On March 8, the OCC, Federal Reserve Board, and the FDIC released updated Community Reinvestment Act (CRA) FAQs related to Covid-19. The FAQs, first issued last May (covered by InfoBytes here), provide guidance for financial institutions and examiners regarding CRA consideration for activities taken in response to the pandemic. Highlights of the five new FAQs include:
- Banks cannot receive CRA service test consideration for Paycheck Protection Program (PPP)-related activities; however, the agencies recognize that because the PPP loan program responds to community credit needs, PPP activities will be considered under the CRA lending test when evaluating flexible or innovative lending programs offered by a bank.
- Banks should not report PPP loans that have been rescinded or returned under the SBA’s safe harbor on their CRA loan register. Moreover, examiners will not consider these loans in their CRA evaluations of banks during the applicable time period.
- PPP loans over $1 million in low- or moderate-income geographies or in distressed or underserved nonmetropolitan middle-income geographies “will be considered an eligible community development activity.”
- As noted in a joint statement released by the agencies last year (covered by InfoBytes here), favorable CRA consideration will be given to banks providing retail banking services and retail lending activities that respond to the needs of affected low- and moderate-income (LMI) individuals, small businesses, and small farms consistent with safe and sound banking practices. These activities may include waiving ATM fees, overdraft fees, and early withdrawal penalties on certificates of deposit (CDs), or allowing LMI consumers to make draws from a HELOC during the repayment period. The agencies note that allowing LMI consumers “to make a withdrawal from an IRA as allowed under the CARES Act, or to draw on a HELOC during the draw period are routine banking services and, as such, are not eligible for CRA consideration.”
- The agencies will consider community development services provided virtually by bank representatives on an individual level based on the event and the benefitted assessment area.
On March 8, the Federal Reserve Board announced the extension of the Paycheck Protection Program Liquidity Facility (PPPLF) through June 30. The PPPLF was rolled out last year to provide liquidity to banks making loans to small businesses pursuant to the Small Business Administration’s Paycheck Protection Program at the start of the Covid-19 pandemic (covered by InfoBytes here). The Board noted, however, that the remaining Covid-19 lending facilities—the Commercial Paper Funding Facility, the Money Market Mutual Fund Liquidity Facility, and the Primary Dealer Credit Facility—will terminate March 31 as planned.
On March 3, NYDFS announced a settlement with a mortgage lender to resolve allegations that the lender violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to report it was the subject of a cyber breach in 2019. Under Part 500.17, regulated entities are required to provide timely notice to NYDFS when a cybersecurity event involves harm to customers (see FAQs here). A July 2020 examination revealed that the cyber breach involved unauthorized access to an employee’s email account, which could have provided access to personal data, including social security and bank account numbers. NYDFS also claimed that the lender allegedly failed to implement a comprehensive cybersecurity risk assessment as required by 23 NYCRR Part 500. Under the terms of the consent order, the lender will pay a $1.5 million civil monetary penalty, and will make further improvements to strengthen its existing cybersecurity program to ensure compliance with 23 NYCRR Part 500. NYDFS acknowledged that the mortgage lender had controls in place at the time of the cyber incident and implemented additional controls since the incident. NYDFS also acknowledged the mortgage lender’s “commendable” cooperation throughout the examination and investigation and stated that the lender had demonstrated its commitment to remediation.
On February 25, the FFIEC published updated versions of four sections of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (Manual), which provides examiners with instructions for assessing a bank’s or credit union’s BSA/AML compliance program and compliance with BSA regulatory requirements. The revisions can be identified by a 2021 date on the FFIEC BSA/AML InfoBase and include the following updated sections: Assessing Compliance with Bank Secrecy Act Regulatory Requirements, Customer Identification Program, Currency Transaction Reporting, and Transactions of Exempt Persons. The FFIEC notes that the “updates should not be interpreted as new instructions or as a new or increased focus on certain areas,” but are intended to “offer further transparency into the examination process and support risk-focused examination work.” In addition, the Manual itself does not establish requirements for financial institutions as these requirements are found in applicable statutes and regulations. (See also FDIC FIL-12-2021 and OCC Bulletin 2021-10.)
On February 26, the FDIC released a list of administrative enforcement actions taken against banks and individuals in January. During the month, the FDIC issued 11 orders consisting of “two consent orders, two section 19 orders, two prohibition orders, two orders to pay civil money penalties, one order terminating consent order, and two orders terminating consent orders and orders for restitution.” Among the orders is a civil money penalty issued against a Tennessee-based bank related to alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claims that the bank (i) failed to provide required lender-placed flood insurance notices to borrowers about the availability of flood insurance under the National Flood Insurance Act; (ii) provided an incomplete lender-placed flood insurance notice to a borrower; (iii) allowed flood insurance to lapse during the terms of several loans without placing flood insurance on borrowers’ behalf; (iv) failed to maintain an adequate amount of flood insurance; and (v) failed to provide timely notice of special flood hazards and the availability of federal disaster relief assistance. The order requires the payment of a $4,000 civil money penalty.
