InfoBytes Blog
NYDFS Landmark Cybersecurity Rule Set to Take Effect on March 1
On February 16, New York Governor Andrew Cuomo announced that with the New York Department of Financial Services’ (NYDFS) publication of a Final Regulation, New York’s “First-in-the-Nation Cybersecurity Regulation” is set to take effect on March 1. As discussed previously in InfoBytes, the regulation—which requires banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain a cybersecurity program designed to protect consumers’ private data—imposes broad and, in some cases proscriptive, data security and cybersecurity requirements on Covered Entities that venture into new territory for both state and federal financial regulators. Indeed, as described by Governor Cuomo, the regulation reflects New York’s efforts to “lead[] the nation” through “decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”
Moreover, as detailed in a follow-up InfoBytes Special Alert, NYDFS issued an updated proposed regulation on December 28 in response to over 150 comments and testimony presented at a hearing before New York State lawmakers. Though the updated proposed regulation did not differ drastically from the original, it provided for somewhat greater flexibility in how covered entities could go about implementing the requirements. Among other things, the December 28 revisions provided for: (i) longer timeframes for compliance with its requirements; (ii) more flexibility for compliance with certain requirements and acknowledgement that some requirements may not be applicable to all financial institutions; and (iii) clarifications to certain key definitions.
The newly released Final Regulation retains the revisions incorporated in the December 28 revision, but also contains the following notable revisions:
- Record retention requirements for audit trail materials relating to Cybersecurity Events were reduced from five years to three years.
- Clarification that Covered Entities’ policies and procedures for reporting by Third Party Service Providers of Cybersecurity Events only apply to the Covered Entity’s Nonpublic Information.
- The limited exemption for small businesses to certain requirements of the rule has been narrowed by including a Covered Entity’s New York affiliates when calculating its number of employees and annual revenue.
- Further clarification on the exemptions for companies regulated under New York’s Insurance Law.
With the expiration of the 30-day comment period and the publication of the Final Rule, New York’s Cybersecurity regulation is officially cleared to become effective upon publication in the New York State Register on March 1.
InfoBytes will continue to monitor the rollout of this pioneering regulation as it progresses.
OCC Proposes Final Revisions to Stress Test Information Collection
On February 2, the OCC requested comment on proposed revisions to an existing information collection entitled “Company-Run Annual Stress Test Reporting Template and Documentation for Covered Institutions with Total Consolidated Assets of $50 Billion or More Under the [Dodd-Frank Act].” The agency is also giving notice that it has sent the collection to the OMB for review. This information collection is related to the conduct of annual stress tests that the Dodd-Frank Act requires of certain financial companies, including national banks and federal savings associations. Comments on the current notice must be received by March 6, 2017.
FDIC Issues List of Banks Examined for CRA Compliance
On February 3, the FDIC released its February 2017 list of state nonmember banks recently evaluated for compliance with the Community Reinvestment Act (CRA). As part of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989 (FIRREA), Congress mandated the public disclosure of an evaluation and rating for each bank or thrift that undergoes a CRA examination on or after July 1, 1990. A monthly list of banks examined for CRA compliance dating back to 1996 can be accessed here. The February 2017 list covers evaluation ratings that the FDIC assigned to institutions in November 2016. Of the 49 banks evaluated, five were rated Outstanding, 43 received a Satisfactory rating, and one was rated Needs to Improve.
OCC, FDIC, and Fed Release Stress Test Scenarios for 2017
On February 3, the Fed announced the release of the “Supervisory Scenarios” to be used by banks and supervisors for the 2017 Comprehensive Capital Analysis and Review (CCAR) and Dodd-Frank Act stress test exercises and also issued instructions to firms participating in CCAR. The Fed also published three letters that provide additional information on its stress-testing program. The three letters describe: (i) the Horizontal Capital Review for large, noncomplex companies; (ii) the CCAR qualitative assessment for U.S. intermediate holding companies of foreign banks, which are submitting capital plans for the first time; and (iii) improvements to how the Fed will estimate post-stress capital ratios.
On February 3, the OCC similarly released economic and financial market scenarios for 2017 that are to be used by national banks and federal savings associations (with total consolidated assets of more than $10 billion) in their annual Dodd-Frank Act-mandated stress test. On February 6, the FDIC released its stress test scenarios, working in consultation with the Fed and OCC.
