InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Agencies to modify Volcker Rule’s “covered funds” requirements
On January 30, the OCC, Federal Reserve Board, FDIC, SEC, and CFTC issued a notice of proposed rulemaking to modify and streamline the “covered funds” requirements under Section 13 of the Bank Holding Company Act, commonly known as the Volcker Rule (Rule). As previously covered by InfoBytes, last fall the regulators signed off on final revisions to the Rule to simplify and tailor its restrictions on a banking entity’s ability to engage in proprietary trading and own certain funds. Specifically, the proposed amendments would modify the restrictions for banking entities investing in, sponsoring, or having certain relationships with covered funds, including simplifying provisions related to foreign public funds, loan securitizations, and small business investment companies. The amendments would also, among other things, (i) limit the extraterritorial impact of the Rule on certain foreign funds offered by foreign banks to foreign investors; (ii) modify and propose several existing exclusions to allow banking entities to invest in or sponsor certain types of funds—subject to certain safeguards—such as credit funds, venture capital funds, family wealth management vehicles, and customer facilitation funds; and (iii) permit intraday extensions of credit, payment, clearing, and settlement transactions between a banking entity and covered funds the banking entity advises or sponsors, or with which the banking entity has certain other relationships. Comments will be accepted through April 1.
FDIC finalizes securitization safe harbor
On January 30, the FDIC adopted the Final Rule to Revise Securitization Safe Harbor Rule (rule) as recommended by FDIC staff in a memorandum dated January 23. In July, as previously covered by InfoBytes, the FDIC approved a proposal to remove the requirement that, for safe harbor treatment, “the documents governing a securitization issuance require compliance with Regulation AB” of the SEC Regulation AB, “in circumstances where Regulation AB is not, by its terms, applicable to that transaction.” The proposal suggested that “it is no longer clear that compliance with the public disclosure requirements of Regulation AB in a private placement or in an issuance not otherwise required to be registered is needed to achieve the policy objective of preventing a buildup of opaque and potentially risky securitizations such as occurred during the pre-crisis years, particularly where the imposition of such a requirement may serve to restrict overall liquidity.” The final rule—which is unchanged from the proposal—eliminates the “significant disclosure requirements” to no longer mandate that private placements of securitization obligations provide Regulation AB disclosures. With the adoption of the final rule, only those transactions that are subject to Regulation AB are required to make the disclosures. The rule is expected to increase the securitization of residential mortgages and will become effective 30-60 days after it is published in the Federal Register.
Otting defends OCC’s CRA proposal
On January 29, OCC Comptroller Joseph Otting testified at a hearing held by the House Financial Services Committee to discuss the OCC’s Community Reinvestment Act (CRA) modernization proposal. (See Buckley Special Alert covering the joint notice of proposed rulemaking issued last December by the OCC and FDIC.) Committee Chairwoman Maxine Waters (D-CA) expressed concerns with the NPR, arguing that the proposal “runs contrary to the purpose of the CRA and would lead to widespread bank disinvestment from low- and moderate-communities throughout the country.” Waters cited additional concerns with the NPR, including what she believes are efforts by the OCC “to deregulate megabanks” and “greenlight rent-a-bank schemes that allow lenders to skirt state usury caps.”
In his written testimony, Otting reiterated that the NPR is intended to strengthen and modernize CRA regulations and that the proposal does not permit redlining. “Nothing in this proposal changes the agencies’ authority to enforce fair lending laws to prevent discrimination and redlining. The regulations implementing the Fair Housing Act and the Equal Credit Opportunity Act prohibit discrimination and redlining,” Otting stressed in his oral statement. “These regulations are not changed in any way by this proposal.” (Emphasis in the original.) Otting also defended several of the proposed amendments that would, among other things, (i) remove uncertainty that discourages investments; (ii) focus on a bank’s sustained commitment to meeting a community’s credit needs and rewarding long-term investment; and (iii) accommodate banks of different sizes and business models by allowing small banks with less than $500 million in total assets to choose between the existing and the proposed revised framework for their evaluations. During the hearing, Otting also refuted the perception that the NPR employs the use of a single metric to determine a bank’s CRA rating, stating “there is no one ratio in this proposal. . .the average regional bank will have 502 measurement points so every community would be measured by units and dollars and at the top of the house it would be dollars.”
