Recently, NYDFS issued an industry letter to regulated entities advising that a covered entity may adopt the cybersecurity program of an affiliate. New York’s Cybersecurity Regulation (23 NYCRR Part 500) requires regulated entities (Covered Entities) to implement risk-based cybersecurity programs to protect their information systems as well as the nonpublic information maintained on them. (See continuing InfoBytes coverage on 23 NYCRR Part 500 here.) Specifically, 23 NYCRR Part 500 allows “Covered Entities to adopt ‘the relevant and applicable provisions’ of the cybersecurity program of an affiliate provided that such provisions satisfy the requirements of the Cybersecurity Regulation.” NYDFS is also permitted to fully examine the adopted portions of the affiliate’s cybersecurity program to ensure compliance, even if that affiliate is not covered or regulated by NYDFS otherwise. Covered Entities are reminded that while they may adopt an affiliate’s cybersecurity program in whole or in part, the Covered Entity may not delegate compliance responsibility to the affiliate, and is responsible for ensuring its cybersecurity program complies with 23 NYCRR Part 500, “regardless of whether its cybersecurity program is its own or was adopted in whole or in part from an affiliate.” Additionally, a Covered Entity’s compliance obligations are the same whether it adopts an affiliate’s cybersecurity program or implements its own cybersecurity program. Among other things, Covered Entities are required to provide, upon request, all “documentation and information” related to their cybersecurity programs, including evidence that an adopted affiliate’s cybersecurity program meets the requirements of 23 NYCRR Part 500.
At a minimum, NYDFS requires access to an affiliate’s “cybersecurity policies and procedures, risk assessments, penetration testing and vulnerability assessment results, and any third party audits that relate to the adopted portions of the cybersecurity program of the affiliate.” NYDFS also explained that foreign bank branches and representative offices often have head offices located outside the U.S. that are not directly regulated by NYDFS. For these entities, all documentation and information relevant to the adopted portions of their head offices’ cybersecurity programs must be provided to NYDFS examiners to evaluate the Covered Entities’ compliance with 23 NYCRR Part 500.
On November 3, NYDFS announced the creation of the Climate Risk Division and the appointment of Dr. Yue (Nina) Chen as its Executive Deputy Superintendent and the inaugural NYDFS Director of Sustainability and Climate Initiatives. According to the announcement, the Climate Risk Division will, among other things: (i) include climate risks in its regulated entities supervision; (ii) support industry growth regarding climate risk management; (iii) coordinate with international, national, and state regulators; (iv) develop internal capacity regarding climate-related financial risks and support the capacity-building of peer regulators; and (v) ensure access to financial services is fair for all communities.
On November 3, the OCC, the Federal Reserve, and the U.S. Treasury Department released statements expressing support for the Network for Greening the Financial System (NGFS) Glasgow Declaration. OCC acting Comptroller Michael J. Hsu noted in a statement that the OCC is developing “high-level climate risk management supervisory expectations for large banks” and expects to issue the framework guidance for comment “by the end of the year.” Hsu also noted that the OCC will implement recommendations of the FSOC Climate Change Report, which was released in response to President Biden’s May executive order, and directed financial regulators to take steps to mitigate climate-related risk related to the financial system (covered by InfoBytes here). In a statement by Treasury Secretary Yellen, she discussed the importance of tackling climate change, stating that it is “the greatest economic opportunity of our time,” and noted the U.S. is “calling on the multilateral development banks to increase their efforts.” The Fed noted in a statement that it is committed to understanding and addressing climate change and, furthermore, “will address climate-related risks in an analytically rigorous, transparent, and collaborative way through our domestic work with other federal agencies including the Financial Stability Oversight Council; our international engagement through the Financial Stability Board, the Basel Committee on Banking Supervision, and the NGFS; and through our broad and transparent engagement with the private sector.”
On November 3, acting Comptroller of the Currency Michael J. Hsu spoke before the American Fintech Council’s Fintech Policy Summit 2021 and warned that “[t]he rebundling of banking services by fintechs and the fragmented supervision of universal crypto firms pose significant medium- to long-term risks to consumers, businesses, and financial stability.” Hsu also noted that large “universal” cryptocurrency firms interested in offering a wide range of financial services should “embrace comprehensive, consolidated supervision” like that given to banks. “Crypto firms today are regulated at most only partially and selectively, with no single regulator having a comprehensive view of the firm as a whole,” Hsu stated, adding “[t]his warrants greater attention as crypto firms, especially the universals, get bigger, engage in a wider range of activities and risk-taking, and deepen their interconnectedness within the crypto ecosystem and with traditional finance.” Warning that these “synthetic banking providers” (SBPs) could create a “run risk” and regulatory arbitrage, Hsu stressed the importance of removing “the disparity between the rights and obligations of banks and the rights and obligations of synthetic banking providers by holding SBPs to banking standards.” He further warned that customers’ needs must be met in a way that is reliable, consistently safe, sound, and fair, and discussed several reasons why more SBPs have not sought to become banks, including that “regulators have been unpredictable with regards to chartering new banks and approving fintech acquisitions of banks.” Establishing a clear, shared approach to the bank regulatory perimeter related to emerging technologies can address this challenge, he advised.
