On July 25, the OCC announced the issuance of a fully revised “Corporate and Risk Governance” booklet for the Comptroller’s Handbook, as well as limited updates to the “Internal and External Audits” booklet for examiners completing core assessments affected by audit functions. Among other things, the revised “Corporate and Risk Governance” booklet is intended to provide examiners with a summary of corporate and risk governance, related risks, the board’s role and responsibilities in corporate and risk governance, strategic planning, and examination procedures. The revised booklet identifies the following as the primary risk categories associated with corporate and risk governance: (i) strategic; (ii) reputation; (iii) compliance; and (iv) operational. Updates to both booklets incorporate references to relevant OCC issuances and auditing standards published since the booklets were last issued, reflect the integration of federal savings associations into certain regulations, and make clarifying edits regarding supervisory guidance, sound risk management practices, legal language, and the roles of the bank’s board and management.
On July 23, HUD issued Mortgagee Letter 2019-10, announcing the official suspension of the effective date of the agency’s April guidance (Mortgagee Letter 2019-06), which changed the downpayment assistance (DPA) guidelines. The suspension comes just a week after the U.S. District Court for the District of Utah granted an American Indian band and its mortgage company (collectively, “plaintiffs”) a preliminary injunction halting the enforcement of the April changes, and ordering that HUD “shall not deny insurance nor cause insurance to be denied based on non-compliance with Mortgagee Letter 19-06 and shall provide public notice that the effective date of Mortgagee Letter 19-06 is suspended until after a final determination on the merits of the case.” Buckley is co-counsel in the pending litigation.
The suspended guidance, Mortgagee Letter 2019-06 (Mortgagee Letter), issued on April 18, imposed new documentation requirements purportedly aimed at confirming that Governmental Entities operate their DPA programs within the scope of their governmental capacity when providing any portion of a borrower’s Minimum Required Investment (MRI). The letter updated Handbook 4000.1 to specify that when any portion of a borrower’s MRI comes from a Governmental Entity, a mortgagee must obtain the following documentation: (i) proof that the Governmental Entity has authority to operate in the jurisdiction where the property is located; (ii) a legal opinion from the Governmental Entity’s attorneys, signed and dated within two years of closing, establishing the Governmental Entity’s authority to operate in the jurisdiction where the property is located, which in the case of a federally recognized Indian Tribe means the entity is operating on tribal land in which the property is located, or offering DPA to enrolled members of the tribe; and (iii) evidence that the Governmental Entity is providing DPA and is doing so in its governmental capacity. The Mortgagee Letter went on to require documentation indicating that the provision of DPA is not contingent upon the future transfer of the insured mortgage to a specific entity.
The plaintiffs filed suit against HUD on April 22 arguing that the Mortgagee Letter was unlawful and discriminatory, and unfairly targeted American Indian tribes by “requiring them, for the first time, to confine their DPA programs to the geographic boundaries of their reservations and to enrolled members of the tribes, literally driving them out of the national marketplace and back onto the reservation.” Additionally, the complaint argued that HUD failed to execute these changes in accordance with the protections of the Administrative Procedure Act (APA) by providing a notice and comment period, instead purporting the Mortgagee Letter to be an “informal ‘guidance’ document that merely ‘clarifies’ existing law.” The decision to grant the preliminary injunction was announced by the court at the conclusion of a July 16 hearing. In the written order released the following week, the court concluded that the plaintiffs were likely to succeed on claims that the agency violated the APA because the Mortgagee Letter was actually a legislative rule with the force and effect of the law, not merely an interpretive rule. Moreover, the court rejected HUD’s argument that the Mortgagee Letter merely reiterates jurisdictional limitations that were already present, and stated the plaintiffs sufficiently demonstrated irreparable harm caused by the new jurisdictional limitations in the Mortgagee Letter.
On July 23, the OCC issued Bulletin 2019-36 reminding banks to follow safety and soundness standards and guidelines when using asset dissipation underwriting (ADU)—also known as “asset depletion underwriting or asset amortization underwriting”—to originate mortgage loans. Specifically, the OCC states banks should develop and implement policies and processes for ADU in a manner consistent with existing regulatory real estate and mortgage lending standards and guidelines. Banks should also align ADU activities with their overall business plans and strategies, including “working with consumers who have a capacity to repay a mortgage loan even though they do not meet traditional income-based underwriting repayment standards.” The OCC additionally expects bank management to “develop and maintain risk governance processes that are commensurate with the credit risk of ADU, particularly if the offering constitutes a deviation from the bank’s existing mortgage lending business activities.” With regard to Fannie Mae and Freddie Mac loans, the OCC states that lenders may use ADU to underwrite mortgage loans based on certain assets, including employment-related retirement assets, for applicants who are near retirement.
