On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in Summer 2015. Developed to help financial institutions identify risks and assess their cybersecurity preparedness, the Assessment is voluntary. The FAQs guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQs guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectations for Inherent Risk Profile levels to align with an institution’s Cybersecurity Maturity.
On October 11, the CFPB issued a consent order to a Virginia-based federal credit union to resolve allegations that its debt collection activities were unfair and deceptive in violation of the Dodd-Frank Wall Street Reform and Consumer Protection Act. According to the CFPB’s consent order, the credit union failed to implement adequate compliance controls and employee training on debt collection communications. The credit union’s actions involved employees who sent letters to “hundreds of thousands” of consumers containing various misrepresentations regarding the handling of consumer debt. The consent order alleged that these debt collection letters falsely threatened legal action, wage garnishment, and contacting servicemembers’ commanding officers for failure to remit payments. The consent order also noted that the same threats were made via telephone. The CFPB further contends that the credit union (i) sent approximately 68,000 letters misrepresenting the credit consequences of falling behind on a loan, alleging that members would “find it difficult, if not impossible, to obtain additional credit because of [their] present unsatisfactory credit rating” (internal quotations omitted); and (ii) restricted consumers’ electronic account access and electronic account services – without providing adequate notice – once their accounts became delinquent. Pursuant to the consent order, the credit union must (i) pay $23 million in consumer redress; (ii) pay a $5.5 million civil money penalty; and (iii) establish a comprehensive compliance plan regarding its policies and procedures on consumer debt collection communications and electronic account restrictions.
On October 12, the CFPB issued an updated version of its small entity compliance guide on the Know Before You Owe TILA-RESPA Integrated Disclosure (TRID) Rule. The updated TRID compliance guide incorporates guidance from CFPB webinars on various topics, including (i) record retention; (ii) Loan Estimate and Closing Disclosure requirements, including format and delivery; (iii) good faith standards and determinations; (iv) disclosures related to seller-paid costs; and (v) construction loans. The newly released TRID compliance guide replaces the CFPB’s July 2015 guide. The CFPB also issued a separate revised guide for completing the Loan Estimate and Disclosure forms.
On October 13, the CFPB announced various senior leadership changes. John Coleman will now serve as the CFPB’s Deputy General Counsel for Litigation and Oversight in the Legal Division. Coleman joined the CFPB in November 2010 and has since served as Assistant General Counsel for Litigation and as Senior Litigation Counsel. Additional leadership changes include Stacy Canan serving as Assistant Director for the Office for Older Americans, and Sonya White serving as Deputy General Counsel for General Law and Ethics in the Legal Division.
Federal Reserve Board Member Recognizes Blockchain Technology's Potential; Warns of Associated Risks
On October 7, at the Institute of International Finance Annual Meeting Panel on Blockchain, Federal Reserve Board member Lael Brainard delivered a speech titled “Distributed Ledger Technology: Implications for Payments, Clearing, and Settlement.” Brainard acknowledged blockchain technology as possibly the “most significant development in many years in payments, clearing, and settlement” and outlined its potential “to transform the way financial market participants transfer, store, and maintain ownership records of digitized assets.” Brainard highlighted payment technology changes as a particular regulatory focus and emphasized the Federal Reserve’s “responsibilities for promoting the safety and efficiency of the payments and settlements systems; supervising financial institutions engaged in payments, clearing and settlement; and safeguarding financial stability.” The following potential benefits of blockchain technology are among those discussed in Brainard’s speech: (i) faster processing and reduced costs in cross-border payments and trade finance; (ii) transparency, reduced costs, and faster settlements within securities markets; and (iii) cryptography as a secure way of transmitting and storing data. Brainard cautioned that, notwithstanding the technology’s promise, certain risks associated with financial technological developments and innovation remain, particularly in the areas of settlement, operations, cybersecurity, money laundering, and terrorist financing. Brainard concluded by highlighting the Federal Reserve’s commitment to industry engagement as blockchain technology evolves, noting that stakeholders “will work together to foster socially beneficial innovation, while insisting that risks are thoroughly understood, managed, and controlled.”
OFAC Publishes Fact Sheet and FAQ Related to Termination of Burma Sanctions Program; Updates SDN List
On October 7, OFAC published a Fact Sheet and Frequently Asked Question (FAQ) number 481 regarding the implementation of the President’s Executive Order entitled “Termination of Emergency with Respect to the Actions and Policies of the Government of Burma.” OFAC’s fact sheet explains that all OFAC-administered restrictions and authorizations under the Burma sanctions program pertaining to banking with Burma, including 2012 and 2013 OFAC general licenses that authorized certain correspondent account activity with Burmese banks, are terminated pursuant to the Executive Order. FAQ 481 clarifies that “[p]ending OFAC enforcement matters will proceed irrespective of the termination of OFAC-administered sanctions on Burma, and OFAC will continue to review apparent violations of the [Burmese Sanctions Regulations], whether [such violations] came to the agency’s attention before or after the Burma sanctions program was terminated.” In connection with terminating the Burma-related sanctions program, OFAC made several deletions to its SDN List.