Hsu also announced that the OCC concluded its review of recent bank charter applications and cryptocurrency-related interpretive letters and stated that the agency will communicate its determinations and feedback to bank charter applicants in the coming weeks. Findings from a “crypto sprint” done in conjunction with the FDIC and Federal Reserve will also be communicated shortly. “The content of these communications—on the chartering decisions, interpretive letters, and the crypto sprint—will be broadly aligned with the vision for the bank regulatory perimeter laid out here today,” Hsu stated.
On November 2, the FDIC announced the creation of a new office to support the agency’s ongoing strategic and direct engagement with Minority Depository Institutions (MDIs), Community Development Financial Institution banks (CDFIs), and other mission-driven banks, in addition to promoting private sector investments in low- and moderate-income communities. The announcement further noted that FDIC Chairman Jelena McWilliams has initiated several programs for the FDIC’s MDI program since 2018, which include: (i) creating the Mission-Driven Bank Fund to facilitate critical capital investments in FDIC-insured MDIs and CDFIs (covered by InfoBytes here); (ii) establishing the MDI Subcommittee of the Advisory Committee on Community Banking; and (iii) adopting new processes to facilitate preservation of the minority character of an MDI in the case of a failure.
On October 29, NYDFS issued draft proposed amendments to 23 NYCRR 1, which regulates third-party debt collectors and debt buyers. Among other things, the proposed amendments:
- Define “communication” as “the conveying of information regarding a debt directly or indirectly to any person through any medium.”
- Amend the definition of a “debt collector” to include “as any creditor that, in collecting its own debts, uses any name other than its own that would suggest or indicate that someone other than such creditor is collecting or attempting to collect such debts.”
- Require collectors to clearly and conspicuously send written notification within five days after an initial communication with a consumer letting the consumer know specific information about the debt, including (i) the name of the creditor to which the debt was originally owed or alleged to be owed; (ii) account information associated with the debt; (iii) merchant/affinity/facility brand association; (iv) the name of the creditor to which the debt is currently owed; (v) the date of alleged default; (vi) the date the last payment (including any partial payment) was made; (vii) the statute of limitations, if applicable; (viii) an itemized accounting of the debt, including the amount currently due; and (ix) notice that the consumer “has the right to dispute the validity of the debt, in part or in whole, including instructions for how to dispute the validity of the debt.”
- State that disclosures may not be sent exclusively through an electronic communication, and that a formal pleading in a civil action shall not be treated as an initial communication.
- Prohibit collectors from communicating by telephone or other means of oral communication when attempting to collect on debts for which the statute of limitations has expired.
- Require collectors to provide consumers written substantiation of a debt within 30 days of receiving a written request via mail (consumers who consent to receiving electronic communications must still receive substantiation via mail).
- Limit collectors to three contact attempts via telephone in a seven-day period. Only one conversation with a consumer is permitted unless a consumer requests to be contacted.
- Permit collectors to communicate with consumers through electronic channels only if the consumer has voluntarily provided consent directly to the debt collector.
Comments on the proposal are due November 8.
On November 1, the New York governor signed S5246A, which expands the New York Community Reinvestment Act (New York CRA) to cover non-depository lenders. Under the act, nonbank mortgage providers’ lending and investment in low- and moderate-income communities will be subject to NYDFS review. The anti-redlining law—which previously only measured banks’ activities in low- to moderate-income communities—is intended to “ensure everyone has fair and equal access to lending options in their pursuit of purchasing a home, especially in communities of color which continue to be impacted by the effects of the pandemic and have historically faced many more hurdles when seeking a mortgage,” Governor Kathy Hochul stated. The act follows a report issued by NYDFS in February, which examined redlining in the Buffalo metropolitan area and concluded that there is a “distinct lack of lending by mortgage lenders, particularly non-depository lenders” to majority-minority populations and to minority homebuyers in general. (Covered by InfoBytes here.) At the time, the report made numerous recommendations, including a recommendation to amend the New York CRA to cover nonbank mortgage lenders and a request that the OCC and the CFPB investigate federally regulated institutions serving the Buffalo area for violations of fair lending laws. The act takes effect in a year.
