InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB announces meetings for small business lending data reporting
On August 8, the CFPB announced that it is hosting two events to discuss the technical implementation required to prepare for the Bureau’s Small Business Lending Data Collection Rulemaking, which is a requirement under Section 1071 of the Dodd-Frank Act. According to the Bureau, the meetings will be geared toward in-house bank technologists or providers that provide compliance software to banks. Among other things, the meetings will: (i) share how the Bureau builds regulatory compliance technology systems; (ii) discuss possible approaches to authentication and application programming interfaces; and (iii) review technical data submission standards, edits and validations. The Bureau stated that the meetings “will not discuss or seek input on the merits or potential outcome of any ongoing rulemakings or take questions pertaining to the substance of such rulemakings.” According to the CFPB’s spring rulemaking agenda that was released earlier this summer, a final rule is expected in March 2023 (covered by InfoBytes here).
Fed announces individual capital requirements for all large banks
On August 4, the Federal Reserve Board announced the individual capital requirements for all large banks, which are in part determined by the Board’s stress test results that provide a risk-sensitive and forward-looking assessment of capital needs. According to the Fed, the total common equity tier 1 (CETI) capital requirement for each bank is made up of several components, including a minimum CET1 capital requirement for all banks of 4.5 percent; a stress capital buffer that is determined from the supervisory stress test results and is at least 2.5 percent; and, if applicable, a capital surcharge for global systemically important banks (G-SIB) of at least 1 percent. The requirements are effective October 1.
Agencies seek comment on renewing FFIEC’s cybersecurity assessment tool
On August 8, the OCC, the Federal Reserve Board, the FDIC, and the NCUA (collectively, “Agencies”) issued a notice in the Federal Register soliciting comments on the renewal of the Federal Financial Institutions Examination Council’s cybersecurity assessment tool. According to the notice, the Agencies are seeking comment on, among other things: (i) “[w]hether the collection of information is necessary for the proper performance of the functions of the agencies, including whether the information has practical utility”; (ii) “[t]he accuracy of the Agencies’ estimates of the burden of the collection of information; (iii) how to “enhance the quality, utility, and clarity of the information to be collected”; and (vi) “minimize[ing] the burden of the collection on respondents.” Comments are due 30 days after publication in the Federal Register.
Biden signs bills providing 10-year SOL on PPP and EIDL fraud
On August 5, President Biden signed the Paycheck Protection Program and Bank Fraud Enforcement Harmonization Act (see H.R. 7352) and the COVID-19 Economic Injury Disaster Loan Fraud Statute of Limitations Act (see H.R. 7334). H.R. 7352 provides a 10-year statute of limitations for fraud by borrowers under the SBA’s Paycheck Protection Program, while H.R. 7334 establishes a 10-year statute of limitations for fraud by borrowers under the SBA’s Covid-19 Economic Injury Disaster Loan programs.
CFPB receives rulemaking petition seeking validation of credit score models for credit unions
Recently, the CFPB received a rulemaking petition seeking validation of credit score models for credit unions. The petition, which seeks “a rule governing the requirement to periodically validate credit scores for all lending or financing entities,” argues that validation is necessary to measure the effectiveness of credit scores being used to measure credit risk. Claiming that general letters of compliance from credit reporting agencies are inadequate, the petitioner explains that these letters do not “address the misapplication of credit scores by banks, credit card issuers, auto financing groups or individual credit unions that are the primary cause of errors and financial exclusion.” According to the petitioner, “[o]nly a statistically valid empirically derived study based on funded and declined loans will resolve many of the issues in consumer lending today.” The petitioner points out that validation reports “provide the information necessary to measure the efficiency of the credit score being used to measure credit risk,” and that “[d]emographic comparisons of funded and declined applicants can also be used to identify if the underwriting guidelines used in the application of credit scores result in acceptable percentages of financial inclusion for minorities or protected consumer groups.”
CFPB highlights risks associated with BNPL products
On August 4, the CFPB released a report highlighting risks associated with new product offerings that the agency claimed blur the line between payments and commerce. The report examined the development of new capabilities—like “super apps,” buy now, pay later (BNPL), and embedded commerce—that have the potential to streamline payments, facilitate commerce, and enhance user experience, but may also create opportunities for companies to aggregate and monetize consumer financial data. With respect to “super apps,” the Bureau warned that these services have “morphed” into a “bank in an app” model, providing a “wide array of financial, payment and commerce functions within a single app.” These financial services super apps may seem to be more convenient than having multiple relationships with different organizations, the Bureau said, but cautioned that using these products may limit consumer product and service choice. “While consumers can opt to use a payment offering outside an app, such super apps create the potential for providers to steer consumers to specific solutions and/or limit access to some products.”
The report also raised concerns about tech firms offering their own lending or BNPL products. The Bureau pointed out that BNPL options, which provide unsecured short-term credit allowing consumers to split purchases into four equal interest-free payments at the point of sale, have “soared in recent years” as a popular alternative to credit cards. The Bureau noted it is “carefully focused on the shift toward real-time payments in the United States,” and is “seeking to mitigate the potential consequences of large technology firms moving into this space.”
