InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC issues final guidelines on recovery planning for covered banks
On October 21, the OCC issued its final guidelines meant to strengthen recovery planning for large insured banks. The guidelines were a response to significant withdrawals of uninsured deposits in March 2023 that led to the decline of several institutions with assets of $100 billion or more. The guidelines lowered the threshold for “covered banks” from $250 billion to $100 billion in average total consolidated assets, reflecting the OCC’s observation that banks of this size posed significant risks. The guidelines also incorporated a testing standard to ensure recovery plans are effective and realistic in restoring financial strength during severe stress.
The guidelines mandated that covered banks develop and maintain recovery plans specific to their size, risk profile, activities, and complexity. These plans must include triggers for financial and non-financial stress, a range of credible recovery options, and impact assessments detailing how each option would affect the bank’s capital, liquidity, and overall risk profile. To validate the effectiveness of recovery plans, covered banks must conduct periodic testing. This testing should be appropriate for the bank’s individual characteristics and confirm that the plan can realistically restore the bank to financial strength and viability. The OCC believes such testing will help banks proactively identify and address any weaknesses or deficiencies in their recovery plans. Compliance begins on January 1, 2025, when the new rules go into effect.
OCC issues final guidelines on recovery planning for covered banks
On October 21, the OCC issued its final guidelines meant to strengthen recovery planning for large insured banks. The guidelines were a response to significant withdrawals of uninsured deposits in March 2023 that led to the decline of several institutions with assets of $100 billion or more. The guidelines lowered the threshold for “covered banks” from $250 billion to $100 billion in average total consolidated assets, reflecting the OCC’s observation that banks of this size posed significant risks. The guidelines also incorporated a testing standard to ensure recovery plans are effective and realistic in restoring financial strength during severe stress.
The guidelines mandated that covered banks develop and maintain recovery plans specific to their size, risk profile, activities, and complexity. These plans must include triggers for financial and non-financial stress, a range of credible recovery options, and impact assessments detailing how each option would affect the bank’s capital, liquidity, and overall risk profile. To validate the effectiveness of recovery plans, covered banks must conduct periodic testing. This testing should be appropriate for the bank’s individual characteristics and confirm that the plan can realistically restore the bank to financial strength and viability. The OCC believes such testing will help banks proactively identify and address any weaknesses or deficiencies in their recovery plans. Compliance begins on January 1, 2025, when the new rules go into effect.
CFPB’s Chopra discusses Personal Financial Data Rights rule
On October 23, CFPB Director Rohit Chopra released prepared remarks about the CFPB’s recent finalization of the Personal Financial Data Rights rule (the Rule) under Section 1033. The Bureau believes the Rule would give consumers greater control over their financial data. As previously covered in an Orrick insight, discussed on the RegFi Podcast, and briefed on InfoBytes, the CFPB mandated that financial institutions under the EFTA, credit card issuers under TILA, and other financial services providers such as digital wallet providers (collectively “data providers”) would make covered data available to consumers and third parties in a standardized format.
The Rule would also allow consumers to authorize third parties to obtain data on their behalf, require these third parties to adhere to federal data security requirements, and seek to discourage the practice of “screen scraping.” Authorized third parties must minimize the data they collect, secure it and delete it upon consumer revocation. They would also be prohibited from obtaining permanent authorization to obtain consumers’ data.
The Rule would allow banks and fintech companies to deny third party data access requests if the requesting company does not meet minimum standards, such as proving consumer authorization and disclosing their legal entity identifier. Furthermore, the Rule would impose significant limitations on how companies can use consumer data, restricting its use to the specific product or service requested by the consumer and forbidding unrelated reuse of the data. According to CFPB Director Chopra, these measures collectively aim to enhance privacy and security in financial markets, countering the trend toward surveillance pricing. As an example, the CFPB noted how a rideshare company could use financial data to charge higher prices after a consumer receives his or her paycheck.
FDIC extends comment period for proposed rule for another month
On October 16, the FDIC extended the comment period for a proposed rule change under the Change in Bank Control Act (CBCA) to November 18. As previously covered by InfoBytes, the proposed rule would amend the regulations regarding advance notice requirements for certain acquisitions of voting securities of FDIC-supervised institutions. The original comment period, which began on August 19, has now been extended from October 18 to November 18.
