending and employment discrimination

    State Issues

    On February 10, the New York City Banking Commission, which consists of the city’s mayor, the comptroller, and the Commissioner of the Department of Finance, announced two transparency measures to combat lending and employment discrimination by designated banks. Designated banks are those eligible to hold NYC deposits and are expected to provide approved banking products and services for city entities. The announcement states that beginning with this year’s biennial designation cycle, a public comment process will now be included prior to and during the Banking Commission’s public hearing to designate banks that will be eligible to hold deposits of city funds. Revisions have also been made to the certifications that banks are required to submit ahead of designation in order “to reinforce the obligation for depository banks to provide detailed plans and specific steps to combat different forms of discrimination in their operations.” NYC Mayor Eric Adams added “[t]hese new steps will ensure the Banking Commission is designating only those banks that have shown that they can protect taxpayer money and that are committed to promoting equity in all aspects of their operations.”

    State Issues New York Consumer Finance Discrimination Fair Lending

  • CSBS says state regulators need access to FinCEN’s beneficial ownership database

    State Issues

    On February 14, the Conference of State Bank Supervisors commented that FinCEN should be more explicit in its inclusion of state regulators as agencies that can request access to FinCEN’s forthcoming secure, non-public beneficial ownership information database. (See comment letter here.) As previously covered by InfoBytes, last December FinCEN issued a notice of proposed rulemaking (NPRM) to implement provisions of the Corporate Transparency Act (CTA) that govern the access to and protection of beneficial ownership information (BOI). The NPRM proposed regulations for establishing who may request beneficial ownership information, how the information must be secured, and non-compliance penalties, and also addressed aspects of the database that are currently in development. Agreeing that the new database would help enhance anti-money laundering and countering the financing of terrorism standards and help prevent the use of privacy to hide illicit activity from law enforcement and government authorities, CSBS asked that the final rule “explicitly define state regulators so that there is no confusion about their ability to access BOI when examining state-chartered banks and non-depository trust companies for compliance with customer due diligence requirements under the Bank Secrecy Act (BSA).” According to CSBS, state regulators conducted over 1,200 BSA exams in 2021. CSBS further pointed out that being able to request BOI on an as-needed basis would aid investigative and enforcement responsibilities for both state-chartered banks and state-licensed nonbank financial services providers.

    State Issues Financial Crimes State Regulators CSBS Beneficial Ownership FinCEN Corporate Transparency Act Customer Due Diligence Anti-Money Laundering Combating the Financing of Terrorism Bank Secrecy Act

  • Brainard resigns as Fed vice chair to join Biden economic team

    On February 14, President Biden appointed Federal Reserve Board Vice Chair Lael Brainard to serve as Director of the National Economic Council (NEC). Touting Brainard’s domestic and international economic expertise, Biden said she will be the second female director of the NEC. Brainard submitted her resignation from the Fed the same day, effective on or around February 20. Brainard has been a Fed Board member since June 2014, and has served as vice chair since May 2022. During her time at the Board, Brainard “chaired multiple committees, including the Committee on Financial Stability, the Committee on Economic and Monetary Affairs, the Committee on Payments, Clearing, and Settlement, and the Committee on Board Affairs, among others.” Brainard also served as chair of the Federal Open Market Committee's communication subcommittee, and has represented the Board internationally, including at the Bank for International Settlements, the Group of Seven, and the Financial Stability Board.

    Bank Regulatory Federal Issues Federal Reserve

  • FHA seeks feedback on enhancements to rehabilitation mortgage insurance program

    Agency Rule-Making & Guidance

    On February 14, FHA issued a request for information (RFI) seeking input on ways the agency can enhance its Single Family 203(k) Rehabilitation Mortgage Insurance Program. Under the 203(k) Program, borrowers who are purchasing or refinancing a home may obtain FHA insurance on a mortgage that will cover the home’s current value plus rehabilitation costs. The 203(k) Program currently offers two options for borrowers: (i) the Standard 203(k) Mortgage, which is used for remodeling and major repairs, carries a minimum repair cost of $5,000, and requires the use of a 203(k) consultant; and (ii) the Limited 203(k) Mortgage, which is used for minor remodeling and non-structural repairs, has a maximum repair cost of $35,000, and does not require the use of a 203(k) consultant. FHA will use information gathered in response to the RFI “to identify barriers that limit the origination of 203(k) insured mortgages and lender participation in the program and consider opportunities to enhance the 203(k) Program to support HUD’s goal of increasing the available supply of affordable housing in underserved communities.” Comments on the RFI are due April 17.

    Agency Rule-Making & Guidance Federal Issues HUD FHA Mortgages Mortgage Insurance Underserved Consumer Finance

  • SEC proposes revisions to Privacy Act

    Agency Rule-Making & Guidance

    On February 14, the SEC issued a proposed rule to revise the Commission’s regulations under the Privacy Act of 1974, as amended. The Privacy Act governs the collection, maintenance, use, and dissemination of information about individuals that is maintained by the federal agencies. Under the Privacy Act, individuals are afforded a right of access to records pertaining to them and a right to have inaccurate records corrected. Among other things, the revisions would clarify, update, and streamline the language of several procedural provisions to codify current practices for processing public requests. The revisions would also clarify the SEC’s process for how individuals can access information pertaining to themselves. If adopted, the proposed rule would also revise procedural and fee provisions, eliminate unnecessary provisions, and allow for electronic methods to verify one’s identity and submit Privacy Act requests. Comments on the proposed rule are due April 17, or 30 days after publication in the Federal Register, whichever is later.

    Agency Rule-Making & Guidance Federal Issues SEC Privacy, Cyber Risk & Data Security Privacy Act
