InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Chopra discusses SIFI risks
On November 9, CFPB Director and FDIC Board Member Rohit Chopra delivered remarks before the FDIC Systemic Resolution Advisory Committee to discuss challenges facing systemically important financial institutions. Chopra began by raising concerns related to domestic systemically important banks (DSIBs) and the potentially disruptive impact facing consumers and small businesses should one of these bank fail. Chopra explained that, because DSIBs are heavily involved in retail banking with large consumer businesses and carry relatively high levels of uninsured deposits, “DSIB resolutions could pose serious technical challenges for the FDIC” that would necessitate serious consideration. Chopra also pointed out concerns raised by many experts that a large number of nonbank systemically important financial institutions (which have not yet been formally designated by the Financial Stability Oversight Council) pose systemic risk to the financial system. “Absent a designation, these institutions are not required to file a resolution plan,” Chopra said, noting that “[r]esolving these institutions without a plan would be an enormous challenge.” He also emphasized the importance of finding ways to eliminate bailout risks for global systemically important banks.
FDIC’s Gruenberg discusses CRA rulemaking
On November 2, FDIC acting Chairman Martin J. Gruenberg delivered remarks before the National Association of Affordable Housing Lenders to address ongoing Community Reinvestment Act (CRA) rulemaking, the results of the FDIC’s most recent National Survey of Unbanked and Underbanked Households, and challenges from nonbank payment services. In his remarks, Gruenberg referenced the pending notice of proposed rulemaking (NPR) on the CRA issued in May by the FDIC, OCC, and the Federal Reserve Board (collectively, “agencies”). As previously covered by InfoBytes, the NPR would update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. Gruenberg stated that the agencies are committed to strengthening the law’s impact and “increasing transparency and predictability in its application,” and said the FDIC is currently reviewing approximately 1,000 unique comments received in response to the NPR. Gruenberg also discussed the results of the FDIC’s most recent National Survey of Unbanked and Underbanked Households. According to the biennial survey, an estimated 4.5 percent of U.S. households (representing 5.9 million households) lack a bank or credit union account, the lowest national unbanked rate since the FDIC survey began in 2009 (covered by InfoBytes here). Gruenberg noted that the survey found that the rate of unbanked households decreased consistently over the past decade, from 8.2 percent in 2011 to 4.5 percent in 2021. He also said that the survey indicated that 14.1 percent of households were underbanked, although demand for several nonbank products and services decreased. Gruenberg further commented that the survey revealed regulatory challenges in light of the array of options available to consumers, specifically nonbank online payment services. He explained that though “banked households were significantly more likely to use nonbank online payments services than unbanked households, the most common use cases were quite different between the two groups. Banked households most commonly reported that they used these services primarily to send or receive money from family or friends and to make online purchases, as a complement to a bank account. In contrast, the most common use cases among unbanked households revealed that they were using these services as they might otherwise have used bank accounts: paying bills, receiving income and as a vehicle to save or keep money safe.”
Chopra highlights CFPB efforts on competitive consumer financial markets
On September 21, CFPB Director Rohit Chopra discussed Bureau efforts to ensure markets for consumer financial products and services are “fair, transparent, and competitive.” Speaking during the Exchequer Club Fireside Chat, Chopra explained that the agency’s authorizing statute specifically directs the Bureau to promote competition by consistently enforcing the law regardless of whether an entity takes deposits. He clarified that there should not be different standards for assessing when a firm violates the law, and highlighted several ways that the Bureau is working to fulfill its mandate to ensure competitive markets. One example Chopra provided relates to reshaping the Bureau’s approach to promoting new products and offerings, especially as they relate to refinancing options. He pointed to Bureau efforts to ensure both banks and nonbanks could launch products to save private student loan borrowers money as an example of making sure all potential market entrants could benefit. Chopra stated that the Bureau is also requesting feedback from investors, lenders, and the public on topics related to improving mortgage refinancing options (covered by InfoBytes here), and is working on ways to stimulate more credit card and auto loan refinancing. Additionally, Chopra touched on other areas of focus, including consumer finance offerings that rely on emerging technologies such as banking in augmented reality and the metaverse, nonbank supervision and oversight, bright-line regulatory approaches, competitive pricing and back-end fees, regulatory arbitrage, and personal financial data rights.