When Congressman Brad Sherman (D-CA) asked about the OCC’s recent request for bank-specific data to inform the NPR (previously covered by InfoBytes here) questioning why the agencies “want to adopt a rule on such a quick timetable when [they] still don’t have the information,” Otting responded that the additional information requested from the banks is meant to help validate the OCC’s analysis and conclusions. However, when the discussion turned to whether Congress could access the data and analysis used to create the NPR, Otting stated that he would be happy to discuss the data and analysis in person but that the information should not be publicly distributed. Waters stated Congress would subpoena the information if necessary. Otting also confirmed that the 60-day comment period of the NPR (which closes March 9) would not be extended, and that the goal would be to finalize the rule within 60 to 70 days after the comment period ends. With respect to the Federal Reserve’s decision not to join in the notice of proposed rulemaking, Otting said, “We have thousands of rules, regulations and guidance that differ amongst the agencies. So no…I do not see it as an impediment at all.” As previously covered by InfoBytes, earlier this month Federal Reserve Governor Lael Brainard discussed the Fed’s approach to the CRA modernization process and explained why the Fed chose not to join in the NPR.
FDIC encourages relief for Puerto Rico borrowers
On January 24, the FDIC issued Financial Institution Letter FIL-4-2020 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Puerto Rico affected by a recent series of earthquakes. In the letter, the FDIC encourages institutions to consider, among other things, (i) extending repayment terms; (ii) restructuring existing loans; or (iii) easing terms for new loans to borrowers affected by the earthquakes. Additionally, the FDIC notes that institutions may receive Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery. The FDIC states it will also consider regulatory relief from certain filing and publishing requirements.
Find continuing InfoBytes coverage on disaster relief guidance here.
FDIC, OCC issue joint notice of heightened cybersecurity risk
On January 16, the FDIC and the OCC announced (FDIC FIL-3-2020, OCC Bulletin 2020-5) the issuance of a joint statement on risk management of current heightened cybersecurity risks. The statement reminds supervised financial institutions to maintain preventative controls and update and test incident response and business continuity plans. It also sets out best practices in these areas for supervised financial institutions.
The bulletin lists six “key controls” including:
- Response, resilience and recovery capabilities. Maintain system backups and segment data to prevent spread of malicious activity across the network and to increase recovery capabilities. Incident and business resilience plans should set out cyber attack response and business continuity procedures and a data backup program should be set up and regularly tested. Cyber insurance coverage may further mitigate cyber risk exposure.
- Identity and access management. Implement identity and access management controls to combat phishing attacks and prevent theft of login credentials. Incorporate risk-based authentication, limit user permissions, and continually monitor user accounts.
- Network configuration and system hardening. Configure networks with appropriate security settings that are regularly updated. Update anti-malware and routinely test network technology for vulnerabilities.
- Employee training. Provide continuous training to keep cybersecurity program employees abreast of new cyber threats and evolving social engineering tactics.
- Security tools and monitoring. Maintain competent cybersecurity staff or service providers to monitor for the most current “threat and vulnerability information,” regularly review audit logs, and establish and test ability to “detect and respond to attacks.”
- Data protection. Encrypt “sensitive and critical data,” which should also be accurately classified to ensure ease in identification.
FDIC extends deadline for comments on innovation pilot programs
On January 14, the FDIC again published a notice and request for comments in the Federal Register on innovation pilot programs. The FDIC first solicited comments on innovation pilot programs in November, with comments due by January 6. As no comments were submitted, the agency is once again requesting comments on the programs, which, as previously covered by InfoBytes, it hopes will spur collaboration “with innovators in the financial, non-financial, and technology sectors to, among other things, identify, develop, and promote technology-driven innovations among community and other banks in a manner that ensures the safety and soundness of FDIC-supervised and insured institutions.”
Comments must be received by February 13.
OCC seeks bank-specific data to inform CRA modernization
On January 10, the OCC issued a request for public input (RFI) to aid the OCC and the FDIC in determining how their joint notice of proposed rulemaking might be revised to ensure the final rule achieves the purpose of the Community Reinvestment Act (CRA). A previously covered by a Buckley Special Alert, the NPR generally focuses on expanding and delineating the activities that qualify for CRA consideration, providing benchmarks to determine what levels of activity are necessary to obtain a particular CRA rating, establishing additional assessment areas based on the location of a bank’s deposits, and increasing clarity, consistency, and transparency in reporting. The RFI “seeks bank-specific data and information to supplement currently-available data and to inform potential revisions to modernize and strengthen the CRA regulatory framework,” and specifically requests four types of bank data covering the past three years: (i) retail domestic deposit activities; (ii) total qualifying activity data; (iii) data on qualifying retail loans originated and sold within 90 days; and (iv) other retail loan data by census tract. Comments on the RFI are due March 10.
