InfoBytes Blog

Financial Services Law Insights and Observations

  • California court orders CFPB to issue Section 1071 NPRM by September 30

    Courts

    On July 16, the U.S. District Court for the Northern District of California issued an order setting September 30 as the deadline for the CFPB to issue a notice of proposed rulemaking (NPRM) on small business lending data. As previously covered by InfoBytes, the Bureau is obligated to issue an NPRM for implementing Section 1071 of the Dodd-Frank Act, which requires the agency to collect and disclose data on lending to women and minority-owned small businesses. The requirement was established as part of a stipulated settlement reached in 2020 with a group of plaintiffs, including the California Reinvestment Coalition (CRC), that argued that the Bureau’s failure to implement Section 1071 violated two provisions of the Administrative Procedure Act and has harmed the CRC’s ability to advocate for access to credit, advise organizations working with women and minority-owned small businesses, and work with lenders to arrange investment in low-income communities and communities of color (covered by InfoBytes here).

    Find continuing Section 1071 coverage here.

     

    Courts CFPB Small Business Lending Section 1071 Dodd-Frank Agency Rule-Making & Guidance

  • Federal agencies seek comments on third-party relationships

    Agency Rule-Making & Guidance

    On July 13, the Federal Reserve Board, FDIC, and OCC announced a request for public comments on proposed guidance designed to help banking organizations manage risks related to third-party relationships, including relationships with financial technology-focused entities. The guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance. The proposed guidance provides “a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.” The proposal addresses key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Comments on the proposal are due 60 days after publication in the Federal Register.

    Agency Rule-Making & Guidance FDIC OCC Federal Reserve Third-Party Fintech Risk Management Third-Party Risk Management Bank Regulatory

  • CFPB and FDIC release enhancements to financial education program for seniors

    Agency Rule-Making & Guidance

    On July 14, the CFPB and FDIC announced enhancements to Money Smart for Older Adults, the agencies’ financial education program geared toward preventing elder financial exploitation. The enhanced version includes sections to help people avoid romance scams, which, according to data from the FTC, led to $304 million in losses in 2020. In addition, the agencies are releasing an informational brochure on Covid-19 related scams. FDIC training materials and other resources for older adults are available from the CFPB here.

    Agency Rule-Making & Guidance FDIC CFPB Consumer Finance Elder Financial Exploitation Covid-19 Bank Regulatory

  • Biden orders federal agencies to evaluate banking, consumer protections

    Federal Issues

    On July 9, President Biden issued a broad Executive Order (E.O.) that includes provisions related to the financial services industry.

    • CFPB. The E.O. encourages the CFPB director to issue rules under Section 1033 of Dodd-Frank “to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products.” As previously covered by InfoBytes, last October, the Bureau issued an advanced notice of proposed rulemaking on Section 1033, seeking comments on questions related to consumers’ access to their financial records. The E.O. also instructs the Bureau to enforce Section 1031 of Dodd-Frank, which prohibits unfair, deceptive, or abusive acts or practices in consumer financial products or services, “to ensure that actors engaged in unlawful activities do not distort the proper functioning of the competitive process or obtain an unfair advantage over competitors who follow the law.”
    • Treasury Department. The E.O. calls on Treasury to submit a report within 270 days on the effects on competition of large technology and other non-bank companies’ entry into the financial services space.
    • FTC. The E.O. tasks the FTC with establishing rules to address concerns about “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.” The FTC already commenced that process on July 1, when it approved changes to its Rules of Practice to amend and simplify the agency’s procedures for initiating rulemaking proceedings. According to Commissioner Rebecca Kelly Slaughter, “[s]treamlined procedures for Section 18 rulemaking means that the Commission will have the ability to issue timely rules on issues ranging from data abuses to dark patterns to other unfair and deceptive practices widespread in our economy.”
    • Bank Mergers. The E.O. encourages the Attorney General, in consultation with the Federal Reserve Board, FDIC, and OCC, to “review current practices and adopt a plan, not later than 180 days after the date of this order, for the revitalization of merger oversight under the Bank Merger Act and the Bank Holding Company Act of 1956.”