On July 22, the Federal Reserve Board, FDIC, NCUA, and the OCC along with the Financial Crimes Enforcement Network (FinCEN), released a joint statement to improve transparency of their risk-focused approach to Bank Secrecy Act/anti-money laundering (BSA/AML) supervision. The statement outlines common practices for assessing a bank’s risk profile, including (i) leveraging available information, including internal BSA/AML risk assessments, independent audits, and results from previous examinations; (ii) contacting banks between examinations or before finalizing the scope of an examination; and (iii) considering the bank’s ability to identify, measure, monitor, and control risks. Examiners will use the information from the risk assessments to scope and plan the examination, as well as to evaluate the adequacy of the bank’s BSA/AML compliance program. The statement notes that the extent of examination activities needed to evaluate a bank’s BSA/AML compliance program, “generally depends on a bank’s risk profile and the quality of its risk management processes.”
On July 17, the FTC released a notice seeking comment on a wide range of issues related to the Children’s Online Privacy Protection Rule (COPPA Rule). The FTC last amended COPPA in 2013, and while the FTC usually reviews its rules every 10 years, the FTC notes that “[r]apid changes in technology, including the expanded use of education technology, reinforce the need to re-examine the COPPA Rule at this time.” The notice seeks comment on all major provisions of the COPPA Rule, including definitions, notice and parental consent requirements, exceptions to verifiable parental consent, and the safe harbor provision. Additionally, the notice seeks responses to specific questions, including (i) has the Rule affected the availability of websites or online services directed to children?; (ii) does the Rule correctly articulate the factors to consider in determining whether a website or online service is directed to children, or should additional factors be considered?; and (iii) what are the implications for COPPA enforcement raised by technologies such as interactive television, interactive gaming, or other similar interactive media? Comments must be received within 90 days after publication in the Federal Register.
On July 17, the FDIC, the Federal Reserve Board, and the OCC (collectively, the “agencies”) announced that they will not take action against foreign banks for qualifying foreign excluded funds, subject to certain conditions, under the Volcker Rule for an additional two years. The announcement notes that the agencies consulted with the SEC and the CFTC on the decision. Since 2017, the agencies have deferred action on qualifying foreign funds that might be covered under the Volcker Rule (covered by InfoBytes here and here). In a joint statement, the agencies note that they have not finalized revisions to regulations implementing Section 13 of the Bank Holding Company Act, and in order to “provide interested parties greater certainty about the treatment of qualifying foreign excluded funds in the near term,” the agencies are proposing not to take action through July 21, 2021.
On July 16, the FDIC approved a proposal revising certain provisions of the Securitization Safe Harbor Rule (rule). The current rule mandates that documents governing a securitization must disclose information regarding the securitized financial assets on a financial asset or pool level and on a security level that, at minimum, complies with Regulation AB, whether or not the transaction is an issuance covered by the regulation. The proposal would eliminate the requirement that securitization documents comply with Regulation AB, where Regulation AB by its terms would not apply to the issuing transaction. According to a statement by Chairwoman Jelena McWilliams, the proposal “would remove one potential obstacle that [insured depository institutions] face in providing mortgage credit to homeowners.” FDIC Director Gruenberg dissented from the approval of the proposal.
Comments on the proposal will be due within 60 days after publication of the proposal in the Federal Register.
On July 16, the FDIC approved amendments to two final rules designed to resolve issues related to deposit insurance regulations. As previously covered by InfoBytes, the first of the final rules amends Part 370 of the FDIC’s Rules and Regulations for “Recordkeeping for Timely Deposit Insurance Determination,” to address issues raised during implementation of the final rule adopted in November 2016 (covered by InfoBytes here). Among other things, the amendments to Part 370 require banks with at least two million deposit accounts to upgrade deposit recordkeeping to allow the FDIC to determine the necessary deposit insurance coverage. The rule also allows for an optional one-year extension of the rule’s compliance date of April 1, 2020, provided prior notice is given to the FDIC. The final rule is effective October 1. FDIC Director Gruenberg dissented from the final rule’s approval.
The second final rule amends Part 330—applicable to banks of all sizes—to update the requirements for verifying participants in joint deposit accounts. Part 330 provides alternatives to the traditional signature card, and will allow satisfaction of proof of joint-ownership to be established by other information contained in a bank’s deposit account records and not solely by signed signature cards of each co-owner. The final rule takes effect 30 days after publication in the Federal Register.