On February 23, the FDIC released nine technical assistance videos on fair lending compliance. The videos provide FDIC-supervised institutions with a high-level overview on ways to assess and mitigate fair lending risk and understand how examiners evaluate fair lending compliance. Information provided in the videos includes: (i) an overview of federal fair lending laws and regulations for bank directors and senior managers; (ii) ways a bank’s compliance management system can mitigate fair lending risk; (iii) a discussion on how FDIC examiners evaluate fair lending risk during consumer compliance examinations; and (iv) commentary on the following specific fair lending risk factors, one each for overt discrimination, underwriting, pricing, steering, redlining, and marketing.
On February 22, the Federal Reserve Board, OCC, FDIC, NCUA, and the Conference of State Bank Supervisors issued a joint statement covering supervisory practices for financial institutions affected by winter storms in Texas. Among other things, the agencies called on financial institutions to “work constructively” with affected borrowers, noting that “prudent efforts” to adjust or alter loan terms in affected areas “should not be subject to examiner criticism.” Institutions facing difficulties in complying with any publishing and reporting requirements should contact their primary federal and/or state regulator. Additionally, the agencies noted that institutions may receive Community Reinvestment Act consideration for community development loans, investments, and services that revitalize or stabilize federally designated disaster areas. Institutions are also encouraged to monitor municipal securities and loans impacted by the winter storms.
Additionally, HUD announced it will make disaster assistance available to Texas by providing foreclosure relief and other assistance to homeowners living in counties affected by the severe winter storms. Specifically, HUD is providing an automatic 90-day moratorium on foreclosures of FHA-insured home mortgages for covered properties in the affected counties and is making mortgage insurance available to those victims whose homes were destroyed or severely damaged. Additionally, HUD’s Section 203(k) loan program will allow individuals who have lost homes to finance the purchase of a house, or refinance an existing house along with the costs of repair, through a single mortgage. The program will also allow homeowners with damaged property to finance the rehabilitation of existing single-family homes.
On February 18, the FDIC, Federal Reserve Board, and the OCC published a joint notice and request for comments on changes to three versions of the Call Report—FFIEC 031, FFIEC 041, and FFIEC 051. The reporting changes, first proposed by the agencies last year, will provide relief to financial institutions with under $10 billion in total assets as of December 31, 2019, by allowing them “to use the lesser of the total consolidated assets reported in its Call Report as of December 31, 2019, or June 30, 2020, when determining whether the institution has crossed certain total asset thresholds to report additional data items in its Call Reports for report dates in calendar year 2021.” The agencies also outline specific thresholds that limit certain eligibility for streamlined Call Reports or that require the reporting of certain additional data items. This relief will only be allowed for calendar year 2021. The agencies will also allow financial institutions that temporarily exceed the $10 billion total asset threshold to use the community bank leverage ratio framework in Call Report Schedule RC R from December 31, 2020, through December 31, 2021, provided the institution meets the other qualifying criteria for this framework. Comments on the proposed changes are due March 22.
NYDFS: Global social media company must prevent app developers from transmitting users’ sensitive data
On February 18, New York Governor Andrew M. Cuomo accepted a report detailing the findings of an NYDFS investigation into whether sensitive personal information, including medical and personal data, was shared with a global social media company by application and website developers without users’ consent or knowledge. In 2019, the governor directed NYDFS to perform an investigation into the company’s collection of sensitive personal data from smartphone apps after a media report emerged that claimed app developers regularly sent sensitive data to the company. According to the NYDFS press release, the report’s findings conclude, among other things, that inadequate controls at the company allowed sensitive data to be wrongfully shared, and that the company “did little to track whether app developers were violating its policies” and to date has taken “no real action against developers” that transmit the data. The report outlines various remedial measures the company has undertaken as a result of the investigation, including (i) building and implementing a screening system to identify and block sensitive information prior to entering the company’s system; (ii) enhancing app developer education to better inform developers that they are obligated to avoid transmitting sensitive data; and (iii) taking measures to provide users more control over data that is collected about them, including from off-company activity. The report also includes recommendations for the company to implement to better protect consumer privacy and ensure app developers “are fully aware of the prohibition” on transmitting sensitive data. The steps include that the company should “do more to prevent developers from transmitting sensitive data in the first place rather than simply relying so heavily on a back-end screening system.” The report also urges the company to “undertake significant additional steps to police its own rules” by putting in place appropriate consequences for violations.
On February 18, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included among the actions is a January 8 civil money penalty order against an Illinois-based bank, which requires the payment of $193,105 for an alleged pattern or practice of violations of the Flood Disaster Protection Act and its implementing regulations.