The Bureau further stressed it is “carefully monitoring the payments ecosystem as part of a multifaceted effort to promote fair, transparent, and competitive markets for consumer financial services,” and said it is currently working on Dodd-Frank Act rules that would give consumers more control over the personal financial data that they choose to share with finance and payment apps. The Bureau also stated that it is “assessing new models of lending integrated with payments and ecommerce, such as BNPL,” and plans to issue a report on its findings and make a determination as to whether any regulatory interventions are appropriate. Last year, the Bureau issued a series of orders to five companies seeking information regarding the risks and benefits of the BNPL credit model (covered by InfoBytes here).
FDIC issues 2022 Supervisory Insights
On August 3, the FDIC released its summer 2022 issue of Supervisory Insights, which contains an article discussing financial performance and examination observations about commercial real estate (CRE) lending risk management practices and an article describing the application of capital, investment, and financial reporting requirements for the issuance of and investment in subordinated debt. The article, Commercial Real Estate: An Update on Bank Lending Amid the Evolving Pandemic Backdrop, discusses the financial performance of banks concentrated in CRE lending as well as examination observations about CRE lending risk management practices. The article also describes the FDIC’s forward-looking supervisory focus for banks with significant exposure in this sector. The FDIC noted that inflation, rising interest rates, and supply chain challenges are possible determinants of increased risk. The article, Subordinated Debt: Issuance and Investment Considerations, “is intended to help financial institutions better understand the applicable capital, investment, and financial reporting requirements for the issuance of and investment in subordinated debt.” According to the FDIC, a key takeaway of Subordinated Debt Investments is that “[i]nstitutions may generally only purchase investment grade subordinated debt securities that are permissible investments for national banks.”
FDIC, OCC announce disaster relief
On August 3, the FDIC issued FIL-38-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Kentucky affected by severe storms, flooding, landslides and mudslides that began July 26 and is ongoing. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” The FDIC noted that institutions may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery. The agency will also consider relief from certain reporting and publishing requirements.
The same week the OCC issued a proclamation permitting OCC-regulated institutions, at their discretion, to close offices affected by flooding in Kentucky “for as long as deemed necessary for bank operation or public safety.” The proclamation directed institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the 2012 Bulletin, only bank offices directly affected by potentially unsafe conditions should close, and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.
Trade groups petition CFPB to supervise data aggregators
On August 2, several bank and credit union trade groups petitioned the CFPB asking the Bureau to create regulations that would allow the agency to conduct routine exams and supervise data aggregators and their customers. While the Bureau is currently considering rulemaking under Section 1033 of the Dodd-Frank Act with respect to consumer access to financial records and has “affirmed its commitment to ‘monitoring the aggregation services market and ensuring consumer protection and safety,’” the petition argued that there is a “supervisory imbalance” between banks and nonbanks in terms of data oversight. “[A]mong the participants in the market for aggregation services, typically, data holders, such as banks and credit unions, are regularly supervised and examined by the CFPB, whereas nondepository institutions such as data aggregators and data users are not examined by the CFPB,” the petition stated, adding that this “creates both an unsustainable model as the aggregation services market grows and the risk that the laws applicable to the activities of those larger participants in this market will be enforced inconsistently.” As a result, the petition warned that potential consumer harm attributed to data aggregator and data user activity may not be identified and remedied in a timely manner. The trade groups called for the Bureau to create a rule that would add a definition for “larger participants of a market” for aggregation services, as well as define the term “aggregation services” to mean a “financial product or service” under Title X of Dodd-Frank. Doing so would ensure that “all providers of comparable financial products and services” are subject to similar levels of accountability, the petition said.
Hsu discusses cybersecurity risks to financial sector
On August 2, acting Comptroller of the Currency Michael J. Hsu delivered remarks before the Joint Meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council focusing on cybersecurity risks to the financial services sector. Hsu called for collaboration among public and private sector stakeholders to safeguard the financial services sector. Hsu noted that the financial services sector has done “a good job of building cyber defenses and working with law enforcement and the regulatory community to guard against attacks,” but warned that “we cannot be complacent.” He noted that the OCC has recently observed increases in cyberattack frequency and severity against financial institutions and service providers, and that cyberattacks, such as ransomware, have risks beyond financial loss. Hsu added that “disruption to financial services can significantly impact banks’ abilities to deliver critical services to their customers and has the potential to affect the broader economy.” He also stressed that banks “need to assess both the potential impact cyber incidents may have on their own institution and the impact a cyber disruption may have on the broader financial system.” He also stated that cybersecurity breaches have been caused or intensified by the failure to have effective controls in three areas: (i) authentication; (ii) systems configuration and patch management; and (iii) cyber response and resilience capabilities. Hsu concluded by emphasizing the OCC’s commitment “to working with CISA, our financial sector counterparts, and other sectors to ensure that we have strong partnerships across the government.”