InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS proposes expanding CRA to support minority- and women-owned businesses

    State Issues

    On November 3, NYDFS issued proposed changes to the state’s Community Reinvestment Act (New York CRA) to guarantee the department “has the necessary data to ensure banks are evolving to best serve their communities and protect against redlining and fair lending violations.” The proposed regulation further specifies the type of communities the New York CRA plans to support and will enable NYDFS to evaluate the extent to which minority- and women-owned businesses are offered and provided credit. In June 2020, NYDFS issued an industry letter (covered by InfoBytes here) to alert regulated entities that it planned to make changes to its CRA examination process in response to an amendment to the New York CRA, which required NYDFS to consider “several aspects of banking institutions’ activities with respect to minority- and women-owned businesses.” Among other things, the proposed regulation outlines data collection and submission requirements, including (i) asking whether a business applying for a loan or credit is minority- or women-owned or both; (ii) reporting application details such as the date, type of credit applied for and amount, and whether the application was approved or denied; and (iii) reporting a business’s size and location. Comments will be accepted for 60 days following publication in the State Register.

    The New York CRA has undergone several expansions recently. As previously covered by InfoBytes, the New York governor signed legislation on November 1 expanding the New York CRA to cover non-depository lenders. Under the amendments, nonbank mortgage providers’ lending and investment in low- and moderate-income communities will be subject to NYDFS review. 

    State Issues State Regulators NYDFS Bank Regulatory CRA New York

  • NYDFS provides affiliate cybersecurity program guidance

    State Issues

    Recently, NYDFS issued an industry letter to regulated entities advising that a covered entity may adopt the cybersecurity program of an affiliate. New York’s Cybersecurity Regulation (23 NYCRR Part 500) requires regulated entities (Covered Entities) to implement risk-based cybersecurity programs to protect their information systems as well as the nonpublic information maintained on them. (See continuing InfoBytes coverage on 23 NYCRR Part 500 here.) Specifically, 23 NYCRR Part 500 allows “Covered Entities to adopt ‘the relevant and applicable provisions’ of the cybersecurity program of an affiliate provided that such provisions satisfy the requirements of the Cybersecurity Regulation.” NYDFS is also permitted to fully examine the adopted portions of the affiliate’s cybersecurity program to ensure compliance, even if that affiliate is not covered or regulated by NYDFS otherwise. Covered Entities are reminded that while they may adopt an affiliate’s cybersecurity program in whole or in part, the Covered Entity may not delegate compliance responsibility to the affiliate, and is responsible for ensuring its cybersecurity program complies with 23 NYCRR Part 500, “regardless of whether its cybersecurity program is its own or was adopted in whole or in part from an affiliate.” Additionally, a Covered Entity’s compliance obligations are the same whether it adopts an affiliate’s cybersecurity program or implements its own cybersecurity program. Among other things, Covered Entities are required to provide, upon request, all “documentation and information” related to their cybersecurity programs, including evidence that an adopted affiliate’s cybersecurity program meets the requirements of 23 NYCRR Part 500.

    At a minimum, NYDFS requires access to an affiliate’s “cybersecurity policies and procedures, risk assessments, penetration testing and vulnerability assessment results, and any third party audits that relate to the adopted portions of the cybersecurity program of the affiliate.” NYDFS also explained that foreign bank branches and representative offices often have head offices located outside the U.S. that are not directly regulated by NYDFS. For these entities, all documentation and information relevant to the adopted portions of their head offices’ cybersecurity programs must be provided to NYDFS examiners to evaluate the Covered Entities’ compliance with 23 NYCRR Part 500.

    State Issues NYDFS Privacy/Cyber Risk & Data Security 23 NYCRR Part 500 State Regulators Bank Regulatory Affiliated Business Relationship Enforcement Of Interest to Non-US Persons

  • NYDFS creates Climate Risk Division

    State Issues

    On November 3, NYDFS announced the creation of the Climate Risk Division and the appointment of Dr. Yue (Nina) Chen as its Executive Deputy Superintendent and the inaugural NYDFS Director of Sustainability and Climate Initiatives. According to the announcement, the Climate Risk Division will, among other things: (i) include climate risks in its regulated entities supervision; (ii) support industry growth regarding climate risk management; (iii) coordinate with international, national, and state regulators; (iv) develop internal capacity regarding climate-related financial risks and support the capacity-building of peer regulators; and (v) ensure access to financial services is fair for all communities.

