
InfoBytes Blog

Financial Services Law Insights and Observations


  • CFPB releases annual college credit card report

    Federal Issues

    On October 13, the CFPB released its annual report to Congress on college credit card agreements. The report was prepared pursuant to the CARD Act, which requires card issuers to submit to the CFPB the terms and conditions of any agreements they make with colleges, as well as certain organizations affiliated with colleges. According to the Bureau, the report “raises questions about whether some marketing deals between colleges and financial institutions comply with Department of Education rules.” The report also highlighted the need for transparency in the arrangements schools have with financial institutions. In conjunction with the report, the DOE issued guidance clarifying colleges’ responsibility to ensure that campus financial products are consistent with students’ best financial interests, including by reviewing whether any fees assessed are consistent with or below prevailing market rates. The DOE’s guidance discussed overdraft and NSF fees, given that financial institutions in the general market have increasingly been reducing or eliminating certain fees. The Bureau’s report included data on 11 account providers, including non-bank financial service providers, banks, and credit unions offering more than 650,000 student accounts in partnership with 462 institutions of higher education during the 2020-2021 award year. Key findings of the report include, among other things: (i) financial services providers and their partner schools appear to offer and promote more costly products to students than are otherwise available in the market; (ii) one entity dominates the market for financial aid disbursements, providing nearly 70 percent of the accounts offered in partnership with schools; and (iii) nearly 30 percent of accounts in the Bureau’s sample were subject to arrangements in which the financial services provider made payments to the partner school.

    Federal Issues CFPB Consumer Finance CARD Act Credit Cards Department of Education

  • SEC amends electronic recordkeeping requirements for security-based swap entities

    Agency Rule-Making & Guidance

    On October 12, the SEC adopted final amendments to its rule governing the electronic recordkeeping requirements for security-based swap entities. (See SEC fact sheet here.) The updates are applicable to security-based swap dealers (SBSDs) and major security-based swap participants (MSBSPs), and are intended to make the rule adaptable to new technologies in electronic recordkeeping. The amendments will also facilitate examinations of broker-dealers, SBSDs, and MSBSPs by “designating broker-dealer examining authorities as Commission designees for purposes of certain provisions of the broker-dealer record maintenance and preservation rule,” the SEC said. Specifically, the amendments address requirements related to the maintenance and preservation of electronic records, the use of third-party recordkeeping services to hold records, and the prompt production of records. Under the SEC’s broker-dealer electronic recordkeeping rule, broker-dealers are required “to preserve electronic records exclusively in a non-rewriteable, non-erasable format,” known as the “write once, read many format.” The amendments now provide an audit-trail alternative under which broker-dealers “must preserve electronic records in a manner that permits the recreation of an original record if it is altered, over-written, or erased.” According to the SEC’s announcement, the audit-trail alternative is intended to provide broker-dealers greater flexibility when configuring their electronic recordkeeping systems so they more closely align with current electronic recordkeeping practices, while also ensuring that the authenticity and reliability of the original records are protected. The amendments are also applicable to nonbank SBSDs and MSBSPs.

    The final amendments are effective 60 days after publication in the Federal Register.

    Agency Rule-Making & Guidance Securities SEC Federal Issues Swaps Recordkeeping

  • Fed vice chair discusses regulating financial innovation

    On October 12, Federal Reserve Vice Chair for Supervision Michael S. Barr delivered remarks at D.C. Fintech Week in a speech titled Managing the Promise and Risk of Financial Innovation. Barr’s remarks focused on financial innovation supported by new technologies, or fintech. Among other things, Barr discussed supporting innovation with appropriate regulation, striking the right balance for crypto-asset activity, regulating stablecoins, recognizing the risks of tokenizing bank liabilities, advancing customer autonomy, and providing public sector support for payment innovation. Barr noted that cryptoassets’ rapid growth in market capitalization and in activity outside and inside supervised banks requires oversight, including safeguards to ensure that crypto service providers are subject to similar regulations as other financial services providers. Barr stated that “[t]he same type of activity should be regulated in the same way,” and this remains the case “even when the activity may look different from the typical activities we regulate, or when it involves an exciting new technology or a new way to provide traditional financial services.” He also disclosed that there are additional types of crypto-asset-related activities where the Fed may need to provide guidance to the banking sector in the future. Barr noted that since “crypto assets have proved to be so volatile, they are unlikely to grow into money substitutes and become a viable means to pay for transactions.” He also warned banks seeking to experiment with these new technologies that they should only do so “in a controlled and limited manner.” Regarding the risks of tokenizing bank liabilities, Barr expressed concerns, stating that banks’ crypto-asset-related activities pose “novel risks,” and said that stablecoins could eventually pose a risk to financial stability and that regulators need to put in guardrails before their adoption is more widespread.

    Barr also acknowledged that not all tokenization arrangements are the same. He stated that potential designs “range from issuance of tokens on private, controlled networks to facilitate payments within or among banks, to proposals that explore issuance of freely circulating tokens on open, permissionless networks.”

