InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB releases draft strategic plan for FY 2022-26
On December 2, the CFPB released for public feedback its draft strategic plan for fiscal years 2022-2026, which outlines and communicates its mission, strategic goals, and objectives for the next five years.
External Factors Impacting the Bureau’s Strategic Goals and Objectives:
The Bureau identified four key external factors that may affect its strategic goals and objectives: (i) the continued effect of the Covid-19 pandemic on regulated markets; (ii) the increase of data security threats and resulting consumer harm as the role of data and technology in the consumer financial system continues to grow; (iii) rapid developments in the consumer financial marketplace technology; and (iv) executive, legislative, judicial, and state actions, including actions by other financial regulators, which may impact the financial regulatory environment and, in turn, the Bureau’s policy strategies.
Cross-Bureau Priorities:
With its “cross-functional, cross-Bureau approach,” the CFPB intends to address a number of outcomes for households and communities, “many of which reference the concept of equity.” To achieve the outcomes below, the Bureau will “embed a racial equity lens and focus [its] attention on these communities, recognizing that work to protect and empower underserved people benefits all people.”
- Equitable recovery from the COVID-19 pandemic: Continuing monitoring of pandemic recovery, with a focus on minority and traditionally underserved communities, including rising housing insecurity.
- Equitable access to and engagement with consumer finance infrastructure: Addressing obstacles that restrict access to credit or push consumers to higher cost products, in addition to “promoting transformation of financial marketplaces to serve all people.”
- Equitable wealth creation from home and small business ownership: Promoting equitable wealth creation in housing and small business markets, with a focus on minority and underserved communities. Specifically, the Bureau notes that (i) home ownership as a “key building block of wealth,” has become out of reach for young people and underserved communities due to record high home prices and tightened credit underwriting during the pandemic; and (ii) small businesses, especially women- and minority-owned, have faced more serve economic consequences from the pandemic.
- Fair, transparent, and competitive markets for consumer financial products and services: Promoting competition for the benefit of consumers and businesses, where “[t]he personal touch previously provided by local financial institutions has, in many instances, been replaced with institutions that take advantage of consumers without concern for their well-being.” The Bureau identified weakened competition in many markets as a contributing factor in the widening of racial, income, and wealth inequality, and noted that consolidations over the last several decades have “denied consumers the benefits of an open economy.”
- Privacy, access, and fairness in a new data-driven economy: Prioritizing its work to ensure consumer privacy and security remains at the forefront of the evolving data economy. The Bureau expressed specific concern with how consumer financial account data is accessed, transmitted, and stored, in addition to the potential racial equity impact from the increased use of algorithms in the decision-making process.
The Strategic Goals:
The Bureau identified four strategic goals, which are articulated by specific function within the agency:
- “Implement and enforce the law to ensure consumers have access to fair, transparent, and competitive markets that serve consumers’ needs and protect consumers from unfair, deceptive, and abusive practices, and from discrimination.” Objectives include issuing rules and guidance, supervising institutions, and enforcing federal consumer financial laws.
- “Empower consumers to live better financial lives, focusing on traditionally underserved people.” Objectives include engaging with consumers, creating and offering educational resources, handling complaints, and expanding relationships with stakeholders and government partners.
- “Inform public policy with data-driven analysis on consumers’ experiences with financial institutions, products, and services.” Objectives include monitoring markets and producing research reports.
- “Foster operational excellence and further commitment to workforce equity to advance the CFPB’s mission.” Objectives include cultivating a workforce aligned with the Bureau’s mission, implementing a forward-leaning workplace model, and utilizing innovative and optimized operational support.
The Bureau is requesting comments by January 3, 2022.
