InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB finalizes prepaid rule updates; moves effective date
On January 24, the CFPB released updates to the final rule governing prepaid accounts (Rule) delaying the effective date of the rule by one year, to April 1 2019. In December, as previously covered by InfoBytes, the Bureau announced its plan to delay the effective date and adopt final amendments to the Rule. In addition to certain clarifications and other minor adjustments, the updates include: (i) finalizing that the requirement for consumers to register their accounts to receive fraud and error protection benefits will only be applied prospectively, after a consumer’s identity has been verified; and (ii) creating a limited exception to certain provisions of the Rule for instances where traditional credit card accounts, subject to Regulation Z open-end credit rules, are linked to digital wallets.
Agencies offer CRA credit for certain disaster relief efforts
On January 25, the FDIC, OCC, and the Fed (collectively “Agencies”) issued an interagency statement on the availability of Community Reinvestment Act (CRA) credit for financial institution activities that “help revitalize or stabilize the U.S. Virgin Islands and Puerto Rico, which were designated as major disaster areas by the President because of Hurricane Maria.” Provided financial institutions continue to be responsive to the community needs of their own CRA assessment areas, the Agencies will now give “favorable consideration” to community development activities, such as assistance to displaced people, in the areas impacted by Hurricane Maria. The Agencies state that they may give higher consideration to activities aimed at assisting the low- and moderate-income affected areas but that general consideration will be given regardless of median or personal income.
OCC highlights supervisory priorities in fall 2017 semiannual risk report
On January 18, the OCC announced the release of its Semiannual Risk Perspective for Fall 2017, identifying key risk areas for national banks and federal savings associations. Top supervisory priorities will focus on credit, operational, and compliance risk. As previously discussed in the spring 2017 semiannual report, compliance risk continues to be an ongoing concern, particularly as banks continue to adopt new technologies to help them comply with anti-money laundering rules and the Bank Secrecy Act (BSA), in addition to addressing increased cybersecurity challenges and new consumer protection laws. (See previous InfoBytes coverage here.) The OCC commented that these types of risks can be mitigated by banks with “appropriate due diligence and ongoing oversight.”
Specific areas of particular concern include the following:
- easing of commercial credit underwriting practices;
- increasing complexity and severity of cybersecurity threats, including phishing scams that are the primary method of breaching bank data systems;
- using limited third-party service providers for critical operations, which can create “concentrated points of failure resulting in systemic risk to the financial services sector”;
- compliance challenges under the BSA; and
- challenges in risk management involving consumer compliance regulations.
The report also raises concerns about new requirements under the Military Lending Act along with pending changes to data collection under the Home Mortgage Disclosure Act, which could pose compliance challenges. It further discusses a new standard taking effect in 2020 for measuring expected credit losses, which “may pose operational and strategic risk to some banks when measuring and assessing the collectability of financial assets.”
The data relied on in the report was effective as of June 30, 2017.
CFPB plans to reconsider payday rule
On January 16, the CFPB announced plans to reconsider its final rule addressing payday loans, vehicle titles loans, and certain other extensions of credit (previously covered in a Buckley Sandler Special Alert) by engaging in a rulemaking process. While the announcement was made on the effective date of the final rule, most provisions do not require compliance until August 19, 2019. However, the deadline for submitting a preliminary approval to become a registered information system is April 16, 2018. The Bureau noted that it will consider waiver requests from potential applicants.
Notably, this marks the second recent announcement in which the agency refers to itself as “the Bureau of Consumer Financial Protection,” instead of the more-commonly used “Consumer Financial Protection Bureau.” Both titles are used in the text of the Dodd-Frank Act, though the sections of the Dodd-Frank Act authorizing creation of the CFPB used the “Bureau of Consumer Financial Protection” naming convention. The agency also previously updated its mission statement located at the bottom of each release.
For more InfoBytes coverage on the latest CFPB changes, click here.
Agencies adjust civil penalties for inflation
On January 12, the CFPB published a final rule adjusting upward the maximum amount of each civil penalty within their jurisdictions, as required by the Inflation Adjustment Act. As explained in the rule, the new maximum penalty amounts for 2018 are calculated by multiplying the corresponding 2017 penalty by a “cost-of-living adjustment” multiplier—which for 2018 has been set by the OMB at 1.02041—and then rounding to the nearest dollar. The new penalty amounts apply to civil penalties assessed after January 15, 2018.
In addition, the FDIC, the OCC, and the Federal Reserve recently issued similar Civil Penalty Inflation Adjustment notices.