    Bank Regulatory Federal Issues Digital Assets Cryptocurrency Stablecoins Federal Reserve Supervision Fintech

  • Republicans seek answers from OCC on bank-fintech partnerships

    Federal Issues

    On October 11, House Financial Services Committee Ranking Member Patrick McHenry (R-NC), joined by Republican members of the Task Force on Financial Technology, sent a letter to acting Comptroller of the Currency Michael J. Hsu asking for clarification on the OCC’s position regarding bank-fintech partnerships. The lawmakers asserted that the OCC previously “worked to provide banks and their customers with a clear understanding of the regulatory and supervisory expectations surrounding emerging products and services,” as well as how to properly assess risk, but contended that leadership under the current administration has not continued to do so. Citing the importance of innovation to the U.S. economy and the impact new financial products and services can have on costs, inclusion, and competition, the letter expressed concerns related to the potential for further uncertainty surrounding these partnerships and the resulting consequences for consumers. “Technological innovation fostered by fintech partnerships has enabled banks to reach segments of the population that may have been left behind and increase customer engagement,” the lawmakers wrote, expressing their belief that the benefits from these partnerships far outweigh the risks. “Much of this innovation has been driven by industry newcomers that have developed a novel product or business model. When properly regulated, these partnerships can provide greater financial inclusion, spur technological innovation, and foster competition that ultimately benefits consumers.”

    Referring to an action taken by President Biden in June 2021, which repealed the OCC’s “true lender” rule pursuant to the Congressional Review Act (covered by InfoBytes here), the lawmakers asked the OCC whether it anticipates fintech partnerships ending as a result of potential regulatory changes, and questioned how the agency plans to “ensure that examiners do not discourage innovation through fintech partnerships” or “impose unreasonable burdens on banks and fintechs.” The letter also asked the OCC to respond to a series of questions, including, among other things, how it plans to determine the acceptable terms for bank-fintech partnerships, how it intends to analyze fintechs that are helping to bring the banking business into the digital era, and how examiners will evaluate a bank’s assessments of third parties’ cybersecurity risk management and resilience capabilities and whether such evaluations will “be carefully tailored to the actual risk posed by the particular bank-fintech partnership.”

    Federal Issues Bank Regulatory House Financial Services Committee OCC Fintech Third-Party Risk Management

  • Biden outlines aggressive approach for strengthening U.S. cybersecurity

    Privacy, Cyber Risk & Data Security

    On October 11, President Biden outlined actions for strengthening and safeguarding the nation’s cybersecurity. In addition to stressing the importance of improving cybersecurity and resilience measures for critical infrastructure owners and operators, the Biden administration outlined additional priorities that focus on (i) strengthening the federal government’s cybersecurity requirements; (ii) countering ransomware attacks, including by making it more difficult for criminals to move illicit money; (iii) collaborating with allies and partners to build collective cybersecurity, develop coordinated responses, and develop cyber deterrence; (iv) imposing costs on and sanctioning malicious cyber actors; (v) implementing internationally-accepted cyber “rules of the road”; (vi) strengthening cyber-education efforts; (vii) developing quantum-resistant encryption algorithms to protect privacy in digital systems such as online banking; and (viii) establishing research centers and workforce development programs under the National Quantum Initiative to protect investments, companies, and intellectual property and prevent harm as technology in this space continues to develop.

    Privacy, Cyber Risk & Data Security Federal Issues Biden Ransomware Of Interest to Non-US Persons

  • Biden issues executive order on EU-U.S. privacy shield replacement

    Privacy, Cyber Risk & Data Security

    On October 7, President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) to address the facilitation of transatlantic data flows between the EU and the U.S. The E.O. outlines commitments the U.S. will take under the EU-U.S. Data Privacy Framework, which was announced in March as a replacement for the invalidated EU-U.S. Privacy Shield. As previously covered by InfoBytes, the Court of Justice of the EU (CJEU) issued an opinion in the Schrems II case (Case C-311/18) in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements. In annulling the EU-U.S. Privacy Shield, the CJEU determined that because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR.

    Among other things, the E.O. bolsters privacy and civil liberty safeguards for U.S. signals intelligence-gathering activities, and establishes an “independent and binding mechanism” to enable “qualifying states and regional economic integration organizations, as designated under the E.O., to seek redress if they believe their personal data was collected through U.S. signals intelligence in a manner that violated applicable U.S. law.” Specifically, the E.O. (i) creates further safeguards for how the U.S. signals intelligence community conducts data transfers; (ii) establishes requirements for handling personal information collected through signals intelligence activities and “extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance”; (iii) requires the U.S. signals intelligence community to make sure policies and procedures reflect the E.O.’s new privacy and civil liberty safeguards; (iv) establishes a multi-layer review and redress mechanism, under which the Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO) is granted the authority to investigate complaints of improper collection and handling of personal data and may issue binding decisions on whether improper conduct occurred and what the appropriate remediation should be; (v) directs the U.S. attorney general to establish a Data Protection Review Court (DPRC) to independently review CLPO decisions, thereby serving as the second level of the E.O.’s redress mechanism (see DOJ announcement here); and (vi) calls on the Privacy and Civil Liberties Oversight Board to review U.S. signals intelligence community policies and procedures to ensure they are consistent with the E.O.

