InfoBytes Blog

Financial Services Law Insights and Observations

  • Agencies put out policy on CRE workouts

    On June 29, the FDIC, OCC, Federal Reserve Board, and NCUA, in consultation with state bank and credit union regulators, jointly issued a final policy statement addressing prudential commercial real estate loan accommodations and workouts for borrowers experiencing financial difficulty. The policy statement applies to all supervised financial institutions and supersedes previous guidance issued in 2009. Building on existing supervisory guidance, the policy statement advises financial institutions “to work prudently and constructively with creditworthy borrowers during times of financial stress.” The policy statement (i) updates interagency supervisory guidance on commercial real estate loan workouts; (ii) adds a new section on short-term loan accommodations (for purposes of the policy statement, “an accommodation includes any agreement to defer one or more payments, make a partial payment, forbear any delinquent amounts, modify a loan or contract, or provide other assistance or relief to a borrower who is experiencing a financial challenge”); (iii) addresses relevant accounting standard changes on estimating loan losses; and (iv) provides updated examples on how to classify and account for loans modified or affected by loan accommodations or loan workout activity. The policy statement takes effect upon publication in the Federal Register.

    Bank Regulatory Federal Issues Federal Reserve OCC FDIC NCUA Real Estate Commercial Lending

  • CFPB issues guidance on small business data collection

    Agency Rule-Making & Guidance

    On June 28, the CFPB released additional guidance to help financial institutions comply with the agency’s small-business lending data collection rule. The small business lending rule, which implements Section 1071 of the Dodd-Frank Act, requires financial institutions to collect and provide to the Bureau data on lending to small businesses with gross revenue under $5 million in their previous fiscal year. As previously covered by InfoBytes, the final rule prescribes a tiered compliance date schedule, with the earliest compliance date being October 1, 2024, for financial institutions that originate at least 2,500 covered small business loans in both 2022 and 2023 (financial institutions with lower origination amounts have later compliance dates).

    To aid financial institutions, the Bureau updated several frequently asked questions to provide additional clarity on who is covered by the small business lending rule and to explain that a financial institution that meets the origination threshold in each of the two immediately preceding calendar years is a covered financial institution, regardless of whether the financial institution has a branch or office in a metropolitan statistical area. The FAQs also (i) outline qualified covered credit transactions and exemptions; (ii) provide a detailed breakdown of the types of transactions a financial institution must count when determining whether it satisfies the origination threshold; (iii) discuss whether a financial institution that is not subject to HMDA reporting is required to count HMDA-reportable loans as covered originations; (iv) address how to count a covered origination if multiple financial institutions were involved in originating the covered credit transaction or when a covered credit transaction is extended to multiple borrowers but only one is a small business; and (v) explain methodologies financial institutions can use to calculate estimated covered originations. In conjunction with the FAQs, the Bureau also released a compliance aid providing additional information covered during a recent Bureau presentation.

    Agency Rule-Making & Guidance Federal Issues CFPB Small Business Lending Section 1071

  • Biden announces FTC nominees

    Federal Issues

    On July 3, President Biden announced his intention to nominate Andrew N. Ferguson and Melissa Holyoak to serve as Republican members of the FTC. Ferguson currently serves as the solicitor general of the Commonwealth of Virginia where he oversees appellate litigation of the state and its agencies. Prior to his time as solicitor general, Ferguson served as chief counsel to U.S. Senate Republican Leader Mitch McConnell, chief counsel for nominations and constitution to then-Judiciary Committee Chairman Lindsey Graham (R-SC), and senior special counsel to then-Judiciary Committee Chairman Chuck Grassley (R-IA). Ferguson also has extensive antitrust experience, including in litigation before the FTC and DOJ.

    Holyoak is currently the solicitor general with the Utah Attorney General’s Office where she oversees areas including civil appeals, criminal appeals, constitutional defense, and the antitrust and data privacy divisions. She is an experienced litigator, and much of her 20 years of practice has focused on consumer protection, Biden said. Before joining the Utah Attorney General’s Office, Holyoak was president and general counsel of the Hamilton Lincoln Law Institute, a Washington, D.C.-based public interest firm that represents consumers challenging unfair class actions and regulatory overreach.

    Following the announcement, FTC Chair Lina M. Khan issued a statement congratulating the nominees. The two seats have been vacant since former Commissioner Christine Wilson announced her resignation earlier in the year (covered by InfoBytes here).