Federal Reserve Publishes Stress Test, CCAR FAQs
On January 8, the Federal Reserve Board (Fed) published an updated set of questions and answers to assist financial institutions in complying with the Dodd-Frank Act-mandated stress tests (DFAST) and Comprehensive Capital Analysis and Review (CCAR). According to the Fed, the FAQs are designed to provide answers concerning DFAST and CCAR reporting requirements and related guidance, and generally cover applicable questions that have been asked by covered financial institutions since August 1, 2017. The Fed instructs financial institutions that CCAR projections should only reflect new accounting standards if the standards were implemented prior to December 31 of the previous calendar year. For material business changes occurring in the fourth quarter of a year, financial institutions should discuss any changes that may materially impact the institution’s capital adequacy and funding profile in their CCAR filings. The Fed will review the information when making modelling projections and may request additional information. The Fed also explains the circumstances in which a bank is required to issue replacement capital to stay in compliance with its capital plan.
Agencies finalize plans to further streamline Call Reports
On January 3, the Federal Reserve Board, FDIC, and OCC (agencies)—as members of the Federal Financial Institutions Examination Council (FFIEC)—announced finalized plans to reduce data reporting requirements and other regulatory requirements associated with the Consolidated Reports of Condition and Income (Call Reports) for financial institutions. According to the FFIEC, after reviewing comments related to the joint June 2017 proposal, the finalized changes will include:
- Reducing or remove the reporting frequency for approximately seven percent of the data items required on the Call Report for small institutions, effective June 30, 2018; and
- Revising Call Report schedules to align with the changes in accounting for equity securities, effective March 21, 2018.
The FFIEC noted that the agencies will not proceed with their June 2017 proposal to revise the instructions for determining past due status.
In addition to the June 2017 proposal, previous requests for proposed burden-reducing Call Report revisions were submitted by the agencies in August 2016 and November 2017 (see InfoBytes’ coverage of the August request here and the November request here).
Buckley Sandler Insights: Fed's LFI Risk Management Principles Open for Comments
On January 4, the Federal Reserve (Fed) issued for public comment proposed guidance setting forth core principles of effective risk management for Large Financial Institutions (“LFI”s) (“Risk Management proposal”). Given that it is increasingly likely that Congress will release financial institutions with assets below $250 billion from “SIFI” designation, the Fed’s guidance yesterday is a further effort to ensure that risk at LFIs will continue to be managed well even after many of them are no longer subject to other SIFI obligations. The proposal would apply to domestic bank holding companies and savings and loan holding companies with total consolidated assets of $50 billion or more; the U.S. operations of foreign banking organizations (“FBOs”) with combined U.S. assets of $50 billion or more; and any state member bank subsidiary of these institutions. The proposal would also apply to any systemically important nonbank financial company designated by the Financial Stability Oversight Council (“FSOC”) for Fed supervision. The proposed guidance clarifies the Fed’s supervisory expectations of these institutions’ core principals with respect to effective senior management; the management of business lines; and independent risk management (“IRM”) and controls.
The Risk Management proposal is part of the Fed’s broader initiative to develop a supervisory rating system and related guidance that would align its consolidated supervisory framework for LFIs. Last August, the Fed issued for public comment two related proposals: a new rating system for LFIs (“proposed LFI rating system”) and guidance addressing supervisory expectations for board directors (“Board Expectations proposal”). (See previous InfoBytes coverage on the proposals.) The proposed LFI rating system is designed to evaluate LFIs on whether they possess sufficient financial and operational strength and resilience to maintain safe and sound operations through a range of conditions. With regard to the Board Expectations proposal, the January 4 proposal establishes supervisory expectations relevant to the assessment of a firm’s governance and controls, which consists of three chief components: (i) effectiveness of a firm’s board of directors, (ii) management of business lines, independent risk management and controls, and (iii) recovery planning. This guidance sets forth the Fed’s expectations for LFIs with respect to the second component—the management of business lines and IRM and controls, and builds on previous supervisory guidance. In general, the proposal “is intended to consolidate and clarify the [Fed’s] existing supervisory expectations regarding risk management.”
The January 4 release delineates the roles and responsibilities for individuals and functions related to risk management. Accordingly, it is organized in three parts: (i) core principals of effective senior management; (ii) core principals of the management of business lines; and (iii) core principles of IRM and controls.