CFPB finalizes Personal Financial Data Rights under Section 1033
On October 22, the CFPB issued a final rule on personal financial data rights under 12 CFR Part 1033, mandating that financial institutions, credit card issuers and other financial providers make covered data available to consumers and third parties in a standardized format. The rule would give consumers greater choice over their financial data, promote competition, and improve consumer financial management. As previously covered by InfoBytes, this rule relates to the set of rules the CFPB finalized in June to move the consumer finance industry towards “open banking” standards.
The CFPB’s final rule faced opposition during the comment period. Many data providers expressed concerns about the costs and burdens of compliance. They argued the rule would disadvantage smaller entities and questioned the CFPB’s authority to implement such extensive requirements. Conversely, consumer advocates and third parties generally supported the rule, emphasizing the benefits of increased data access and competition.
In general, the rule would establish a regulated mechanism for third parties to access consumer financial data. Subpart A defined the rule’s coverage, set tiered compliance dates, defined terms, and set criteria for recognized standard setters. Subpart B outlined data providers’ obligations, such as making covered data available to consumers or authorized third parties upon request. Subpart C required data providers to establish and maintain an interface for data requests, and such interface must provide consumer data in a standardized, machine-readable format. The rule would also prohibit data providers from charging fees on these requests. Subpart D specified the obligations of third parties accessing covered data on behalf of consumers.
The final rule would apply to any “data provider” that controls or possesses covered data concerning a covered consumer financial product or service. Covered consumer financial product or service includes Regulation E accounts (demand deposit accounts, savings accounts, or other consumer asset accounts established primarily for personal, family or household purposes), Regulation Z credit cards (which may include BNPL providers), and the facilitation of payments from a Regulation E account or Regulation Z credit card (including a digital wallet provider), with some exceptions.
These data providers must make available consumers’ transaction information, account balance, payment information, terms and conditions, upcoming bill information, and basic account verification information via the specified interface. In addition, the rule would require third parties to obtain express information authorization, limit the use of consumer data, implement information security programs, and create a revocation mechanism. To address data privacy and security concerns, the rule would also establish a framework for recognizing standard-setting bodies that will create qualified industry standards for data transmission and security.
Dates to comply with the requirements in subparts B and C for making certain types of data available and how that will happen for different types of data providers vary and the deadlines range from April 1, 2026, to April 1, 2030. The deadlines depend on the size and type of the institution and are as follows:
- April 1, 2026 — for depository institution data providers that hold at least $250 billion in total assets and nondepository institution data providers that generated at least $10 billion in total receipts in either calendar year 2023 or calendar year 2024.
- April 1, 2027 — for data providers that are depository institutions that hold at least $10 billion in total assets but less than $250 billion in total assets or nondepository institutions that did not generate $10 billion or more in total receipts in both calendar year 2023 and calendar year 2024.
- April 1, 2028 — for depository institution data providers that hold at least $3 billion in total assets but less than $10 billion in total assets.
- April 1, 2029 — for depository institution data providers that hold at least $1.5 billion in total assets but less than $3 billion in total assets.
- April 1, 2030 — for depository institution data providers that hold less than $1.5 billion in total assets but more than $850 million in total assets.
- The rule will not apply to smaller depository institutions with total assets below $850 million.
The rule will become effective 60 days after its publication in the Federal Register.
FDIC extends compliance deadline for amended sign and advertising requirements
On October 17, the FDIC issued a notice delaying the deadline to comply with its final rule governing its official signage from January 1, 2025, to May 1, 2025. The final rule, titled “FDIC Official Signs and Advertising Requirements, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo” was published in the Federal Register and will apply to Part 328, subpart A. The final rule, approved by the FDIC Board in December 2023, will update the FDIC’s sign and advertising requirements for insured depository institutions to reflect modern banking practices. The FDIC shared the deadline extension was granted based on feedback from financial institutions who needed additional time to implement the new regulatory requirements.
The signage requirements govern the use of the FDIC official sign, official digital sign, and other signs differentiating deposits and non-deposit products across all banking channels, including physical premises, ATMs and digital channels. Banks will be required to display a digital sign near their name on all digital platforms and certain ATMs. The rule also will modernize the display requirements for the FDIC official sign in bank branches and other physical locations to accommodate evolving designs. Additionally, the rule requires that banks establish and maintain written policies and procedures to ensure compliance with Part 328.