    Federal Issues Biden FTC

  • FFIEC releases 2022 HMDA data

    Federal Issues

    On June 29, the Federal Financial Institutions Examination Council (FFIEC) released the 2022 HMDA data on mortgage lending transactions at 4,460 covered institutions (an increase from the 4,338 reporting institutions in 2021). Available data products include: (i) the Snapshot National Loan-Level Dataset, which contains national HMDA datasets as of May 1; (ii) the HMDA Dynamic National Loan-Level Dataset, which is updated on a weekly basis to reflect late submissions and resubmissions; (iii) the Aggregate and Disclosure Reports, which provide summaries on individual institutions and geographies; (iv) the HMDA Data Browser where users can customize tables and download datasets for further analysis; and (v) the Loan/Application Register for filers of 2022 HMDA data.

    The 2022 data includes information on 14.3 million home loan applications, of which 11.5 million were closed-end and 2.5 million were open-end. The Snapshot revealed that an additional 287,000 records were from financial institutions making use of the Economic Growth, Regulatory Relief, and Consumer Protection Act’s partial exemptions that did not designate closed-end or open-end status. Observations from the data relative to the prior year include: (i) the percentage of mortgages originated by non-depository, independent mortgage companies decreased, accounting for “60.2 percent of first lien, one- to four-family, site-built, owner-occupied home-purchase loans, down from 63.9 percent in 2021”; (ii) the percentage of closed-end home purchase loans for first lien, one- to four-family, site-built, owner-occupied properties made to Black or African American borrowers increased from 7.9 percent in 2021 to 8.1 percent in 2022, while the share of these loans made to Hispanic-White borrowers decreased slightly from 9.2 percent to 9.1 percent and the share made to Asian borrowers increased from 7.1 percent to 7.6 percent; and (iii) “Black or African American and Hispanic-White applicants experienced denial rates for first lien, one- to four-family, site-built, owner-occupied conventional, closed-end home purchase loans of 16.4 percent and 11.1 percent respectively, while the denial rates for Asian and non-Hispanic-White applicants were 9.2 percent and 5.8 percent respectively.”

    Federal Issues Bank Regulatory FFIEC HMDA Mortgages Consumer Finance EGRRCPA

  • Nevada to regulate student loan servicers and lenders

    On June 14, the Nevada governor signed AB 332 (the “Act”) which provides for the licensing and regulation of student loan servicers. The Act also implements provisions for the regulation of private education loans and lenders. Among other things, the Act requires, subject to certain exemptions, persons servicing student loans to obtain a license from the Commissioner of Financial Institutions. Specifically, the Act states that a person seeking to act as a student loan servicer is exempt from the application requirements only if the commissioner determines that the person’s servicing performed in the state is conducted pursuant to a contract awarded by the U.S. Secretary of Education.

    The Act also outlines numerous requirements relating to licensing applications, including that the commissioner may participate in the Nationwide Multistate Licensing System and Registry (NMLS), and may instruct NMLS to act on his or her behalf to, among other things, collect and maintain records of applicants and licensees, collect and process fees, process applications, and perform background checks. The commissioner is also permitted to enter into agreements or sharing arrangements with other governmental agencies, the Conference of State Bank Supervisors, the State Regulatory Registry, or other such associations. Additional licensing provisions set forth requirements relating to licensing renewals, reinstatements, surrenders, and denials; liquidity standards; and bond requirements. The commissioner is also granted general supervisory, investigative, and enforcement authority relating to student loan servicers and student education loans and may impose civil penalties for violations of the Act’s provisions. The commissioner must conduct investigations and examinations at least once a year (with licensees being required to pay for such investigations and examinations). The Act further provides that the student loan ombudsman shall enter into an information sharing agreement with the office of the attorney general to facilitate the sharing of borrower complaints.

    With respect to private education lenders, the Act establishes certain protections for cosigners of private education loans and prohibits private education lenders from accelerating the repayment of a private education loan, in whole or in part, except in cases of payment default. A lender may be able to accelerate payments on loans made prior to January 1, 2024, provided the promissory note or loan agreement explicitly authorizes an acceleration based on established criteria. The Act also sets forth responsibilities for lenders in the case of the total and permanent disability of a private education loan borrower or cosigner, including cosigner release requirements. Additional provisions outline prohibited conduct and create requirements and prohibitions governing lenders’ business practices. Furthermore, private education lenders are not exempt from any applicable licensing requirements imposed by any other specific statute.

    The Act becomes effective immediately for the purpose of adopting any regulations and performing any preparatory administrative tasks that are necessary to carry out the provisions of the Act and on January 1, 2024 for all other purposes.