Agencies discuss crypto-asset next steps
On November 23, the FDIC, OCC, and Federal Reserve Board issued a joint statement summarizing a recent series of interagency “policy sprints” focused on crypto-assets. During the policy sprints, the agencies conducted preliminary analysis on issues related to banking organizations’ potential involvement in crypto-asset-related activities, and identified and assessed key risks related to safety and soundness, consumer protection and compliance. The agencies also, among other things, analyzed the applicability of existing regulations and guidance on this space and identified several areas where additional public clarity is needed. Throughout 2022, the agencies intend to provide greater clarity on whether certain crypto-asset-related activities conducted by banking organizations are legally permissible. The agencies also plan to expand upon their safety and soundness expectations related to: (i) crypto-asset safekeeping and traditional custody services; (ii) ancillary custody services; (iii) facilitation of customer purchases and the sale of crypto-assets; (iv) loans collateralized by crypto-assets; (v) issuance and distribution of “stablecoins”; and (vi) activities involving a bank’s holding of crypto-assets on its balance sheet. The joint statement, which does not alter any current regulations, also states that the agencies plan to “evaluate the application of bank capital and liquidity standards to crypto-assets for activities involving U.S. banking organizations” and that the agencies will continue to monitor developments in this space as the market evolves.
OCC reminds banks of venture capital prohibitions
On November 23, the OCC sent banks a reminder that they are generally prohibited from making most equity investments in venture capital funds. The bulletin warned that simply because an investment in a fund qualifies for the venture capital fund exclusion under the Volcker Rule, it does not mean the fund is a permissible investment for a national bank, federal savings association, or federal branch and agency of a foreign bank. Prior to investing in a venture capital fund, banks must make a determination as to whether the investment is permissible and appropriate for the bank. The OCC reminded banks that engaging in impermissible and inappropriate investments may expose a bank and its institution-affiliated parties to enforcement actions and civil money penalties. Additionally, national bank directors may be held personally liable for losses attributed to impermissible investments. The OCC noted, however, that equity investments in venture capital funds may be allowed provided they are public welfare investments or investments in small business investment companies.
FDIC updates brokered deposit FAQs
On November 22, the FDIC released an update to the Questions and Answers Related to the Brokered Deposits Rule. The FDIC clarified in a new FAQ in conjunction with the updated Brokered Deposit framework that, with respect to the “facilitation” definition’s first prong, a “third party that has legal authority, contractual or otherwise, to direct another entity (e.g., custodial agent) to move a depositor’s funds or close a depositor’s account would meet the first prong of the ‘facilitation’ definition.” The FAQ specified, however, that such third parties would not meet this first prong if the third party directs another entity to move depositor funds or close a depositor’s account “based only upon either instructions or an approval received from the depositor for each occurrence and specific to each deposit account.” The FAQ further noted that third parties recommending the placement of funds in a particular deposit account may meet the second and/or third prong of the “facilitation” definition depending on various facts and circumstances.
CFPB issues FDCPA reminder on text messaging
On November 18, the CFPB issued a reminder that “debt collectors who adopt and follow certain procedures can obtain a bona fide error defense from civil liability for unintentional violations of the prohibition against third-party communications when communicating by email or text message,” as determined by the Bureau’s debt collection rule. As previously covered by InfoBytes, in October 2020 the CFPB issued its final rule amending Regulation F, which implements the FDCPA, addressing debt collection communications and prohibitions on harassment or abuse, false or misleading representations, and unfair practices. The reminder emphasizes that for text message communications, a provision in the rule includes utilizing a “complete and accurate database” to ensure that a consumer’s telephone number has not been re-assigned. Additionally, the reminder notes that the rule’s commentary identifies the FCC’s Reassigned Numbers Database as a “complete and accurate database,” which the FCC has published.
New rule gives banks 36 hours to disclose cybersecurity incidents
On November 18, the FDIC, Federal Reserve Board, and the OCC issued a final rule intended to enhance information sharing about cyber incidents that may affect the U.S. banking system. The final rule, among other things, requires a banking organization to timely notify its primary federal regulator in the event of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place. The final rule notes that notification is required for incidents that have affected, in certain circumstances: (i) the viability of a banking organization’s operations; (ii) its ability to deliver banking products and services; or (iii) the stability of the financial sector. Additionally, the final rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially dispute or degrade, a banking organization’s customers for four or more hours. The final rule further provides that the notification requirement for bank service providers is important since “banking organizations have become increasingly reliant on third parties to provide essential services,” which may also experience computer-security incidents that could affect the support services they provide to banking organization customers, along with other significant impacts. The rule is effective April 1, 2022, and banking organizations are expected to comply with the final rule by May 1, 2022.