    State Issues NYDFS Climate-Related Financial Risks Bank Regulatory New York State Regulators

  • OCC, Fed, and Treasury issue statements on climate change

    Federal Issues

    On November 3, the OCC, the Federal Reserve, and the U.S. Treasury Department released statements expressing support for the Network for Greening the Financial System (NGFS) Glasgow Declaration. OCC acting Comptroller Michael J. Hsu noted in a statement that the OCC is developing “high-level climate risk management supervisory expectations for large banks” and expects to issue the framework guidance for comment “by the end of the year.” Hsu also noted that the OCC will implement recommendations of the FSOC Climate Change Report, which was released in response to President Biden’s May executive order, and directed financial regulators to take steps to mitigate climate-related risk related to the financial system (covered by InfoBytes here). In a statement by Treasury Secretary Yellen, she discussed the importance of tackling climate change, stating that it is “the greatest economic opportunity of our time,” and noted the U.S. is “calling on the multilateral development banks to increase their efforts.” The Fed noted in a statement that it is committed to understanding and addressing climate change and, furthermore, “will address climate-related risks in an analytically rigorous, transparent, and collaborative way through our domestic work with other federal agencies including the Financial Stability Oversight Council; our international engagement through the Financial Stability Board, the Basel Committee on Banking Supervision, and the NGFS; and through our broad and transparent engagement with the private sector.”

    Federal Issues OCC Federal Reserve Biden Climate-Related Financial Risks Department of Treasury Bank Regulatory

  • OCC says synthetic banking providers require supervision

    Federal Issues

    On November 3, acting Comptroller of the Currency Michael J. Hsu spoke before the American Fintech Council’s Fintech Policy Summit 2021 and warned that “[t]he rebundling of banking services by fintechs and the fragmented supervision of universal crypto firms pose significant medium- to long-term risks to consumers, businesses, and financial stability.” Hsu also noted that large “universal” cryptocurrency firms interested in offering a wide range of financial services should “embrace comprehensive, consolidated supervision” like that given to banks. “Crypto firms today are regulated at most only partially and selectively, with no single regulator having a comprehensive view of the firm as a whole,” Hsu stated, adding “[t]his warrants greater attention as crypto firms, especially the universals, get bigger, engage in a wider range of activities and risk-taking, and deepen their interconnectedness within the crypto ecosystem and with traditional finance.” Warning that these “synthetic banking providers” (SBPs) could create a “run risk” and regulatory arbitrage, Hsu stressed the importance of removing “the disparity between the rights and obligations of banks and the rights and obligations of synthetic banking providers by holding SBPs to banking standards.” He further warned that customers’ needs must be met in a way that is reliable, consistently safe, sound, and fair, and discussed several reasons why more SBPs have not sought to become banks, including that “regulators have been unpredictable with regards to chartering new banks and approving fintech acquisitions of banks.” Establishing a clear, shared approach to the bank regulatory perimeter related to emerging technologies can address this challenge, he advised.

    Hsu also announced that the OCC concluded its review of recent bank charter applications and cryptocurrency-related interpretive letters and stated that the agency will communicate its determinations and feedback to bank charter applicants in the coming weeks. Findings from a “crypto sprint” done in conjunction with the FDIC and Federal Reserve will also be communicated shortly. “The content of these communications—on the chartering decisions, interpretive letters, and the crypto sprint—will be broadly aligned with the vision for the bank regulatory perimeter laid out here today,” Hsu stated.