Republicans take issue with CFPB agenda
On September 12, several Republican senators sent a letter to CFPB Director Rohit Chopra expressing concerns that the Bureau is again pursuing “a radical and highly-politicized agenda unbounded by statutory limits.” In particular, the letter took issue with recent Bureau reports on the use of overdraft fees (covered by InfoBytes here and here), calling the agency’s actions a “relentless smear campaign” against banks. “Charging fees that customers chose to pay should not be disturbing or illegal, and yet, the CFPB appears to have developed a particular disdain for banks charging their customers for services, pejoratively calling overdraft protection ‘junk fees,’” the letter stated. Additionally, the letter claimed that the Bureau is changing its rules in order to publish previously confidential information about financial institutions to make it easier to threaten them with reputational harm (covered by InfoBytes here), without affording the financial institution the similar ability to, for example, disclose the existence of a CFPB examination. Among other things, the new procedural rule establishes a disclosure mechanism intended to increase transparency of the Bureau’s risk-determination process that will exempt final decisions and orders by the CFPB director from being considered confidential supervisory information, allowing the Bureau to publish the decisions on their website. According to the senators, the rule requires nonbanks to keep confidential information relating to a decision issued by the Bureau, including facts that could question the decision or raise procedural concerns. “The one-sided nature of the CFPB’s rule change gives the agency the ability to publicly tarnish an institution’s name without affording the firm the power to defend itself,” the letter said. The letter also decries a recent change to the agency’s rules of adjudication to make it more difficult for companies to defend themselves against novel enforcement theories by bypassing an administrative law judge and permitting the director to rule directly on the validity of the legal basis for the enforcement action.
CFPB: Financial services companies must safeguard consumer data
On August 11, the CFPB released Circular 2022-04 to reiterate that financial services companies may violate the CFPA’s prohibition on unfair acts or practices if they fail to safeguard consumer data. The Circular explained that, in addition to other federal laws governing data security for financial institutions, such as the Safeguards Rules issued under the Gramm-Leach-Bliley Act (which was updated in 2021 and covered by InfoBytes here), “covered persons” and “service providers” are required to comply with the prohibition on unfair acts or practices in the CFPA. Examples of when firms can be held liable for lax data security protocols are provided within the Circular, as are examples of widely implemented data security practices. The Bureau explained that inadequate data security measures may cause significant harm to a few consumers who become victims of targeted identity theft as a result, or may harm potentially millions of consumers if a large customer-base-wide data breach occurs. The Bureau reiterated that actual injury is not required to satisfy the unfairness prong in every case. “A significant risk of harm is also sufficient,” the Bureau said, noting that the “prong of unfairness is met even in the absence of a data breach. Practices that ‘are likely to cause’ substantial injury, including inadequate data security measures that have not yet resulted in a breach, nonetheless satisfy this prong of unfairness.”
While the circular does not suggest that any of the outlined security practices are specifically required under the CFPA, it does provide examples of situations where the failure to implement certain data security measures might increase the risk of legal liability. Measures include: (i) using multi-factor authentication; (ii) ensuring adequate password management; and (iii) implementing timely software updates. “Financial firms that cut corners on data security put their customers at risk of identity theft, fraud, and abuse,” CFPB Director Rohit Chopra said in the announcement. “While many nonbank companies and financial technology providers have not been subject to careful oversight over their data security, they risk legal liability when they fail to take commonsense steps to protect personal financial data.”
CSBS releases nonbank cybersecurity examination tools
On August 9, the Conference of State Bank Supervisors (CSBS) released two new tools used by state examiners to assess nonbank financial services companies’ cyber preparedness. Developed by a multi-state team of cybersecurity examination experts, the Baseline Nonbank Cybersecurity Exam Program and the Enhanced Nonbank Cybersecurity Exam Program provide nonbanks the opportunity to improve their cybersecurity posture and better prepare for cybersecurity exams conducted by state examiners. The “Baseline” program is geared toward exams of “smaller, noncomplex, low-risk institutions,” and “is targeted for use by examiners with or without specialized IT and cybersecurity knowledge.” The “Enhanced” program includes all of the Baseline procedures as well as additional procedures to provide a “more in-depth review for larger, more complex institutions or for those where concerns are raised during exams.” The program is intended for use by examiners with specialized IT and cybersecurity knowledge.
“Supervisory clarity is essential to increasing industry awareness and making our financial system more resilient to cyber-attacks,” CSBS Senior Vice President of Nonbank Supervision Chuck Cross said in the announcement. “The Nonbank Cybersecurity Exam Procedures released today provide nonbank institutions additional optional tools to guard against cyber-attacks, data breaches or lapses in management oversight in this crucial area.”
CSBS announced that it intends to provide additional tools tailored to the needs of smaller nonbank financial institutions in the coming months.
Trade groups petition CFPB to supervise data aggregators
On August 2, several bank and credit union trade groups petitioned the CFPB asking the Bureau to create regulations that would allow the agency to conduct routine exams and supervise data aggregators and their customers. While the Bureau is currently considering rulemaking under Section 1033 of the Dodd-Frank Act with respect to consumer access to financial records and has “affirmed its commitment to ‘monitoring the aggregation services market and ensuring consumer protection and safety,’” the petition argued that there is a “supervisory imbalance” between banks and nonbanks in terms of data oversight. “[A]mong the participants in the market for aggregation services, typically, data holders, such as banks and credit unions, are regularly supervised and examined by the CFPB, whereas nondepository institutions such as data aggregators and data users are not examined by the CFPB,” the petition stated, adding that this “creates both an unsustainable model as the aggregation services market grows and the risk that the laws applicable to the activities of those larger participants in this market will be enforced inconsistently.” As a result, the petition warned that potential consumer harm attributed to data aggregator and data user activity may not be identified and remedied in a timely manner. The trade groups called for the Bureau to create a rule that would add a definition for “larger participants of a market” for aggregation services, as well as define the term “aggregation services” to mean a “financial product or service” under Title X of Dodd-Frank. Doing so would ensure that “all providers of comparable financial products and services” are subject to similar levels of accountability, the petition said.