    Federal Issues Biden CFPB FTC Dodd-Frank UDAAP Privacy/Cyber Risk & Data Security Consumer Finance Department of Treasury Federal Reserve FDIC OCC Agency Rule-Making & Guidance Bank Regulatory

  • Fed to launch CECL tool for community banks

    Agency Rule-Making & Guidance

    On July 1, the Federal Reserve Board announced plans to launch a new tool to help community banks with assets of less than $1 billion implement the Current Expected Credit Losses (CECL) accounting standard. The new spreadsheet-based tool, known as the “Scaled CECL Allowance for Losses Estimator” (or SCALE), will use publicly available regulatory and industry data and is intended to simplify CECL compliance for community banks. The SCALE tool will be launched during an “Ask the Fed” webinar on July 15.

    Agency Rule-Making & Guidance Federal Reserve Community Banks CECL Bank Regulatory

  • Biden signs repeal of OCC’s “true lender” rule

    Federal Issues

    On June 30, President Biden signed S.J. Res. 15, repealing the OCC’s “true lender” rule pursuant to the Congressional Review Act. Issued last year, the final rule amended 12 CFR Part 7 to state that a bank makes a loan when, as of the date of origination, it either (i) is named as the lender in the loan agreement, or (ii) funds the loan. The final rule also provided that if “one bank is named as the lender in the loan agreement and another bank funds the loan, the bank that is named as the lender in the loan agreement makes the loan.” (Covered by InfoBytes here.)

    Federal Issues OCC True Lender U.S. House U.S. Senate Congressional Review Act Fintech Agency Rule-Making & Guidance Predatory Lending Bank Regulatory

  • NYDFS issues ransomware guidance

    Agency Rule-Making & Guidance

    On June 30, NYDFS announced new guidance for preventing ransomware attacks. In the guidance, NYDFS identified cybersecurity controls that decrease the risk of a ransomware attack. In examining ransomware incidents reported by its regulated entities over the past year and a half, NYDFS observed that incidents follow a similar pattern where “hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.” Following guidance from the Federal Bureau of Investigation, NYDFS recommended that companies avoid making ransomware payments if their networks are compromised. NYDFS also urged all regulated entities to prepare for a ransomware attack by implementing measures such as: (i) training employees in cybersecurity awareness; (ii) implementing a vulnerability and patch management program; (iii) utilizing multi-factor authentication and strong passwords; (iv) using monitoring and response to detect intruders; and (v) having a ransomware-specific incident response plan. NYDFS Superintendent Linda A. Lacewell noted that “[c]ybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry.”

    Agency Rule-Making & Guidance NYDFS Ransomware Privacy/Cyber Risk & Data Security State Issues State Regulators Bank Regulatory

  • FFIEC releases “Architecture, Infrastructure, and Operations” booklet

    Agency Rule-Making & Guidance

    On June 30, the Federal Financial Institutions Examination Council (FFIEC) published the “Architecture, Infrastructure, and Operations” booklet of the FFIEC Information Technology Examination Handbook, which provides guidance to examiners on assessing the risk profile and adequacy of an entity’s information technology architecture, infrastructure, and operations (AIO). According to FDIC FIL-47-2021, the booklet, among other things: (i) describes the principles and practices that examiners should review in order to assess an entity’s AIO functions; (ii) focuses on “enterprise-wide, process-oriented approaches regarding the design of technology within the overall enterprise and business structure, implementation of information technology infrastructure components, and delivery of services and value for customers”; and (iii) mentions “assessing an entity’s governance of common AIO-related risks, enterprise-wide IT architectural planning and design, implementation of virtual and physical infrastructure, and on assessing an entity’s related operational controls.” In addition, according to an OCC announcement, the booklet discusses how appropriate governance of the AIO functions and related activities can: (i) promote risk identification across banks, nonbank financial institutions, bank holding companies, and third-party providers; (ii) support implementation of effective risk management; (iii) assist management through the regular assessment of an entity’s strategies; and (iv) promote alignment and integration between the functions. The booklet replaces the Operations booklet issued in July 2004.

    Agency Rule-Making & Guidance OCC FDIC CFPB FFIEC Risk Management Bank Regulatory

  • FinCEN plans to undertake future no-action letter rulemaking

    Agency Rule-Making & Guidance

    On June 30, the Financial Crimes Enforcement Network (FinCEN) announced the completion of a report on whether to establish a process for issuing no-action letters in response to inquiries concerning the application of the Bank Secrecy Act (BSA) and other anti-money laundering and countering the financing of terrorism laws to specific conduct, “including a request for a statement as to whether FinCEN or any relevant Federal functional regulator intends to take an enforcement action with respect to such conduct.” As required pursuant to Section 6305 of the Anti-Money Laundering Act of 2020 (included as part of the National Defense Authorization Act for Fiscal Year 2021 and covered by InfoBytes here), FinCEN submitted its no-action letter assessment to Congress. The assessment involved consultation with the Attorney General and other entities including the federal functional regulators, state bank and credit union supervisors, and other federal agencies.