Representatives urge financial regulators to strengthen cyber infrastructures
On January 7, Representatives Emanuel Cleaver II (D-MO) and Gregory Meeks D-NY) sent a letter to nine federal financial regulators urging them to strengthen their financial infrastructures against possible cyber-attacks in the wake of recent threats against the U.S. from Iran and its allies following the killing of Iranian official Qasem Soleimani. The letter also requests that the regulators coordinate with law enforcement and regulated entities to increase information sharing surrounding cyber threats, and “communicate a strategy to further mitigate existing cyber vulnerabilities within [the U.S.] financial infrastructure by March.” The letter was sent to the Federal Reserve Board, Treasury Department, SEC, FDIC, CFPB, Federal Housing Finance Agency, Commodity Futures Trading Commission, National Credit Union Administration, and the OCC.
As previously covered by InfoBytes, NYDFS separately issued an Industry Letter on January 4 warning regulated entities about the “heightened risk” of cyber-attacks by hackers affiliated with the Iranian government. The letter provides recommendations for ensuring quick responses to any suspected cyber incidents, and reminds entities they must inform NYDFS “as promptly as possible but in no event later than 72 hours’ after a material cybersecurity event.”
Federal Reserve governor proposes alternative approach to CRA modernization
On January 8, Federal Reserve Governor Lael Brainard discussed the Fed’s approach to the Community Reinvestment Act (CRA) modernization process, explaining why the agency chose not to join the notice of proposed rulemaking (NPR) issued in December by the OCC and the FDIC. As previously covered by a Buckley Special Alert, the NPR generally focuses on expanding and delineating the activities that qualify for CRA consideration, providing benchmarks to determine what levels of activity are necessary to obtain a particular CRA rating, establishing additional assessment areas based on the location of a bank’s deposits, and increasing clarity, consistency, and transparency in reporting. The NPR was published in the Federal Register on January 9, with comments due March 9.
According to Brainard, “it is more important to get the reforms done right than to do them quickly.” This includes, Brainard emphasized, “giving external stakeholders sufficient time and analysis to provide meaningful feedback on a range of options for modernizing the regulations.” Specifically, the Fed’s proposed approach for measuring banks’ CRA compliance uses “a set of tailored thresholds that are calibrated for local conditions” through the creation of two tests: (i) a retail test, applicable to all retail banks, that “would assess a bank’s record of providing retail loans and retail banking services in its assessment areas”; and (ii) a community development test, applicable to large banks, wholesale banks, and limited-purpose banks, “that would evaluate a bank’s record of providing community development loans, qualified investments, and services.” Banks would then be provided a dashboard related to its retail lending activity, as well as metrics concerning its community development performance.
Brainard also commented that separating evaluations into two different tests is important because “an approach that combines all activity together runs the risk of encouraging some institutions to meet expectations primarily through a few large community development loans or investments rather than meeting local needs.” She explained that having separate tests would ensure that performance metrics are tailored for banks of different sizes and business models, and would “provide greater scope to calibrate the evaluation metrics to the opportunities available in the market, which can differ for retail lending and community development financing.” Further, Brainard stated that using metrics based on a bank’s retail output on the number of loans rather than the dollar volume would help to measure how well a bank is serving the needs of both low- to moderate-income communities and “avoid inadvertent biases in favor of fewer, higher-dollar value loans.”
9th Circuit affirms no jurisdiction without exhaustion of administrative remedies
On December 27, the U.S. Court of Appeals for the Ninth Circuit affirmed the dismissal of a TILA case brought by a consumer against his mortgage lender, citing lack of subject matter jurisdiction under the provisions of FIRREA that require claims involving a bank that is in receivership to be presented to the FDIC before the borrower files suit. In 2009 the consumer filed an adversary proceeding in bankruptcy court against his lender for rescission of his mortgage loan under TILA. The consumer claimed that the lender’s notice of right to cancel was defective when the loan was signed, resulting in an extended rescission period under TILA, but his suit was dismissed for lack of jurisdiction. Once again, in 2012, the district court dismissed the consumer’s TILA suit after finding that the consumer had not exhausted his administrative remedies with the FDIC before filing suit.
On appeal, the three-judge panel rejected the consumer’s claim that his lender was not placed into receivership until after his loan was sold, and therefore he did not have to exhaust his administrative remedies before filing suit. The panel subscribed to the Fourth Circuit’s interpretation of the exhaustion requirement, stating that “even where an asset never passes through the FDIC’s receivership estate, the FDIC should assess the claim first.” According to the opinion, the FIRREA requirement that the consumer exhaust his remedies with the FDIC applied to this action because the panel determined that (i) the consumer’s claim was “susceptible of resolution under the FIRREA claims process”; (ii) the consumer’s claim was related to an act or omission of the lender; and (iii) the FDIC, which “was not required to have possessed the loan before determining a claim” had been appointed as receiver for that lender, stripping the appellate court of subject matter jurisdiction until after the FDIC determined his claim.