The three sets of supervisory scenarios provide each agency with forward-looking information for use in bank supervision and will assist the agencies in assessing the covered institutions’ risk profile and capital adequacy.
Fed Survey: CRE Tightening Trend Continues
On February 6, the Fed released its January 2017 senior loan officer survey, addressing changes in the standards and terms on, and demand for, bank loans to businesses and households over the past three months. The January survey results indicated that over the fourth quarter of 2016, on balance, lenders left their standards on commercial and industrial (“C&I”) loans unchanged, while tightening credit for commercial real estate (“CRE”) loans. Banks reported that they expect to ease standards on C&I loans and for the asset quality of such loans to improve somewhat this year. In contrast, banks expect to tighten standards on CRE loans, while they expect the asset quality of most CRE loan categories to remain unchanged. As to loans to households, banks reported that demand for most types of home-purchase loans weakened over the fourth quarter. On balance, banks reported that they expect to ease standards and to see asset quality improve somewhat for most residential home-purchase loans in 2017.
For additional details see:
- Table 1 – Opinion Survey on Bank Lending Practices at Selected Large Banks in the U.S.
- Table 2 – Opinion Survey on Bank Lending Practices at Selected Branches & Agencies of Foreign Banks
- Charts – Measures of Supply and Demand for Commercial & Industrial Loans
Fed Finalizes Rule Simplifying Stress Testing Process for Regional Banks
On January 30, the Fed issued a finalized version of its rule aimed at simplifying the Fed’s Comprehensive Capital Analysis and Review (CCAR or “stress test”) by exempting all but the largest financial institutions from the qualitative assessment portion of the Fed’s stress test. The changes will apply to the 2017 CCAR cycle, which began on January 1, 2017.
Specifically, the new rule provides that “large and noncomplex firms”—those with total consolidated assets of at least $50 billion but less than $250 billion, and nonbank assets of less than $75 billion (and that are not U.S. global-systemically important banks)—will no longer be subject to the provisions allowing the Fed to object to a bank’s capital adequacy plan based on an evaluation of hypothetical scenarios of severe economic and financial market stress, known as a “qualitative assessment.” Previously, the Board could object to the annual capital plan of any bank subject to stress testing, based on the quantitative or qualitative findings of the exercise. However, the rule also decreases the amount of additional capital exempted banks can distribute to shareholders in connection with a capital plan without seeking prior approval from the Fed, now 0.25 percent of tier 1 capital down from 1 percent.
Special Alert: Trump Administration Initiates “Regulatory Freeze”
Buckley Sandler Special Alert
On January 20, Reince Priebus, Chief of Staff to President Trump, issued a memorandum to the heads of executive departments and agencies initiating a regulatory review to be headed by the Director of the Office of Management and Budget (“OMB”). Congressman Mick Mulvaney (R-SC) has been nominated to fill that position.
On behalf of the President, the memorandum asks the following of the agency and department heads:
- No new regulations: “[S]end no regulation to the Office of the Federal Register (the ‘OFR’) until a department or agency head appointed or designated by the President after noon on January 20, 2017, reviews and approves the regulation.”
- Withdraw final but unpublished regulations: “With respect to regulations that have been sent to the OFR but not published in the Federal Register, immediately withdraw them from the OFR for review and approval.”
- Delay the effective date of published but not yet effective regulations: “With respect to regulations that have been published in the OFR but have not taken effect, as permitted by applicable law, temporarily postpone their effective date for 60 days from the date of this memorandum” and consider notice and comment to further delay the effective date or to address “questions of fact, law, or policy.” Following the delay, regulations that “raise no substantial questions of law or policy” would be allowed to take effect. For those regulations that do raise such questions, the agency or department “should notify the OMB Director and take further appropriate action in consultation with the OMB Director.”
Rulemakings subject to statutory or judicial deadlines are exempt, and the OMB Director has the authority to grant further exemptions for “emergency situations or other urgent circumstances relating to health, safety, financial, or national security matters, or otherwise.”
If you have questions about the “freeze” or other related issues, visit our Consumer Financial Protection Bureau practice for more information, or contact a BuckleySandler attorney with whom you have worked in the past.