On July 16, the Financial Crimes Enforcement Network (FinCEN) discussed efforts designed to restrict and impede Business Email Compromise (BEC) scammers and other illicit actors who profit from email compromise fraud schemes. BEC schemes, FinCEN reports, generally involve “criminal attempts to compromise the email accounts of victims to send fraudulent payment instructions to financial institutions or business associates in order to misappropriate funds or to assist in financial fraud.” An updated advisory provides current operational definitions and general trends in BEC schemes, information concerning the targeting of non-business entities and data by these types of schemes, and risks associated with the targeting of vulnerable business processes. The advisory also discusses opportunities for information sharing between financial institutions concerning subjects and accounts affiliated with BEC schemes in the interest of identifying risks of fraudulent transactions and money laundering. An in-depth strategic Financial Trend Analysis of Bank Secrecy Act (BSA) data explores industries targeted by BEC scammers as well as employed methodologies, and highlights BSA information collected by regulated financial institutions. Suspicious activity report highlights reveal a near tripling of attempted BEC thefts—from $110 million per month in 2016 to $301 million per month in 2018 on average. FinCEN’s release also discusses its Rapid Response Program as well as international information sharing initiatives addressing BEC schemes and associated fraudulently-induced transactions.
On July 11, the Financial Industry Regulatory Authority (FINRA) issued Regulatory Notice 19-23, which provides clarifying guidance on enforcement credit for firms or individuals that provide “extraordinary cooperation” in investigations that exceed FINRA’s rule requirements. Specifically, FINRA defines “extraordinary cooperation” as including (i) self-reporting violations prior to regulator detection and intervention; (ii) taking voluntary, extraordinary steps to correct problems; (iii) making voluntary remediation to customers prior to detection; and (iv) providing a substantial amount of assistance to FINRA’s investigation. The notice, which supplements prior guidance issued in 2008, also clarifies the difference between required cooperation and extraordinary efforts, and outlines the types of credit firms or individuals may receive.
- Benjamin W. Hutten to discuss "Requirements for banking inherently high-risk relationships" at the Georgia Bankers Association BSA Experience Program
- Benjamin W. Hutten to discuss "BSA program reporting, management and board of directors responsibilities" at the Georgia Bankers Association BSA Experience Program
- Hank Asbill to discuss "Ethical guidance in conducting internal investigations – The intersection of Yates and Upjohn" at the American Bar Association Southeastern White Collar Crime Institute
- H Joshua Kotin to discuss "Recent developments in fair lending and avoiding the pitfalls" at the Arkansas Community Bankers/Bankers Assurance 2019 Compliance Conference
- Brandy A. Hood to discuss "RESPA Section 8/referrals: How do you stay compliant?" at the New England Mortgage Bankers Conference
- Daniel P. Stipano to discuss "Risk management in enforcement actions: Managing risk or micromanaging it" at the American Bar Association Business Law Section Annual Meeting
- Valerie L. Hletko to discuss "Banking on guns ‘n drugs: Social policy meets financial services" at the American Bar Association Business Law Section Annual Meeting
- Daniel P. Stipano to discuss "Navigating the conflicting federal and state laws for doing business with cannabis companies" at the American Bar Association Business Law Section Annual Meeting
- Tim Lange to discuss "Services and value" at the North American Collection Agency Regulatory Association Annual Conference
- Katherine L. Halliday to discuss "UDAP, UDAAP & the Map rule compliance basics" at the Mortgage Bankers Association Regulatory Compliance Conference
- Brandy A. Hood to discuss "How to ace your TRID exam" at the Mortgage Bankers Association Regulatory Compliance Conference
- Amanda R. Lawrence to discuss "Data privacy litigation" at the Mortgage Bankers Association Regulatory Compliance Conference
- Melissa Klimkiewicz to discuss "Navigating FHA rules and regs" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jeffrey P. Naimon to discuss "Washington regulatory overview" at the Mortgage Bankers Association Regulatory Compliance Conference
- Jonice Gray Tucker to discuss "HMDA data is out, now what?" at the Mortgage Bankers Association Regulatory Compliance Conference
- Daniel P. Stipano to discuss "Assessing the CDD final rule: A year of transitions" at the ACAMS AML & Financial Crime Conference
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions and CMPs" at the ACAMS AML & Financial Crime Conference
- Kathryn L. Ryan to discuss "The state’s role in fintech: Providing an industry framework for innovation" at Lend360
- Jeffrey P. Naimon to discuss "Truth in lending" at the American Bar Association National Institute on Consumer Financial Services Basics
- Daniel P. Stipano to discuss "Lessons learned from recent enforcement actions" at the Institute of International Bankers Risk Management and Regulatory Examination/Compliance Seminar
- Jonice Gray Tucker to discuss "Fintech regulatory developments, crypto-assets, blockchain and digital banking, and consumer issues" at the Practising Law Institute Banking Law Institute
- Amanda R. Lawrence to discuss "How to balance a successful (and stressful) career with greater personal well-being" at the American Bar Association Women in Litigation Joint CLE Conference