On October 6, the SEC Director of the Division of Enforcement, Gurbir Grewal, discussed the agency’s mission to maintain market integrity and improve public confidence in the securities market. While Grewal noted that enforcement actions taken over the past few years have helped to significantly animate the idea that the SEC “will pursue potential violations by any market participant,” he stressed the need for joint coordination to promote better conduct among market participants. According to Grewal, this includes firms examining ways their specific business models and products interact with both emerging risks and enforcement priorities and tailoring compliance practices and policies accordingly. He stressed that market participants should take “proactive” compliance measures, including enhancing recordkeeping requirements, and anticipate emerging challenges instead of waiting for an enforcement action to implement the appropriate policies and procedures. Grewal also discussed the key role market participants play in identifying and addressing emerging risks. This could include ensuring proactive compliance efforts continue even after violative conduct has occurred, cooperating with SEC investigations, and voluntarily self-reporting potential violations “before the violation is about to be publicly announced.” Grewal also noted that the SEC is currently evaluating its approach to enforcement action penalties to better assess whether past penalties have sufficiently deterred misconduct.
On September 30, the CFPB issued an analysis of recent rules that ensure mortgage servicers provide options to potentially vulnerable borrowers exiting forbearance. The analysis points out that there are approximately 1.6 million borrowers exiting mortgage forbearance programs and that many may be vulnerable to a greater risk of harm due to a variety of circumstances, which may have been exacerbated by the effects of the Covid-19 pandemic. As previously covered by a Buckley Special Alert, the Bureau issued a final rule earlier this year, which took effect August 31, obligating servicers to continue specifying, with substantial detail, any loss mitigation options that may help borrowers resolve their delinquencies. In April, the CFPB also urged mortgage servicers “to take all necessary steps now to prevent a wave of avoidable foreclosures this fall.” Citing the millions of homeowners in forbearance due to the Covid-19 pandemic, the Bureau’s April compliance bulletin warned servicers that consumers would need assistance when pandemic-related federal emergency mortgage protections expire (covered by InfoBytes here). In addition, in August the Bureau released an overview report of Covid-19 pandemic responses from 16 large mortgage servicers, finding that, among other things: (i) most servicers reported abandonment rates of less than 5 percent during the reporting period, while others’ rates exceeded 20 percent, with one servicer as high as 34 percent; (ii) most servicers saw increased rates of borrowers who were delinquent upon exiting pandemic hardship forbearance programs in March and April 2021 compared to previous months; and (iii) delinquency rates ranged from about 1 percent to 26 percent for federally-backed and private loans (covered by InfoBytes here). 
According to the September analysis, the Bureau “encourages servicers to enhance their communication capabilities and outreach efforts to educate and assist all borrowers in resolving delinquency and enrolling in widely available assistance and loss mitigation options.” The Bureau further encourages servicers to ensure that their compliance management systems include robust measures and warns against one-size-fits-all practices that may harm vulnerable consumers.
On September 23, the OCC released its lineup of free, virtual workshops for boards of directors of community national banks and federal savings associations. Included as part of the workshops to be held this fall and winter is a risk management series focusing on risk governance, credit risk, operational risk, and compliance risk. Another workshop will present guidance for directors and senior managers on building blocks for success. A schedule of the upcoming workshops is available here.
On September 20, the OCC announced a cease and desist order issued against a bank for alleged “unsafe or unsound practices” related to “technology and operational risk management,” in addition to the bank’s noncompliance with the OCC’s Interagency Guidelines Establishing Information Security Standards contained in Appendix B to 12 CFR Part 30. Without admitting to or denying the claims, the bank is required by the order to improve information technology and operational risk governance, technology risk assessments, internal controls, and staffing deficiencies. Specifically, the bank must develop an acceptable, written action plan outlining the remedial actions necessary to achieve compliance with the order by addressing the alleged unsafe or unsound practices and noncompliance, which must specify, among other things, a description of the corrective actions, reasonable and well-supported timelines, and those responsible for completing the actions. The order provides that the bank must also establish a Compliance Committee to submit quarterly: (i) “a description of the corrective actions needed to achieve compliance with each Article of the order”; (ii) “the specific corrective actions undertaken to comply with each Article of the Order”; and (iii) “the results and status of the corrective actions.”
On September 15, the FTC warned health apps and connected devices collecting or using consumers’ health information that they must comply with the FTC’s Health Breach Notification Rule (Rule). The Rule requires companies to notify consumers and others if consumers’ health data is breached, and ensures that entities not covered by HIPAA are held accountable in the event of a security breach. Companies that fail to comply with the Rule may be subject to monetary penalties of up to $43,792 per violation per day. The FTC’s policy statement (approved by a 3-2 vote) clarifies the Rule’s scope and puts companies on notice of their reporting obligations. According to the FTC, health apps that are increasingly collecting sensitive and personal data from consumers have a responsibility to ensure the collected data is secured from unauthorized access. However, the FTC expressed concern that there are still few applicable privacy protections. “While this Rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” FTC Chair Lina M. Khan stated. “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk.”
On August 31, NYDFS issued new guidance to regulated mortgage lenders for developing and implementing programs to comply with the state’s fair lending law, which “prohibits discrimination in, among other things, the granting, withholding, extending, or renewing, or in the fixing of the rates, terms, or conditions of any form of credit on the basis of sexual orientation.” According to an analysis conducted by NYDFS of mortgage loan applications and mortgage loan terms (between 2016 and 2018) from four non-depository lenders and one bank, “in all but two of the fifteen data sets reviewed, same-sex pairs of applicants were denied mortgage loans at higher rates than opposite-sex pairs of applicants.” Additionally, the analysis found that “in six of the data sets, same-sex pairs received between 9 and 17 basis points higher average annual percentage rates than opposite-sex pairs.” NYDFS emphasized that a “same-sex pair” does not necessarily involve LGBTQI individuals, but could also be a mortgage loan application from a father and son or two business partners of the same sex, among other pairings. As such, NYDFS acknowledged that it was “unable to determine with certainty whether discrimination based on sexual orientation occurred as to any particular same-sex pair within the data set.”