FDIC issues advisory on crypto companies’ deposit insurance claims
On July 29, the FDIC announced an advisory addressing certain misrepresentations about FDIC deposit insurance made by some crypto companies. The advisory, among other things, reminded insured banks that they must be aware of how FDIC insurance operates as well as the need to assess, manage, and control risks arising from third-party relationships, including those with crypto companies. The advisory noted that recently “some crypto companies have suspended withdrawals or halted operations," and that in certain cases, "these companies have represented to their customers that their products are eligible for FDIC deposit insurance coverage, which may lead customers to believe, mistakenly, that their money or investments are safe.” In dealing with crypto companies, the agency cautioned that “FDIC-insured banks should confirm and monitor that these companies do not misrepresent the availability of deposit insurance.” The FDIC also issued a Fact Sheet reminding the public that the FDIC only insures deposits held in insured banks and savings associations and only in the event of an insured bank’s failure. The FDIC does not insure assets issued by non-bank entities, such as crypto companies.
OCC reports on key risks facing the federal banking system
On June 23, the OCC released its Semiannual Risk Perspective for Spring 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that as “banks continue to navigate the operational- and market-related impacts of the pandemic along with substantial government stimulus, current geopolitics have tightened financial conditions and increased downside risk to economic growth.” However, the OCC noted that banks’ financial conditions remain strong and that banks are well-positioned to “deal with the economic headwinds arising from geopolitical events, higher interest rates and increased inflation.”
The OCC highlighted operational, compliance, interest rate, and credit risks as key risk themes in the report. Observations include: (i) operational risk, including evolving cyber risk, is elevated, with an observed increase in attacks on the financial services industry given current geopolitical tensions; (ii) compliance risk remains heightened as banks navigate the current operational environment, regulatory changes, and policy initiatives; and (iii) credit risk remains moderate, with banks facing certain areas of weakness and potential longer-term implications resulting from the Covid-19 pandemic, inflation, and direct and indirect effects of the war in Ukraine. Staffing challenges among banks also present risks, with challenges posed by “strong competition” in the labor market.
The report also discussed the importance of appropriate due diligence of new digital asset products and services. The OCC said that it “continues to engage on an interagency basis to analyze various crypto-asset use cases,” and is looking to “provide further clarity on legal permissibility, as well as safety and soundness and compliance considerations related to crypto-assets” in the banking industry.
The OCC further stated it “will continue to monitor the development of climate-related financial risk management frameworks at large banks,” and reported that “OCC large-bank examination teams will integrate the examination of climate-related financial risk into supervision strategies and continue to engage with bank management to better understand the challenges banks face in this effort, including identifying and collecting appropriate data and developing scenario analysis capabilities and techniques.”
CFPB revising its rulemaking approach
On June 17, CFPB Director Rohit Chopra announced in a blog post that the agency plans to move away from overly complicated and tailored rules. “Complexity creates unintended loopholes, but it also gives companies the ability to claim there is a loophole with creative lawyering,” Chopra said. The Bureau’s plan to implement simple, durable bright-line guidance and rules will better communicate the agency’s expectations and will provide numerous other benefits, he added.
With regards to traditional rulemaking, the Bureau outlined several priorities, which include focusing on implementing longstanding Congressional directives related to consumer access to financial records, increased transparency in the small business lending marketplace, and quality control standards for automated valuation models under Sections 1033, 1071, and 1473(q) of the Dodd-Frank Act. Additionally, the Bureau stated it will assess whether it should use Congressional authority to register certain nonbank financial companies to identify potential violators of federal consumer financial laws.
Chopra also announced that the Bureau is reviewing a “host of rules” that it inherited from other agencies such as the FTC and the Federal Reserve. “Many of these rules have now been tested in the marketplace for many years and are in need of a fresh look,” Chopra said. Specifically, the Bureau will (i) review rules originated by the Fed under the 2009 Credit CARD Act (including areas related to “enforcement immunity and inflation provisions when imposing penalties on customers”); (ii) review rules inherited from the FTC for implementing the FCRA to identify possible enhancements and changes in business practices; and (iii) review its own Qualified Mortgage Rules to assess aspects of the “seasoning provisions” (covered by a Buckley Special Alert) and explore ways “to spur streamlined modification and refinancing in the mortgage market.”
The Bureau noted that it also plans to increase its interpretation of existing laws through its Advisory Opinion program and will continue to issue Consumer Financial Protection Circulars to provide additional clarity and encourage consistent enforcement of consumer financial laws among government agencies (covered by InfoBytes here and here).