Senior Management
The Risk Management proposal defines senior management as “the core group of individuals directly accountable to the board of directors for the sound and prudent day-to-day management of the firm.” Two key responsibilities of senior management are overseeing the activities of the firm’s business lines and the firm’s IRM and system of internal control. The proposed guidance highlights the principle that: Senior management is responsible for managing the day-to-day operations of the firm and ensuring safety and soundness and compliance with internal policies and procedures, laws and regulations, including those related to consumer protection.
Management of Business Lines
The proposal refers to “business line management” as the core group of individuals responsible for prudent day-to-day management of a business line and accountable to senior management for that responsibility. For LFIs that are not subject to supervision by the Large Institution Supervision Coordinating Committee (“LISCC”) these expectations would apply to any business line where a significant control disruption, failure, or loss event could result in a material loss of revenue, profit, or franchise value, or result in significant consumer harm.
A firm’s business line management should:
- Execute business line activities consistent with the firm’s strategy and risk tolerance.
- Identify, measure, and manage the risks associated with the business activities under a broad range of conditions, incorporating input from IRM.
- Provide a business line with the resources and infrastructure sufficient to manage the business line’s activities in a safe and sound manner, and in compliance with applicable laws and regulations, including those related to consumer protection, as well as policies, procedures, and limits.
- Ensure that the internal control system is effective for the business line operations.
- Be held accountable, with business line staff, for operating within established policies and guidelines, and acting in accordance with applicable laws, regulations, and supervisory guidance, including those related to consumer protection.
Independent Risk Management and Controls
The Risk Management proposal describes core principles of a firm’s independent risk management function, system of internal control, and internal audit function. The guidance does not prescribe in detail the governance structure for a firm’s IRM and controls. While the guidance does not dictate specifics regarding governance structure, it does set forth requirements with respect to the roles of the Chief Risk Officer and Chief Audit Executive:
- The CRO should establish and maintain IRM that is appropriate for the size, complexity, and risk profile of the firm.
- The Chief Audit Executive should have clear roles and responsibilities to establish and maintain an internal audit function that is appropriate for the size, complexity and risk profile of the firm.
The proposal requires that a firm’s IRM function be sufficient to provide an objective, critical assessment of risks and evaluates whether a firm remains aligned with its stated risk tolerance. Specifically, a firm’s IRM function should:
- Evaluate whether the firm’s risk tolerance appropriately captures the firm’s material risks and confirm that the risk tolerance is consistent with the capacity of the risk management framework.
- Establish enterprise-wide risk limits consistent with the firm’s risk tolerance and monitor adherence to such limits.
- Identify and measure the firm’s risks.
- Aggregate risks and provide an independent assessment of the firm’s risk profile.
- Provide the board and senior management with risk reports that accurately and concisely convey relevant, material risk data and assessments in a timely manner.
With regard to internal controls, the proposed guidance builds upon the expectations described in the Fed’s Supervisory Letter 12-17. A firm should have a system of internal control to guide practices, provide appropriate checks and balances, and confirm quality of operations. In particular, the guidance states that a firm should:
- Identify its system of internal control and demonstrate that it is commensurate with the firm’s size, scope of operations, activities, risk profile, strategy, and risk tolerance, and consistent with all applicable laws and regulations, including those related to consumer protection.
- Regularly evaluate and test the effectiveness of internal controls, and monitor functioning of controls so that deficiencies are identified and communicated in a timely manner.
With respect to internal audit, the proposed guidance does not expand upon the Fed’s expectations; rather it references existing supervisory expectations. The proposed guidance highlights that a firm should adhere to the underlying principle that its internal audit function should examine, evaluate, and perform independent assessments of the firm’s risk management and internal control systems and report findings to senior management and the firm’s audit committee.
Comments on the Fed’s proposed guidance are due by March 15.
VA Clarifies Third-Party Verification Requirements
On December 29, the Department of Veterans Affairs (VA) issued Circular 26-17-43 to clarify its policy that lenders may use third-party vendors to verify borrower income, employment, and asset information subject to the following caveats: (i) lenders must retain full responsibility for verifying the accuracy of information provided in the borrower’s loan application; (ii) lenders must initiate and receive all verifications related to employment and deposits, credit report requests, and credit information; (iii) lenders must assume responsibility for the quality and accuracy of information provided to the VA collected from third-parties; (iv) lenders must disclose the third party vendor relationships on VA form 26-1820, Report and Certification of Loan Disbursement, and (v) lenders must not charge veterans for the cost of obtaining third-party verification of borrower income, employment, or asset information. Where a real estate broker/agent or any other party requests borrower income, employment, or asset information, lenders must (i) identify the parties as their agents, (ii) ensure that report(s) are returned directly to them, and (iii) ensure completion of the required certification on the loan application.
