InfoBytes Blog

Financial Services Law Insights and Observations

  • SEC letter illustrates climate-change disclosures

    Agency Rule-Making & Guidance

    Recently, the SEC’s Division of Corporation Finance issued guidance to companies that may be required to include information concerning climate change risks and opportunities in “disclosures related to a company’s description of business, legal proceedings, risk factors, and management’s discussion and analysis of financial condition and results of operations.” Such disclosures, as discussed in the SEC’s 2010 Climate Change Guidance, address the following: (i) the effect of pending or existing legislation, regulations, and international agreements related to climate change; (ii) the indirect impact of regulations or the direction of business trends; and (iii) the physical effects of climate change. An illustrative letter provided by the Division outlines “sample comments that the Division may issue to companies regarding their climate-related disclosure or the absence of such disclosure.” The Division clarified that the letter does not provide an exhaustive list of issues that companies should consider, and that any comments issued “would be appropriately tailored to the specific company and industry, and would take into consideration the disclosure that a company has provided in Commission filings.”

    Agency Rule-Making & Guidance SEC Climate-Related Financial Risks Disclosures

  • Democratic senators ask FTC to reconsider privacy rulemaking

    Federal Issues

    On September 20, nine Democratic Senators sent a letter to FTC Chair Lina M. Khan requesting that the FTC draft new rules that better protect consumers’ personal data and privacy. The Senators argued that ongoing data breaches and privacy violations have “shown the limits of the FTC's general prohibition on unfair and deceptive practices.” Among other things, the Senators urged the agency to consider a rulemaking process that has “strong protections for the data of members of marginalized communities, prohibitions on certain practices (such as the exploitative targeting of children and teens), opt-in consent rules on use of personal data, and global opt-out standards.” The Senators also pointed out that the FTC has substantial expertise in the legal process regarding enforcement and privacy authorities, such as those under the Children’s Online Privacy Protection Act and the Fair Credit Reporting Act. Therefore, a rulemaking initiative led by the FTC would advance congressional efforts in developing federal privacy legislation through “research, public comment record, and dialogue.”

    Federal Issues FTC Agency Rule-Making & Guidance Privacy/Cyber Risk & Data Security U.S. Senate

  • OCC updates earnings and regulatory Comptroller’s Handbook

    Agency Rule-Making & Guidance

    On September 22, the OCC issued Bulletin 2021-44 announcing versions 1.0 of the “Earnings” and “Regulatory Reporting” booklets of the Comptroller’s Handbook. The new booklets apply to national banks, federal savings associations, and federal branches and agencies of foreign banking organizations, as well as the OCC’s supervision of community banks. The revised “Earnings” booklet rescinds the “Analytical Review of Income and Expense” booklet issued in March 1990 (with examination procedures issued in March 1998). The revised “Regulatory Reporting” booklet rescinds the “Review of Regulatory Reports” booklet, which was also issued in March 1990. The “Earnings” booklet, among other things, “supplements the earnings core assessments and provides examiners with expanded procedures to use when reviewing earnings for a specific line of business or the bank as a whole.” The “Regulatory Reporting” booklet, among other things: (i) pertains to call reports and similar financial reports but not, for instance, annual reports or those concerning nonfinancial activities; (ii) highlights sound risk management principles regarding regulatory reporting; and (iii) provides examiners procedures regarding assessing activities for a bank’s regulatory reporting. Although the rating system for federal branches does not include an earnings rating, examiners perform an earnings review, tailored to the activities of the federal branch, and, as such, the “Earnings” booklet is helpful guidance.

    Agency Rule-Making & Guidance OCC Examination Comptroller's Handbook Bank Regulatory

  • CFPB requests comments on credit card data collections

    Agency Rule-Making & Guidance

    On September 21, the CFPB published a notice and request for comments in the Federal Register seeking input on revisions to an existing, currently approved information collection, related to reporting terms of credit card plans and consumer and college credit card agreements. The notice relates to credit card data collected by the Bureau as required under TILA regarding agreements between issuers and consumers under a credit card account for open-end consumer credit plans, as well as “any college credit card agreements to which the issuer is a party and certain additional information regarding those agreements.” The data collections will enable the Bureau to provide “a centralized and searchable repository for consumer and college credit card agreements and information regarding the arrangements between financial institutions and institutions of higher education.” Comments must be received by October 21.

    Agency Rule-Making & Guidance CFPB Credit Cards TILA

  • CFPB addresses IT examinations in updated Supervision and Examination Manual

    Agency Rule-Making & Guidance

    Recently, the CFPB updated its Supervision and Examination Manual to include a new section, Compliance Management Review – Information Technology, to assist examiners when assessing the IT controls of an institution and its service providers as part of a compliance management systems (CMS) review. All institutions under the Bureau’s supervision and enforcement authority are required to have a CMS adapted to their business strategy and operations. Among other things, the new CMS-IT examination manual outlines the following five modules: (i) Module 1: Board and Management Oversight; (ii) Module 2: Compliance Program; (iii) Module 3: Service Provider Oversight; (iv) Module 4: Violations of Law and Consumer Harm; and (v) Module 5: Examiner Conclusions and Wrap-Up. Each module addresses the examination objectives of the relevant policies and procedures, including those related to the oversight and commitment to an institution’s CMS, change management, risk management, self-identification and corrective action, and consumer complaint responses. The modules also discuss appropriate training, monitoring, and auditing of the various stages of an effective CMS program.