    Licensing State Issues State Legislation Nevada Student Loan Servicer Student Lending Consumer Finance NMLS

  • Maryland says crypto enforcement could affect money transmitter licensure

    On June 22, the Maryland Commissioner of Financial Regulation issued an advisory on recent enforcement actions by Maryland and federal securities enforcement agencies against cryptocurrency-related businesses that could potentially impact businesses pursuing money transmitter licensure. The actions allege certain businesses offered products constituting securities while they were only licensed as money transmitters by the Commissioner of Financial Regulation. The state takes “character and fitness” into consideration for licensure and although the Commissioner does not enforce securities laws, he or she must consider violations of law, including violations of Maryland securities law, when determining whether to grant licenses. The advisory reads, “compliance with law, particularly Maryland law, regardless of whether or not the law falls within the Commissioner’s purview, must be considered when determining whether a licensee warrants the belief that business will be conducted lawfully, and thus whether the licensee is, or remains, qualified for licensure.” Moreover, violations of securities laws could form the grounds for action by the Commissioner against a licensee, “including but not limited to, an action seeking to revoke a license.”

    Licensing State Issues Enforcement State Attorney General Maryland Money Service / Money Transmitters

  • Rhode Island enacts provisions for real estate appraisal

    On June 20, the Rhode Island state governor signed SB 850 (the “Act”), which amends the Real Estate Appraiser Certification Act and the Real Estate Appraisal Management Company (AMC) Registration Act for consistency with federal laws and recommendations from the appraisal subcommittee. Among other things, the Act includes new terminology, including “covered transaction” and “state-licensed real estate appraiser.” This Act sets forth numerous additional provisions, one of which requires that appraisals must be performed by licensed or certified appraisers unless they are specifically exempt under federal law. Also amended are the classifications of state-certified appraisers and state-licensed appraisers. Specifically, the text defining residential property appraisal is replaced with a general statement that requirements for certification and licensing of appraisers will be “as required by the appraiser qualifications board of the appraisal foundation.” Another addition addresses the continuing education requirement for state-licensed and state-certified real estate appraisers, which now stipulates that up to one-half of an individual’s continuing education requirement may be completed by participation in certain educational activities approved by the board. Concerning registration, the Act contains a new subsection, detailing that AMCs cannot be registered in the state if any owner (an individual who owns more than 10 percent) of the AMC fails to submit to a background check or any owner is determined by the director to not have good moral character. Among other amendments, the Act also stipulates that registration is now valid for only one year (previously two years) after issuance.

    The Act is effective upon passage.

    Licensing State Issues State Legislation Rhode Island Appraisal

  • OFAC sanctions Burma Ministry of Defense and supporting financial institutions

    Financial Crimes

    On June 21, pursuant to Executive Order 14014, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions against Burma’s Ministry of Defense and two regime-controlled financial institutions. In announcing the sanctions, OFAC explained that the Burmese military, which overthrew the country’s democratic government in February 2021, has increased its reliance on air strikes in civilian populated areas, resulting in the death of more than 3,600 civilians and displacing nearly 1.5 million people, and that Burma’s Ministry of Defense has imported goods from sanctioned entities in Russia to support the Burmese military. OFAC detailed that the two sanctioned financial institutions, which primarily function as foreign currency exchanges, “enable Burma’s Ministry of Defense and other sanctioned military entities to purchase arms and other materials from foreign sources.” As a result of the sanctions, all property and interests in property belonging to the sanctioned persons that are in the U.S. or in the possession or control of U.S. persons are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more by one or more blocked persons are also blocked.” U.S. persons are generally prohibited from engaging in any dealings involving the property or interests in property of blocked or designated persons, unless authorized by a general or specific OFAC license, or if otherwise exempt.

    In conjunction with the sanctions, OFAC issued a Burma-related special license (see General License 5).