CFPB seeks input on HMDA
On November 16, the CFPB issued a notice and request for comments regarding the rules for implementing the Home Mortgage Disclosure Act (HMDA). The Request for Information (RFI) solicits public comments on its plans to assess the effectiveness of the HMDA Rule, focusing on, among other things: (i) institutional and transactional coverage; (ii) data points; (iii) benefits of the new data and disclosure requirements; and (iv) operational and compliance costs. According to the CFPB, the RFI follows a 2021 HMDA report, which found that mortgage lenders deny credit and charge higher interest rates to Black and Hispanic applicants more often than white applicants, and a July 2021 report that analyzed 2020 HMDA loan data and examined the differences in mortgage characteristics across Asian American and Pacific Islander subgroups. (Covered previously by InfoBytes here and here.) Additionally, the RFI notes that the Bureau expects to issue a report on the findings of its assessment of the HMDA Rule by January 1, 2023. The Bureau also notes that it “plans to review recent changes to the rule and evaluate their effectiveness,” and that the assessment “will strengthen the CFPB’s ability to maintain a fair, competitive, and non-discriminatory mortgage market.” The deadline for submitting comments on the RFI is 60 days after the notice is published in the Federal Register.
Dept. of Defense announces version 2.0 of cybersecurity maturity model certification program
On November 4, the Department of Defense (DoD) announced the completion of an internal assessment of its Cybersecurity Maturity Model Certification (CMMC) program and enhancements to that program. While CMMC 2.0 remains focused on safeguarding sensitive national security information, it updates CMMC 1.0 (see DoD guidance here) by streamlining compliance rules, strengthening cyber protection standards for companies operating in the defense industrial base, and encouraging a collaborative culture of cybersecurity and cyber resilience. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements,” Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, stated. Among other things, CMMC 2.0: (i) simplifies CMMC standards and provides further clarity on cybersecurity regulatory, policy, and contracting requirements; (ii) focuses the most advanced cybersecurity standards and third-party assessment requirements on companies that support the highest priority programs; and (iii) “increase[es] DoD oversight of professional and ethical standards in the assessment ecosystem.” Changes reflected in CMMC 2.0 will be implemented through future rulemaking, and companies are not required to comply with CMMC requirements until the forthcoming rules take effect. DoD will also suspend a current CMMC pilot program and “will not approve inclusion of a CMMC requirement in any DoD solicitation” during this period.
SEC approves PCAOB Rule under the Holding Foreign Companies Accountable Act
On November 5, the SEC announced it approved the Public Company Accounting Oversight Board’s (PCAOB) Rule 6100, Board Determinations Under the Holding Foreign Companies Accountable Act, which establishes a framework for the PCAOB’s determinations under that act “that the PCAOB is unable to inspect or investigate completely registered public accounting firms located in a foreign jurisdiction because of a position taken by an authority in that jurisdiction.” According to the Commission order, PCAOB Rule 6100 establishes, among other things: (i) the factors the PCAOB will evaluate and the information the PCAOB will consider when assessing if a determination is warranted; (ii) the form, public availability, effective date, and duration of such determinations; and (iii) the process by which the board will reaffirm, modify, or vacate any such determinations. According to a statement released by SEC Chair Gary Gensler, the rule is an “important step to protect U.S. investors,“ and it is “critical that the Commission and the PCAOB work together to ensure that the auditors of foreign companies accessing U.S. capital markets play by the same rules.”
Agencies adopt standardized approach for counterparty credit risk Call Report
On November 9, the FDIC, Federal Reserve Board, and the OCC announced the publication of final regulatory reporting changes in the Federal Register applicable to three versions of the Call Report (FFIEC 031, FFIEC 041, and FFIEC 051). In July, the agencies proposed to revise and extend the Call Report for three years, and requested public comments on proposed changes to clarify instructions for reporting of deferred tax assets (DTAs) and to add a new item related to the standardized approach for counterparty credit risk (SA–CCR). (See FIL-53-2021.) Following the comment period, the agencies are proceeding with the proposed SA-CCR-related reporting change to the Call Report, which will take effect with the December 31, 2021 report date, subject to approval by the Office of Management and Budget. However, proposed instruction revisions related to DTAs are not final as the agencies continue to consider comments received on the proposed rule on tax allocation agreements. (See FIL-29-2021.) Supervised financial institutions are encouraged to review the proposed regulatory change. Redline copies of the Call Report and related draft reporting instructions are available on the FFIEC’s webpage here.