    Federal Issues Digital Assets Fintech OCC Bank Regulatory Cryptocurrency Consumer Finance Bank Charter FDIC Federal Reserve Supervision Nonbank Supervision

  • Dept. of Labor issues ETS on employer vaccinations

    Federal Issues

    On November 5, the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) published a rule in the Federal Register requiring employers to develop, implement and enforce a mandatory Covid-19 vaccination policy, unless they adopt a policy requiring employees to choose between vaccination or regular testing for Covid-19 and wearing a face covering at work. The emergency temporary standard (ETS) is for “employers with 100 or more employees—firm or company-wide,” which covers two-thirds of the nation's private-sector workforce. According to OSHA’s press release, the ETS requires employers to: (i) give paid time to workers to get vaccinated; (ii) permit paid leave for employees recovering from side effects; (iii) determine the vaccination status of each employee; (iv) acquire proof of vaccination from each vaccinated employee; (v) maintain records on each employee’s vaccination status; (vi) ensure each employee who is not fully vaccinated is tested for Covid-19 at least once a week, in certain circumstances; (vii) require employees to provide prompt notice after receiving a positive Covid-19 test or diagnosis; and (viii) ensure that each employee who has not been fully vaccinated wears a face covering when working indoors or when occupying a vehicle with another person for work purposes. The ETS is effective immediately and “employers must comply with most requirements within 30 days of publication and with testing requirements within 60 days of publication.”

    The same day, the Biden administration released a fact sheet clarifying the details of OSHA’s mandate. Specifically, the fact sheet noted that though the testing requirement will not take effect until January 4, 2022, employers must be in compliance with all other requirements, such as “providing paid-time for employees to get vaccinated and masking for unvaccinated workers,” by December 5.

    Federal Issues Department of Labor OSHA Covid-19

  • CFPB affirms name-only matching practices violate FCRA

    Federal Issues

    On November 4, the CFPB issued an advisory opinion to express its interpretation that credit reporting companies, including tenant and employment screening companies, are in violation of the FCRA if they engage in the practice of matching consumer records solely by name. According to the Bureau, the use of name-only matching procedures (without the use of other personally identifying information such as address, date of birth, or Social Security number) does not assure maximum possible accuracy of consumer information. The Bureau emphasized that there is a heightened risk of mistaken identity from name-only matching among Hispanic, Black, and Asian communities due to less surname diversity among those populations as compared to the White population. “When background screening companies and their algorithms carelessly assign a false identity to applicants for jobs and housing, they are breaking the law,” Director Rohit Chopra stated. “Error-ridden background screening reports may disproportionately impact communities of color, further undermining an equitable recovery.” The advisory opinion affirms consumer reporting companies’ obligation to use reasonable procedures to assure maximum possible accuracy, and “does not create a safe harbor to use insufficient matching procedures involving multiple identifiers.” Other practices, such as combining a name with date of birth, could also lead to cases of mistaken identity, the Bureau warned. The Bureau will work closely with the FTC to eliminate illegal conduct in the background screening industry, while the FTC may be able to take actions against unfair or deceptive conduct not covered by the CFPA. The Bureau further emphasized that violating the FCRA can lead to civil penalties, restitution, damages, and other relief.

    Chopra issued a statement on the Bureau’s intention to curb false identity matching, pointing out that name-only matching is just one example of an inadequate procedure and that nothing in the advisory opinion “suggests that the responsibility to follow reasonable procedures to assure maximum possible accuracy can be met with a thoughtless application of any particular loose matching criteria, even if more than names alone are matched.” He also warned companies they should not try to evade their FCRA responsibilities “by issuing a disclaimer that their report might not be matched to the right person.” Chopra further noted that the Bureau will support the FTC in its work to monitor business models that rely on harvesting and monetizing personal data, as well as big tech companies and lesser-known data brokers that traffic data and consumer reports.

    Federal Issues CFPB Advisory Opinion FCRA Consumer Reporting FTC

  • 9th Circuit: Plaintiffs may proceed with citizenship status claims

    Courts

    On October 26, the U.S. Court of Appeals for the Ninth Circuit reversed a district court’s dismissal of civil rights claims for lack of standing, holding in an unpublished opinion that the plaintiffs satisfied Article III standing requirements by alleging that a bank discriminated against non-U.S. citizens in barring them from opening accounts online. The plaintiffs, lawful residents with valid Social Security numbers, filed a putative class action complaint claiming the bank allowed U.S. citizens to apply for new checking accounts online, but required the plaintiffs (based solely on their status as non-U.S. citizens) to apply in person at a branch office. The district court dismissed the claims, ruling that the plaintiffs failed to establish standing for their discrimination claims on the basis of citizenship status. The 9th Circuit disagreed, finding that “discrimination itself . . . can cause serious non-economic injuries to those persons who are denied equal treatment solely because of their membership in a disfavored group,” and concluding that the plaintiffs alleged a concrete injury-in-fact sufficient to confer Article III standing. “The fact that [p]laintiffs would have ultimately obtained the same checking account given to U.S. citizens does not vitiate the alleged discriminatory injury: that [the bank] imposes on non-U.S. citizens a requirement to apply in person that it does not impose on others,” the appellate court said. The 9th Circuit added that this injury was directly linked to the bank’s policy and reversed the dismissal but declined to rule on the substance of the claims.