    Financial Crimes Of Interest to Non-US Persons OFAC OFAC Designations OFAC Sanctions Department of Treasury Burma Russia SDN List

  • NYDFS publishes new proposal on cybersecurity regs

    Privacy, Cyber Risk & Data Security

    On June 28, NYDFS published an updated proposed second amendment to the state’s cybersecurity regulation (23 NYCRR 500) reflecting revisions made by the department in response to comments received on proposed expanded amendments published last November. (Covered by InfoBytes here.) NYDFS’ cybersecurity regulation, effective in March 2017, imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. (Covered by InfoBytes here.) Proposed changes include:

    • New and amended definitions. The proposed second amendment defines “Chief Information Security Officer or CISO” to mean “a qualified individual responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing its cybersecurity policy, who has adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain an effective cybersecurity program.” Certain references to a CISO’s responsibilities have been moved and slightly modified throughout. The amendments also clarify that affiliates should only include “those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity” for the purposes of calculating the number of employees and gross annual revenue for consideration as a “Class A Company.” The definition of a “privileged account” has also been modified to remove a condition that an authorized user account or service account be able to affect a material change to the technical or business operations of the covered entity. Risk assessments also no longer include a requirement that a covered entity “take into account the specific circumstances of the covered entity, including but not limited to its size, staffing, governance, businesses, services, products, operations, customers, counterparties, service providers, vendors, other relations and their locations, as well as the geographies and locations of its operations and business relations.” Additionally, “senior governing body” now specifies that for “any cybersecurity program or part of a cybersecurity program adopted from an affiliate under section 500.2(d) of this Part, the senior governing body may be that of the affiliate.”
    • Notice of a cybersecurity event. Under 23 NYCRR 500, entities are required to notify NYDFS within 72 hours after a determination has been made that a cybersecurity event has occurred at a covered entity, its affiliates, or a third-party service provider. The amendments remove a 90-day period for covered entities to provide the superintendent with requested information, and instead provide that “[e]ach covered entity shall promptly provide any information requested regarding such event. Covered entities shall have a continuing obligation to update and supplement the information provided.” Covered entities will be required to maintain for examination, and now inspection by the department upon request, all records, schedules, and supporting data and documentation.
    • Exemptions. The proposed second amendment now offers that “[a]n employee, agent, wholly-owned subsidiary, representative or designee of a covered entity, who is itself a covered entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, wholly-owned subsidiary, representative or designee is covered by the cybersecurity program of the covered entity.”
    • Additional modifications. Other slight modifications have been made throughout that include removing a requirement that covered entities “document material issues found during testing and report them to its senior governing body and senior management,” and deleting a requirement that Class A companies use external experts to conduct risk assessments at least once every three years. The proposed second amendment makes changes to third-party service provider policy requirements and multi-factor authentication provisions and replaces a reference to a covered entity’s board of directors or equivalent with the “senior governing body.” Language defining these responsibilities has been slightly modified. Additionally, incident response plans must also now include a root cause analysis describing “how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence.” Furthermore, when assessing penalties, the superintendent may now also consider “the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST.”

    The proposed second amendment is subject to a 45-day comment period expiring August 14.

    Privacy, Cyber Risk & Data Security State Issues NYDFS 23 NYCRR Part 500 State Regulators

  • Nevada enacts health data privacy measures

    Privacy, Cyber Risk & Data Security

    On June 16, the Nevada governor signed SB 370 (the “Act”) to enact provisions imposing broad restrictions on the use of consumer health data. The Act is intended to cover health data and persons or entities not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as a person who conducts business in the state of Nevada or produces or provides products or services that are targeted to consumers in the state that “determines the purpose and means of processing, sharing or selling consumer health data.” Exempt from the Act’s requirements are government agencies, financial institutions and data that is collected, maintained or sold subject to the Gramm-Leach-Bliley Act and certain other federal laws, law enforcement agencies, and third parties that obtain consumer health data from a regulated entity through a merger, acquisition, bankruptcy or other transaction, among others.

    The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain voluntary consent from consumers prior to collecting, sharing, and selling their health data, and are required to provide a means by which a consumer can revoke such authorization; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific security policies and procedures. Consumers are also empowered with the right to have their health data deleted and may request a list of all third parties with whom the regulated entity has shared or sold their health data. The Act details prohibited practices and outlines numerous compliance elements relating to access restrictions, responding to consumers, and processor requirements.

    Furthermore, a violation of the Act constitutes a deceptive trade practice. While the Act does not create a private right of action, under existing law a court has authority “to impose a civil penalty of not more than $12,500 for each violation upon a person whom the court finds has engaged in a deceptive trade practice directed toward an elderly person or a person with a disability.” Additionally, under existing law if a person violates a court order or injunction brought by the Commissioner of Consumer Affairs, the Director of the Department of Business and Industry, the district attorney of any county in the state or the attorney general, “the person is required to pay a civil penalty of not more than $10,000 for each violation.” Willful violations may incur an additional penalty of not more than $5,000, as well as injunctive relief.

    The Act is effective March 31, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Medical Data Nevada HIPAA Consumer Protection