    Privacy, Cyber Risk & Data Security Federal Issues Biden EU Consumer Protection EU-US Privacy Shield Of Interest to Non-US Persons GDPR EU-US Data Privacy Framework

  • Hsu says regulators should coordinate efforts to mitigate crypto risks

    On October 11, acting Comptroller of the Currency Michael J. Hsu delivered remarks before DC Fintech Week 2022, discussing the importance of identifying and monitoring cryptocurrency risks to protect consumers and the financial system. Among other things, Hsu noted that crypto “is an immature industry based on an immature technology.” He added that the industry still needs to deal with “the unabating volume of scams, hacks, and fraud.” Hsu voiced his concerns about integrating crypto into the traditional financial system without a more “accurate and complete” view of the risks. He noted that “[t]he largest crypto players today want to provide an increasingly broad range of services seamlessly under one roof for their customers.” Hsu pointed out that even though commingling crypto activities could “offer convenience for consumers and cost savings for crypto firms, conflicts abound and the riskiest activity threatens the whole bundle.” He warned that banks looking “to engage in crypto activities may want to carefully consider the scope of what they want to do, start with what can be most readily risk managed, and impose gates, through limits and other controls, to prevent uncontrolled expansion and growth into higher-risk activities.”

    Hsu also delivered remarks before the Harvard Law School and Program on International Financial Systems Roundtable on Institutional Investors and Crypto Asset, discussing the need for clarifying supervisory expectations related to crypto activities and the role of regulators to ensure safety and soundness while promoting responsible innovation. Hsu said that regulators should coordinate efforts to write rules that help mitigate risks associated with digital assets. He emphasized that the term “don’t chase” for financial regulators means “not lowering our standards when dealing with crypto.” He further pointed out that “[s]haring information with peer agencies and seeking a common understanding of the risks and opportunities in the space can help ensure that regulatory standards remain high and the playing field stays level.” Hsu concluded by reiterating that he is a “crypto skeptic,” stating that his “skepticism of crypto stems from a frustration that the most promising innovations have been crowded out by hype and a fixation on trading,” and said that “[p]rogrammability, composability, and tokenization hold promise.”

    Bank Regulatory Federal Issues Digital Assets Cryptocurrency OCC Fintech

  • Fed to roll out new bank application filing system at the end of October

    On October 6, the Federal Reserve Board announced that the current bank application filing system will be replaced with a new, upgraded cloud-based system known as FedEZFile later this month. The Fed stated that while the substantive requirements of the applications will remain the same, the new system will make the filing process more intuitive. Paper applications and communications will also be minimized. Under the system, applicants will be provided real-time status tracking, two-way messaging, and the ability to digitally sign documents. A webinar on the new system is forthcoming.

    Bank Regulatory Federal Issues Federal Reserve

  • FINRA alerts firms about rising ACATS fraud

    Federal Issues

    On October 6, FINRA issued Regulatory Notice 22-21, alerting member firms to the rising trend of fraudulent account transfers of customer accounts using the Automated Customer Account Transfer Service (ACATS)—an automated system that facilitates the transfer of customer account assets from one member firm to another. FINRA explained that “ACATS fraud is related to the growing threat of new accounts being opened online or through mobile applications using stolen or synthetic identities,” and may occur when the identity of a legitimate customer of a carrying member is stolen by a bad actor to open a brokerage account online or through a mobile app at a receiving member. Bad actors, FINRA warned, may open a new account using stolen information only or through a combination of stolen and false information, and will try to move the ill-gotten assets to an external account at a different financial institution. FINRA reminded members of regulatory obligations that may apply to ACATS fraud, including know-your-customer rules, Bank Secrecy Act/AML requirements, and the Identity Theft Red Flags Rule.

    Federal Issues Financial Crimes Privacy, Cyber Risk & Data Security Fraud FINRA Identity Theft Bank Secrecy Act Anti-Money Laundering

  • Treasury requests feedback on cyberinsurance

    Federal Issues

    On October 7, the U.S. Treasury Department published its Annual Report on the Insurance Industry, as required by the Dodd-Frank Act. The report discussed the U.S. insurance industry’s financial performance and its financial condition for the year ending December 31, 2021, and provided a domestic outlook for the industry for 2022. The report also summarized the Federal Insurance Office’s (FIO) activities and addressed certain matters affecting the domestic and international insurance industry.

    Earlier, Treasury issued a request for input in the Federal Register on a potential federal insurance response to catastrophic cyber incidents. According to Treasury, “the comments will inform FIO’s work in responding to a recommendation by the U.S. Government Accountability Office that FIO and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency jointly assess the extent to which the risks to U.S. critical infrastructure from catastrophic cyberattacks warrant a federal insurance response.” The request stated that cyber insurance is a significant risk transfer mechanism, and that the insurance industry has an important role to play in strengthening cyber hygiene and building resiliency. Comments are due November 14.

    Federal Issues Privacy, Cyber Risk & Data Security Department of Treasury Insurance Dodd-Frank Federal Insurance Office