    Courts Ninth Circuit Appellate Of Interest to Non-US Persons State Issues

  • District Court grants MTD in CFPB, NY AG debt collector case

    Federal Issues

    On October 27, the U.S. District Court for the Western District of New York denied a motion to dismiss an action brought by the CFPB and the New York attorney general against the operators of a debt-collection scheme, rejecting the defendants’ argument that they did not have fraudulent intent and their actions were taken for legitimate reasons. As previously covered by InfoBytes in April, the CFPB and the AG filed a complaint against the defendants for allegedly transferring ownership of his $1.6 million home to his wife and daughter for $1 shortly after he received a civil investigative demand and learned that the Bureau and the AG were investigating his debt-collection activities. The complaint further alleged that the transfer of the property was a fraudulent transfer under the FDCPA and made with the intent to defraud (a violation of the New York Debtor and Creditor Law), and that the owner-defendant “removed and concealed assets in an effort to render the Judgment obtained by the Government Plaintiffs uncollectable.” In 2019 the Bureau and the AG settled with the debt collection operation to resolve allegations that the defendants established and operated a network of companies that harassed and/or deceived consumers into paying inflated debts or amounts they may not have owed (covered by InfoBytes here).

    The court denied the defendants’ motion to dismiss, concluding that the CFPB and AG raised sufficient allegations that the debtor’s transfers and mortgage on his property were knowingly fraudulent. The court determined that fraudulent intent under the FDCPA may be determined by several factors, sometimes called “badges of fraud,” including whether “‘the transfer or obligation was to an insider,’ ‘the debtor retained possession or control of the property transferred after the transfer,’ ‘before the transfer was made or obligation was incurred, the debtor had been sued or threatened with suit,’ ‘the value of the consideration received by the debtor was reasonably equivalent to the value of the asset transferred or the amount of the obligation incurred,’ and ‘the transfer occurred shortly before or shortly after a substantial debt was incurred.’” The court held it was reasonable to infer that the defendant was aware “that he would likely face civil prosecution” and judgments “would be beyond his ability to pay.” The court noted that the defendant engaged in transferring a personally significant asset—his $1.6 million residence—to two insiders for nominal consideration, which was considered to be “highly unusual.” Additionally, the defendant alleged that he continued to “‘reside at and exercise control over’ the property and is now unwilling or unable to pay off the judgment,” which indicated the conveyance was also part of a sham divorce. Further, the court noted that “the complaint plausibly alleges that the mortgage ‘was not granted in good faith’ and was ‘made with the intent to make it appear that the Property was encumbered.’”

    Federal Issues CFPB FDCPA State Attorney General Enforcement Debt Collection New York State Issues

  • FDIC establishes MDI support office

    Federal Issues

    On November 2, the FDIC announced the creation of a new office to support the agency’s ongoing strategic and direct engagement with Minority Depository Institutions (MDIs), Community Development Financial Institution banks (CDFIs), and other mission-driven banks, in addition to promoting private sector investments in low- and moderate-income communities. The announcement further noted that FDIC Chairman Jelena McWilliams has initiated several programs for the FDIC’s MDI program since 2018, which include: (i) creating the Mission-Driven Bank Fund to facilitate critical capital investments in FDIC-insured MDIs and CDFIs (covered by InfoBytes here); (ii) establishing the MDI Subcommittee of the Advisory Committee on Community Banking; and (iii) adopting new processes to facilitate preservation of the minority character of an MDI in the case of a failure.

    Federal Issues FDIC Minority Depository Institution Bank Regulatory