On November 1, the U.S. Treasury Department announced that the President’s Working Group on Financial Markets (PWG), with the FDIC and the OCC (collectively, “agencies”), released a report on stablecoins, which are a kind of digital asset intended to maintain a stable value relative to the U.S. dollar. The report noted that stablecoins may be more widely used in the future as a means of payment, which Secretary of the Treasury Janet L. Yellen said could increase “risks to users and the broader system.” Additionally, Secretary Yellen considers current stablecoin oversight to be “inconsistent and fragmented.” Among other things, the report discussed gaps in regulatory authority to reduce these risks. The report recommended that Congress promptly enact legislation to address the risks of payment stablecoins and ensure that payment stablecoins and payment stablecoin arrangements are subject to consistent and comprehensive federal oversight and to “increase transparency into key aspects of stablecoin arrangements and to ensure that stablecoins function in both normal times and in stressed market conditions.” According to the announcement, “[s]uch legislation would complement existing authorities with respect to market integrity, investor protection, and illicit finance, and would address key concerns,” including: (i) risks to stablecoin users and stablecoin runs; (ii) payment system risk; and (iii) systemic risk and concentration of economic power.
While Congress examines legislation on stablecoin, the report recommended that the Financial Stability Oversight Council consider steps for addressing risks, such as “the designation of certain activities conducted within stablecoin arrangements as, or as likely to become, systemically important payment, clearing, and settlement (PCS) activities,” which would be subject to an examination and enforcement framework. The report also recommended that stablecoin issuers “comply with activities restrictions that limit affiliation with commercial entities,” to maintain the separation of banking and commerce. Additionally, the report discussed that, in addition to existing AML/CFT regulations, stablecoin arrangements and activities may implicate the jurisdiction of the SEC and/or CFTC. Therefore, to prevent misuse of stablecoins and other digital assets, the announcement noted that Treasury “will continue leading efforts at the Financial Action Task Force (FATF) to encourage countries to implement international AML/CFT standards and pursue more resources to support supervision of domestic AML/CFT regulations.”
The same day, Treasury released a fact sheet on the PWG report, which clarified, among other things, the purpose of the report, risks posed by stablecoins, and the agencies’ recommendations. In a statement released by OCC acting Comptroller of the Currency Michael J. Hsu, he emphasized his support for the recommendations highlighted in the report, pointing out that “[s]tablecoins need federal prudential supervision to grow and evolve safely.” In a statement released by CFPB Director Rohit Chopra, he noted that though the CFPB was not a member of the PWG, the Bureau “will be taking several steps related to this market,” such as the CFPB’s orders to six large U.S. technology companies seeking information and data on their payment system business practices (covered by InfoBytes here), among other things.
On October 28, the OCC issued Bulletin 2021-52 announcing the issuance of version 2.0 of the “Retail Lending” booklet of the Comptroller’s Handbook. The booklet rescinds OCC Bulletin 2017-15, “Retail Lending: New Comptroller's Handbook Booklet” (covered by InfoBytes here) and the “Retail Lending” booklet of the Comptroller’s Handbook, version 1.1. Among other things, the revised booklet: (i) reflects changes to laws and regulations since the last update of this booklet; (ii) reflects OCC issuances published and rescinded since the last update of this booklet; (iii) clarifies supervisory guidance, sound risk management practices, and legal language; and (iv) alters some content for clarity purposes.
On October 29, the FDIC released a list of administrative enforcement actions taken against banks and individuals in September. During the month, the FDIC made public six orders consisting of “one Consent Order, two terminations of Consent Orders, one Order to Pay Civil Money Penalty, one Order Terminating Decision and Order to Cease and Desist, and one Order of Termination of Insurance.” Among the orders is an order to pay a civil money penalty imposed against a Nebraska-based bank related to alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank “[m]ade, increased, extended, or renewed loans secured by a building or mobile home located or to be located in a special flood hazard area without requiring that the collateral be covered by flood insurance,” and also allegedly “[f]ailed to comply with proper procedures for force-placing flood insurance in instances where the collateral was not covered by flood insurance at some time during the term of the loan.” The order requires the payment of a $24,000 civil money penalty.
The FDIC also issued a consent order to a Utah-based bank, which requires the bank to take measures to correct current alleged violations (and prevent future violations) of TILA, RESPA, E-Sign Act, ECOA, CRA, and TISA, as well as the statutes’ implementing regulations. The bank neither admitted nor denied the alleged violations but agreed to, among other things, develop a sound risk-based compliance program and implement an effective training program to ensure compliance.