    Agency Rule-Making & Guidance CFPB Supervision Examination IT

  • OCC’s Hsu discusses priorities for safeguarding trust in banking

    Federal Issues

    On September 15, acting Comptroller of the Currency Michael J. Hsu spoke before the Exchequer Club to discuss several agency priorities relating to reducing inequality, adapting to digitization, acting on climate change, and guarding against complacency. In prepared remarks, Hsu stressed the importance of safeguarding trust in banking. While he acknowledged the value of strong rules and regulations, Hsu cautioned that rules “are not adaptive to emerging risks” and “cannot perceive and respond to trends and developments that may erode or threaten trust.” He further emphasized that regulators must coordinate efforts to ensure stability and fairness, and pointed to the growth of cryptocurrency and decentralized finance as areas where it is imperative that regulators work together to ensure activities taking place within the banking system or those that are facilitated by banks are trustworthy. “Innovation is important, but safeguarding trust is paramount,” Hsu stressed. Additionally, Hsu noted that “coordination among all financial regulators will also be needed in the future to ensure a level playing field and limit regulatory arbitrage and to keep shadow banking at a safe distance from the regulated financial system. These goals cannot be achieved if the financial regulatory agencies, including state banking supervisors, do not work together. Public trust in bank regulators will rise or fall depending on our ability to do so.”

    Federal Issues Digital Assets OCC Cryptocurrency Fintech Agency Rule-Making & Guidance Bank Regulatory

  • FHFA seeks comments on regulatory capital framework

    Agency Rule-Making & Guidance

    On September 15, FHFA issued a notice requesting public comment on a proposed rule that would amend the regulatory capital framework for Fannie Mae and Freddie Mac (collectively, “GSEs”). The proposed rule would amend the prescribed leverage buffer amount (PLBA) and the capital treatment of credit risk transfers (CRT) to encourage more distribution of credit risk between the GSEs and private investors. Specifically, FHFA is proposing to: (i) change the fixed PLBA equal to 1.5 percent of a GSE’s adjusted total assets to a dynamic PLBA of 50 percent of the GSE’s stability capital buffer; (ii) “replace the prudential floor of 10 percent on the risk weight assigned to any retained CRT exposure with a prudential floor of 5 percent on the risk weight assigned to any retained CRT exposure”; and (iii) eliminate the requirement that a GSE apply an overall effectiveness adjustment to its retained CRT exposures in line with the framework’s securitization framework. Comments on the proposal must be submitted within 60 days of publication in the Federal Register.

    Agency Rule-Making & Guidance FHFA Fannie Mae Freddie Mac GSE Capital Requirements Federal Register

  • FTC reveals rulemaking petition process

    Agency Rule-Making & Guidance

    On September 15, the FTC announced significant changes in the agency’s rulemaking process that represent “a significant step to increase public participation and accountability around the work of the FTC.” According to the announcement, the Commission approved changes to the FTC’s “Rules of Practice,” which are “designed to make it easier for members of the public to petition the agency for new rules or changes to existing rules that are administered by the FTC.” The changes, which are a key part of opening the FTC’s regulatory processes to public input and scrutiny, are a departure from the previous practice, under which the Commission did not have an obligation to address petitions for agency action. The updates clarify the information that is required for petition submissions and note the data that the Commission finds helpful in its review. In addition, the changes require that the Commission publish petitions for rulemaking in the Federal Register and solicit public comment on them. Finally, under the new rules, the Commission must provide petitioners with a specific point of contact in the agency and must respond to petitioners to communicate its decision regarding the petition. The new changes will also apply to requests by certain parties for special exemption from FTC rules, as well as petitions related to industry guidance issued by the Commission.

    Agency Rule-Making & Guidance FTC Federal Register

  • FTC says health apps must comply with Health Breach Notification Rule

    Privacy, Cyber Risk & Data Security

    On September 15, the FTC warned health apps and connected devices collecting or using consumers’ health information that they must comply with the FTC’s Health Breach Notification Rule (Rule). The Rule requires companies to notify consumers and others if consumers’ health data is breached, and ensures that entities not covered by HIPAA are held accountable in the event of a security breach. Companies that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation per day. The FTC’s policy statement (approved by a 3-2 vote) clarifies the Rule’s scope and puts companies on notice of their reporting obligations. According to the FTC, health apps that are increasingly collecting sensitive and personal data from consumers have a responsibility to ensure the collected data is secured from unauthorized access. However, the FTC expressed concern that there are still few applicable privacy protections. “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” FTC Chair Lina M. Khan stated. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”

    Privacy/Cyber Risk & Data Security FTC Data Breach Compliance Consumer Protection Agency Rule-Making & Guidance

  • Agencies extend comment period on proposed third-party relationship risk management guidance

    Agency Rule-Making & Guidance

    On September 10, the OCC, Federal Reserve Board, and FDIC extended the comment period on the regulators’ proposed interagency guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with fintech-focused entities. The deadline has been extended to October 18 and interested parties may submit comments until the deadline.

    As previously covered by InfoBytes, the proposed guidance addresses key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Coupled with the release of a Federal Reserve Board paper describing community bank and fintech partnerships, as well as interagency guidance to help community banks evaluate fintech relationships (covered by InfoBytes here), the federal bank regulators are demonstrating continued and increased focus on third-party risk management issues.

    Agency Rule-Making & Guidance OCC FDIC Federal Reserve Risk Management Third-Party Fintech Third-Party Risk Management Bank Regulatory