On October 7, OFAC updated its Frequently Asked Questions (FAQs) relating to the Lifting of Certain U.S. Sanctions under the Joint Comprehensive Plan of Action (JCPOA). In addition to adding three FAQs related to due diligence (see M.10 through M.12), OFAC amended two FAQs (C.7 and C.15) regarding Financial and Banking Measures and one FAQ (K.19) related to Foreign Entities Owned or Controlled by U.S. Persons. FAQ M.10 clarifies that while “[i]t is not necessarily sanctionable for a non-U.S. person to engage in transactions with an entity that is not on the SDN List but that is minority owned, or that is controlled in whole or in part, by an Iranian or Iran-related person on the SDN List,” it is recommended that persons engaging in such transactions exercise caution to ensure that they do not involve Iranian or Iran-related persons on the SDN List. FAQs M.11 and M.12, respectively, address (i) due diligence expectations related to the screening of potential Iranian counterparties; and (ii) the circumstances under which OFAC expects a non-U.S. financial institution to repeat the due diligence its customers have already performed on an Iranian customer.
On October 11, the U.S. Department of the Treasury announced that the Group of Seven (G-7) countries – comprised of the United States, Canada, France, Germany, Italy, Japan, and the United Kingdom – issued fundamental elements to “help address cyber risks facing the financial sector from both entity-specific and system-wide perspectives.” In Fundamental Elements of Cybersecurity for the Financial Sector, the G-7 outlines eight elements for private and public entities within the financial sector to use as “building blocks” for confronting cyber-related issues, the first of which is to establish and implement cybersecurity strategies and operational frameworks tailored to an entity’s nature, size, complexity, risk profile, and culture. The G-7’s remaining seven elements are as follows: (i) define and facilitate effective governance structures to ensure accountability; (ii) identify cyber risks and implement control assessments, including systems, policies, procedures, and training; (iii) “establish systematic monitoring processes to rapidly detect cyber incidents and periodically evaluate the effectiveness of identified controls, including through network monitoring, testing, audits, and exercises”; (iv) ensure that incident response policies are effective and guarantee timeliness; (v) establish and test contingency plans that help to ensure effective recovery of critical functions and operations; (vi) share cybersecurity information with internal and external stakeholders, including threat indicators, vulnerabilities, and incidents; and (vii) develop a review process that addresses, among other things, evolving cyber risks. In support of the G-7 elements, Federal Reserve Vice Chairman Stanley Fischer stated that they are “a crucial step in furthering hardening each link in the chain of our global financial system.”
On October 7, following the Federal Reserve’s and the CFPB’s leads, the OCC released Bulletin 2016-33 advising financial institutions of updated interagency examination procedures for compliance with the Department of Defense’s (DoD) Military Lending Act (MLA) July 2015 final rule. As previously summarized in BuckleySandler’s Special Alert, the DoD issued an interpretive rule regarding the amendments to the regulations implementing the MLA on August 26, 2016. The 2015 final rule went into effect for consumer credit products other than credit cards on October 3, 2016. The requirements will take effect for credit card accounts one year later, on October 3, 2017. The OCC plans to include the updated interagency examination procedures in the Comptroller’s Handbook.
CFPB Releases Final Rule on Prepaid Financial Products; Chamber of Digital Commerce Comments on Scope of the Rule
On October 5, the CFPB released its final rule on prepaid financial products, including traditional prepaid cards, mobile wallets, person-to-person payment products, and other electronic accounts with the ability to store funds. The rule is intended to provide consumers with additional federal protections under the Electronic Fund Transfer Act analogous to the protections checking account consumers receive. The following federal protections are included in the new rule: (i) financial institutions will be required to provide certain account information for free via telephone, online, and in writing upon request, unless periodic statements are provided; (ii) financial institutions must work with consumers who find errors on their accounts, including unauthorized or fraudulent charges, investigate and resolve these incidents in a timely manner, and restore missing funds when appropriate; and (iii) consumers will be protected against unauthorized transactions, such as withdrawals or purchases, if their prepaid cards are lost or stolen. The rule contains new “Know Before You Owe” prepaid disclosures similar to those used for mortgages and student financial aid offers. In addition to requiring two disclosure forms (one short, the other long), the new rule requires that prepaid account issuers post agreements offered to the general public on their websites, submit all agreements to the CFPB, and make agreements that are not required to be posted on their websites available to the relevant consumers.
The new rule also includes credit protections stemming primarily from the Truth in Lending Act and the Credit Card Accountability Responsibility and Disclosure Act, including providing consumers with monthly credit billing statements, giving consumers reasonable time – at least 21 days – to repay their debt before incurring late fees, requiring issuers to ensure that consumers are able to repay the debt before a credit offer is made, and limiting fee and interest charges to 25% of the total credit limit during the first year an account is open. The rule, which has not yet been published in the Federal Register, has a general compliance date of October 1, 2017, but includes certain accommodations, one of which is an October 2018 effective date for the requirement that agreements be submitted to the CFPB.
The Chamber of Digital Commerce submitted comments to the CFPB in December advocating that virtual currency products and services should fall outside the scope of the prepaid rule. Pursuant to the final rule, the CFPB found that “application of Regulation E and this final rule to such products and services is outside the scope of this rulemaking.”
- Sherry-Maria Safchuk to discuss UDAAP at an American Bar Association webinar
- Jeffrey P. Naimon to discuss "What to expect: The new administration and regulatory changes" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Jonice Gray Tucker to discuss “The future of fair lending” at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Steven R. vonBerg to discuss "LO comp challenges" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss "Major litigation" at the Mortgage Bankers Association Legal Issues and Regulatory Compliance Conference
- Michelle L. Rogers to discuss “The False Claims Act today” at the Federal Bar Association Qui Tam Section Roundtable