However, because NYDFS concluded that its findings raised enough concerns over the potential for discrimination against LGBTQI mortgage applicants, NYDFS advised mortgage lenders to take the following actions, among others, to mitigate discrimination: (i) vest responsibility in senior management to develop a fair lending plan and ensure mortgage lending practices comply; (ii) monitor the implementation of the fair lending plan and “continually address application and underwriting processes as well as pricing policies”; (iii) implement a training program and semi-annually provide updates on fair lending issues; (iv) “[e]nsure automatic and timely review by a higher-level supervisor of all rejected or withdrawn applications for loans from same-sex pairs who indicated that they would live together in the mortgaged property”; (v) extend (in writing) a fair lending plan’s principles to a mortgage lender’s refinancing and collection practices; and (vi) periodically review and update fair lending compliance programs and fair lending plans to ensure they remain current. Mortgage lenders are also advised to utilize rate sheets and exception logs to document applications from same-sex pairs, document approved loans for such applicants that received less favorable terms, and conduct statistical and regression analysis of loan data.
On August 13, the Financial Industry Regulatory Authority (FINRA) reminded member firms of their supervisory obligations related to outsourcing to third-party vendors. Regulatory Notice 21-29 reiterates that supervisory obligations under FINRA Rule 3110 extend to member firms’ outsourcing of certain “covered activities” and reminds firms that under Regulatory Notice 05-48, “‘outsourcing an activity or function to … [a vendor] does not relieve members of their ultimate responsibility for compliance with all applicable federal securities laws and regulations and [FINRA] and MSRB rules regarding the outsourced activity or function.’” Emphasizing that “member firms have continued to expand the scope and depth of their use of technology and have increasingly leveraged [v]endors to perform risk management functions and to assist in supervising sales and trading activity and customer communications,” FINRA reminds member firms that supervisory systems and associated written supervisory procedures extend to the “outsourced activities or functions” of their vendors. The notice also cites examples of violations uncovered during previous examinations linked to third-party vendors related to data integrity, cybersecurity and technology governance, and books and records requirements. These include instances where firms’ vendors failed to implement technical controls or failed to properly manage customers’ nonpublic information. Member firms are encouraged to take a “risk-based approach” to vendor management and to assess whether their supervisory procedures for third-party vendors are “sufficient to maintain compliance with applicable rules.”
On August 16, the OCC released an annual update to its Bank Accounting Advisory Series (BAAS). Intended to address a variety of accounting topics and promote consistent application of accounting standards and regulatory reporting among OCC-supervised banks, the BAAS reflects updates to accounting standards issued by the Financial Accounting Standards Board through March 31, 2021, related to, among other things, (i) the amortization of premiums on callable debt securities; and (ii) evaluating goodwill impairment triggering events for private companies. The 2021 edition also includes answers to frequently asked questions from industry and bank examiners. Additionally, the OCC notes that the BAAS does not represent OCC rules or regulations but rather “represents the Office of the Chief Accountant’s interpretations of generally accepted accounting principles and regulatory guidance based on the facts and circumstances presented.”
On July 26, the Georgia Department of Banking and Finance (Department) announced that the Superior Court of DeKalb County entered an order granting default judgment against defendants for unauthorized banking activities and the unapproved use of the word “bank.” Under Georgia law, it is unlawful to conduct, advertise, or be affiliated with a banking business in the state without a bank charter. Georgia law also prohibits the use of the words “bank” and/or “trust” in any entity’s name without permission from the Department. In 2020, the Department issued a cease and desist order against the defendants after the Department determined that it had no records of the entity and had not approved it or the individual defendant to organize a bank and/or conduct a banking business in or from Georgia. Nor had the Department granted the entity defendant the ability to use the word “bank” in its name. The Department later discovered that the defendants violated the cease and desist order by continuing to engage in unauthorized banking activities and continuing to advertise using the word “bank” without approval. The court ordered the defendants to comply with the cease and desist order and permanently enjoined them from, among other things, using bank nomenclature and advertising or providing financial products or services from within Georgia without written authorization from the Department.
Recently, the Massachusetts Division of Banks published guidance related to the conduct of debt collectors, student loan servicers, and third-party loan servicers. 209 CMR 18.00 defines unfair or deceptive acts or practices for entities servicing loans or collecting debts within the commonwealth, and provides licensing, registration, and supervision procedures. Those provisions of the regulation that govern fair debt collection and third party loan servicing practices apply both to licensed entities, and entities exempt from licensure. Additionally, the regulation specifies that licensed debt collectors are not required to register as third party loan servicers but must still comply with all relevant state and federal laws and regulations that govern third party loan servicers when acting in that capacity. Student loan servicers engaged in third party loan servicing activities or debt collection activities within the scope of student loan servicing activities described within Massachusetts’ law are also required to comply with all applicable state and federal laws and regulations governing third party loan servicers and debt collectors when acting in such capacity. Additionally, 209 CMR 18.00 outlines, among other things, (i) licensing application requirements; (ii) licensing standards; (iii) registration procedures and standards; (iv) notice, reporting, and recordkeeping requirements; (v) collection practices and consumer communication restrictions; (vi) prohibitions related to harassment or abuse, false or misleading representations, and unfair, deceptive, or unconscionable practices; (vii) debt validation requirements; (viii) mortgage loan servicing practices; (ix) student loan servicing practices; and (x) confidentiality provisions. The regulation took effect July 1.