    The agency analyzed various issues when conducting its assessment, including “whether a formal no-action process would help to mitigate or accentuate illicit finance risks in the United States.” Among other things, the report concluded that the majority of the consulting parties agreed that FinCEN should implement a no-action letter policy. “The primary benefits identified by those in favor of a no-action letter process are that it could promote a robust and productive dialogue with the public, spur innovation among financial institutions, and enhance the culture of compliance and transparency in the application and enforcement of the BSA,” FinCEN stated. According to FinCEN acting Director Michael Mosier, the agency concluded “that a no-action letter process would be a useful complement to its current forms of regulatory guidance and relief.” The agency stated it intends to undertake a future rulemaking “subject to resource limitations and competing priorities” to establish a process for issuing no-action letters that will supplement its current forms of regulatory guidance and relief. However, FinCEN noted that the no-action letter process would be most effective and workable if it were limited to the agency’s exercise of its own enforcement authority, instead of also addressing other regulators’ exercise of their own enforcement authorities.

    Agency Rule-Making & Guidance FinCEN Of Interest to Non-US Persons Bank Secrecy Act Anti-Money Laundering Combating the Financing of Terrorism No Action Letter Financial Crimes

  • FinCEN issues first government-wide AML/CFT priorities

    Agency Rule-Making & Guidance

    On June 30, the Financial Crimes Enforcement Network (FinCEN) issued the first government-wide priorities for anti-money laundering and countering the financing of terrorism (AML/CFT) policy (AML/CFT Priorities) pursuant to the Anti-Money Laundering Act of 2020 (AML Act). The AML/CFT Priorities were established in consultation with the Treasury Department’s Office of Foreign Assets Control, SEC, CFTC, IRS, state financial regulators, law enforcement, and national security agencies, and highlight key threat trends as well as informational resources to help covered institutions manage their risks and meet their obligations under laws and regulations designed to combat money laundering and counter terrorist financing. According to the AML/CFT Priorities, the most significant AML/CFT threats currently facing the U.S. (in no particular order) are corruption, cybercrime, domestic and international terrorist financing, fraud, transnational criminal organization activity, drug trafficking organization activity, human trafficking and human smuggling, and proliferation financing. FinCEN further noted it will update the AML/CFT Priorities to highlight new or evolving threats at least once every four years as required under the AML Act, and issued a separate statement providing additional clarification for covered institutions.

    Separately, the Federal Reserve Board, FDIC, NCUA, OCC, state bank and credit union regulators, and FinCEN also issued a joint statement providing clarity for banks on the AML/CFT Priorities. The statement emphasized that the publication of the AML/CFT Priorities “does not create an immediate change to Bank Secrecy Act (BSA) requirements or supervisory expectations for banks.” Rather, within 180 days of the establishment of the AML/CFT Priorities, FinCEN will promulgate regulations, as appropriate, in consultation with the federal functional regulators and relevant state financial regulators. The federal banking agencies noted that they intend to revise their BSA regulations as needed to address how the AML/CFT priorities will be incorporated into BSA requirements for banks, adding that banks will not be required to incorporate the AML/CFT Priorities into their risk-based BSA compliance programs until the effective date of the final revised regulations. However, banks may choose to begin considering how they intend to incorporate the AML/CFT Priorities, “such as by assessing the potential related risks associated with the products and services they offer, the customers they serve, and the geographic areas in which they operate.” Moreover, the statement confirmed that federal and state examiners will not examine banks for the incorporation of the AML/CFT Priorities into their risk-based BSA programs until the final revised regulations take effect.

    Agency Rule-Making & Guidance FinCEN Anti-Money Laundering Combating the Financing of Terrorism Of Interest to Non-US Persons Financial Crimes OFAC Department of Treasury SEC CFTC IRS State Regulators State Issues Anti-Money Laundering Act of 2020 Bank Secrecy Act Bank Regulatory Federal Reserve FDIC NCUA OCC