Buckley Sandler Insights: OMB releases updated and possibly outdated CFPB rulemaking agenda
OMB has released the CFPB’s Fall 2017 rulemaking agenda. Although this is the first update to the agenda since Richard Cordray left the agency in November 2017, delays in the publication of rulemaking agendas are common so the updated agenda may not reflect the views of new CFPB leadership. The updated agenda does not appear on the Bureau’s website. Further:
- HMDA & ECOA Amendments: The updated agenda states that the Bureau planned to determine by December 2018 whether to make permanent adjustments to the threshold for reporting open-end lines of credit. However, as discussed in greater detail here, the CFPB stated on December 21 that it intended to engage in a broader rulemaking to (i) re-examine the criteria determining whether institutions are required to report data; (ii) adjust the requirements related to reporting certain types of transactions; and (iii) re-evaluate the required reporting of additional information beyond the data points required by the Dodd-Frank Act.
- Prepaid Cards: The updated agenda states that the CFPB expected to finalize amendments to its rule on prepaid cards in November 2017, but no final amendments have been issued. Instead, on December 21, the CFPB announced its intent to adopt final amendments “soon after the new year” and stated that it expects to extend the April 1, 2018 effective date to allow more time for implementation.
- Debt Collection: The updated agenda states that the CFPB expects to issue a proposed rule in February 2018 “concerning FDCPA collectors’ communications practices and consumer disclosures.” However, on December 14, OMB announced that the CFPB had withdrawn its planned survey regarding debt collection disclosures because “Bureau leadership would like to reconsider the information collection in connection with its review of the ongoing related rulemaking.”
See previous InfoBytes coverage on the HMDA, Prepaid, and Debt Collection rulemaking updates.
Other noteworthy aspects of the updated agenda include:
- Regulation Reviews: The updated agenda reiterates the Bureau’s intent to review the regulations inherited from other agencies and “clarify ambiguities, address developments in the marketplace, and modernize or streamline regulatory provisions.” The updated agenda lists “pre-rule activities” as continuing through February 2018, rather than September 2017 under the prior agenda.
- “Larger Participants” in Installment Lending: Consistent with the prior agenda, the CFPB states that it is preparing a proposed rule to define the “larger participants” in the personal loan market (including consumer installment loans and vehicle title loans) that will be subject to Bureau examinations. The updated agenda also states that the Bureau is still considering “whether rules to require registration of these or other non-depository lenders would facilitate supervision, as has been suggested to the Bureau by both consumer advocates and industry groups.” However, while the prior agenda indicated that a proposal was expected in September 2017, the new agenda lists May 2018.
- Overdrafts: The updated agenda states only that the CFPB is “continuing to engage in additional research and consumer testing initiatives relating to the opt-in process” for overdraft protection and that “pre-rule activities” will continue through this month. Under the prior agenda, pre-rule activities were scheduled to continue through June 2017.
- Small Business Lending: The agenda indicates that the long-delayed implementation of the small business data reporting provisions of the Dodd-Frank Act will be delayed even longer. The last agenda listed “pre-rule activities” as continuing through June 2017, stating that the CFPB “is focusing on outreach and research to develop its understanding of the players, products, and practices in the small business lending market and of the potential ways to implement section 1071.” The new agenda states that these activities will continue until May 2018, after which the Bureau “expects to begin developing proposed regulations concerning the data to be collected, potential ways to minimize burdens on lenders, and appropriate procedures and privacy protections needed for information-gathering and public disclosure.”
- TRID/Know Before You Owe Amendments: The updated agenda lists April 2018 as the expected release date for finalization of the July 2017 proposed rule addressing the “black hole” issue, which is discussed in a Buckley Sandler Special Alert. The prior agenda listed March 2018.
- Mortgage Servicing Amendments: In October 2017, the CFPB issued proposed amendments to the mortgage periodic statement requirements to further address circumstances in which servicers transition between modified and unmodified statements in connection with a consumer’s bankruptcy case. The updated agenda does not provide an expected release date for final amendments.
- Credit Card Agreement Submission: The agenda continues to state that the Bureau is considering rules to modernize its database of credit card agreements to reduce the submission burden on issuers and to make the database more useful for consumers and the general public. The agenda lists “pre-rule activities” as continuing through February 2018. Under the prior agenda, pre-rule activities were scheduled to continue through October 2017.