FHFA releases NPRM on revising FHLBanking System governance
On October 16, the FHFA released its NPRM to revise regulations governing the boards of directors and management of the FHLBank System. The proposed rule would update and clarify regulatory requirements on director eligibility, nomination, election, removal processes, and the conducts of board and committee meetings. The rule would expand the required qualifying experience for regular independent directors to include AI, information technology and security, climate-related risk, CDFI business models, and modeling.
The proposed changes were informed by the FHLBank System at 100 Report, published in November 2023 (covered by InfoBytes here). The report laid out four regulatory actions: clarifying the qualifications for public interest independent directors, expanding the list of qualifying experience for regular independent directors, encouraging the FHLBanks to address gaps in board knowledge, and facilitating the nomination of individuals with technical subject matter expertise. Additionally, the proposed rule would require each FHLBank to conduct an annual assessment of the skills and experience possessed by its board and to take active steps to seek nominees who possess needed skills and experience. This would include prioritizing knowledge and experience relevant to the business, programs and mission of the FHLBank. Comments were opened on October 21 and must be received within 90 days after publication of the NPRM in the Federal Register.
FTC finalizes “Click-to-Cancel” Rule
On October 16, the FTC announced a final Negative Option Rule, also known as the “click-to-cancel” rule, requiring sellers to make it as easy for consumers to cancel their enrollment as it was to sign up for the goods or services in the first instance. As previously covered by InfoBytes, the FTC issued its NPRM seeking feedback to its proposed amendments to the agency’s Negative Option Rule, which is used to combat unfair or deceptive practices related to subscriptions, memberships, and other recurring-payment programs.
The FTC highlighted two major changes to the originally proposed rule, which include: (i) the exclusion of requiring sellers to provide annual reminders to consumers about the negative option feature of their subscription, so that sellers are no longer obligated to send yearly notifications to remind consumers of their ongoing subscription and its terms; and (ii) the removal of prohibiting sellers from informing consumers about plan modifications or reasons to keep their existing agreement during the cancellation process, so sellers can discuss alternative plans or reasons to stay subscribed with consumers seeking to cancel, only if the consumer agrees to hear about them first.
The FTC provided a fact sheet highlighting the objectives of the rule. The rule will take effect 180 days after publication in the Federal Register.
FTC, DOJ and CFPB warn consumers about potential scams after natural disasters
On October 9, the FTC, DOJ and CFPB warned consumers about potential fraud and price gouging during natural disasters. According to the agencies, scammers often exploit weather emergencies to take advantage of people trying to recover or donate to disaster victims.
FTC Chair Lina M. Khan highlighted reports of price gouging for essentials like hotels and groceries, and Deputy Assistant Attorney General Manish Kumar of the DOJ’s Antitrust Division warned companies against using the recent hurricane as an excuse for illegal behavior. CFPB Director Rohit Chopra condemned price gouging during natural disasters as unfair and illegal.
The FTC outlined common types of disaster-related scams, including fraudulent charities, scammers impersonating government officials or promoting non-existent businesses or investment opportunities, and price gouging for essential goods and services. To avoid scams, consumers are advised to be cautious of anyone insisting on payment by wire transfer, gift card, payment app, cryptocurrency, or cash. Officials emphasized that FEMA never requires those affected by a natural disaster to pay a fee to get disaster relief. The federal government also recommends taking measures to prevent fraud such as researching contractors, obtaining multiple estimates, and securing written contracts for repairs. Consumers can report scams to the FTC here.
FDIC extends comment periods on brokered deposit NPR, deposit data RFI
On October 8, the FDIC announced an extension of the comment period on its NPR to provide restrictions, update definitions, and provide new exceptions to the FDIC’s safety and soundness rule on brokered deposits (12 CFR 337.6) that implements Section 29 of the Federal Deposit Insurance Act (covered by InfoBytes here). Comments on the proposal are now due by November 21.
The FDIC also announced it is extending the comment period on its RFI for deposit data, specifically data not reported in the Federal Financial Institutions Examination Council’s (FFIEC) call reports or other regulatory reports (covered by InfoBytes here). Comments on the RFI now will be received through December 6.