
InfoBytes Blog

Financial Services Law Insights and Observations


  • Special Alert: Banks no longer required to file SARs for hemp-related businesses

    Agency Rule-Making & Guidance

    Federal and state banking regulators confirmed in a December 3 joint statement that banks are no longer required to file a suspicious activity report on customers solely because they are “engaged in the growth or cultivation of hemp in accordance with applicable laws and regulations.”

    * * *

    Click here to read the full special alert.

    For questions about the alert and related issues, please visit our Bank Secrecy Act/Anti-Money Laundering practice page, or contact a Buckley attorney with whom you have worked in the past.

    Agency Rule-Making & Guidance Federal Reserve FDIC FinCEN OCC CSBS Department of Agriculture Bank Secrecy Act SARs Hemp Businesses Special Alerts

  • Special Alert: OCC and FDIC propose rules to override Madden

    Agency Rule-Making & Guidance

    On November 18, 2019 the Office of the Comptroller of the Currency (“OCC”) issued a proposed rule to clarify that when a national bank or savings association sells, assigns, or otherwise transfers a loan, the interest permissible prior to the transfer continues to be permissible following the transfer. The very next day, the Federal Deposit Insurance Corporation (“FDIC”) followed suit with respect to state chartered banks. The proposals are intended to address problems created by the U.S. Court of Appeals for the Second Circuit in Madden v. Midland Funding, LLC, a decision that cast doubt, at least in the Second Circuit states, about the effect of a transfer or assignment on a bank loan’s stated interest rate that was nonusurious when made. Comments on these proposals are due 60 days following publication in the Federal Register, and as noted below, the case for robust banking industry comment is more compelling than is typically the case.

    * * *

    Click here to read the full special alert.

    If you have any questions about the alert or other related issues, please visit our Fintech practice page or contact a Buckley attorney with whom you have worked in the past.

    Agency Rule-Making & Guidance OCC FDIC Fintech Usury Madden Interest Rate Special Alerts

  • FFIEC issues revised Business Continuity Management booklet

    Agency Rule-Making & Guidance

    On November 14, the Federal Financial Institutions Examination Council (FFIEC) issued a revised Business Continuity Management booklet, one of a series of booklets that make up the FFIEC Information Technology Examination Handbook. The revised booklet replaces the 2015 version and provides enterprise-wide guidance for examiners on the principles of business continuity management and approaches toward business continuity planning and resilience, including those designed to “achieve safety and soundness, consumer financial protection, and compliance with applicable laws, regulations, and rules.” It also provides examination procedures intended to help examiners assess the effectiveness of business continuity and resilience frameworks for entities including depository financial institutions, nonbank financial institutions, bank holding companies, and third-party service providers.

    The same day, the OCC also issued Bulletin 2019-57 to note that the revised booklet rescinds Bulletin 2015-9, “FFIEC Information Technology Examination Handbook: Strengthening the Resilience of Outsourced Technology Services, New Appendix for Business Continuity Planning Booklet.”

    Agency Rule-Making & Guidance FFIEC Examination OCC

  • Buckley Insights: Leveraging open source intelligence for cyber threat modeling

    Privacy, Cyber Risk & Data Security

    The FTC Safeguards Rule, FFIEC Cybersecurity and IT Guidance, and other OCC guidelines (here and here) emphasize the need for cyber threat intelligence (CTI) and threat identification to inform an organization’s overall cyber risk identification, assessment, and mitigation program. To implement a risk-based information security program successfully, an organization must be aware of the general cybersecurity risks that cut across all industries, as well as the business-sector risks and the organizational risks unique to it. Furthermore, proposed revisions to the FTC Safeguards Rule (previously covered by InfoBytes here) emphasize the need for a “thorough and complete risk assessment” that is informed by “possible vectors through which the security, confidentiality, and integrity of that information could be threatened.”

    Threat modeling is generally understood as a formal process by which an organization identifies specific cyber threats to its information systems and sensitive information. The process gives management insight into the defenses needed; the critical risk areas within and across an information system, network, or business process; and the best allocation of scarce resources to address the critical risks. Even today, a generally accepted threat modeling process involves comprehensive system, application, and network mapping and data flow diagrams. Many threat modeling tools are available free to the public, such as Microsoft’s Threat Modeling Tool, which provides diagramming and analytical resources for network and data flow diagrams and uses the STRIDE model (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) to inform the user of the general cyber-attack vectors that each organization should consider. Generally, by combining a cybersecurity framework such as the NIST Cybersecurity Framework (for a risk-based analytical approach) with threat modeling tools that identify generic cyber threats such as STRIDE (for general or sector-specific cyber risks), an organization can achieve a risk-informed information security program.

    However, with the increasing number of large-scale data breaches and the evolving complexity of cybersecurity threats, many regulatory agencies and industry standards bodies have called for organizations to go one step further and use CTI to understand the tactics, techniques, and procedures (TTPs) that attackers actually employ. By using CTI and other threat-based models, organizations can gain insight into potential attack vectors through red-teaming and penetration testing that simulate each phase of a hypothetical attack on the organization’s information system, and can determine the countermeasures that can be employed at each step of the kill chain. For instance, Lockheed Martin’s formal kill chain model involves seven steps (reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives) and proposes six potential defensive measures at each step (detect, deny, disrupt, degrade, deceive, and contain). Consequently, an organization can layer its defenses along each step in the kill chain to increase the probability of detecting or preventing the attack. The kill chain was used as part of a U.S. Senate investigation into the data breach of a major corporation in 2013, identifying several stages along the chain where the attack could have been prevented or detected.

    This threat identification process requires greater detail on adversarial TTPs. Fortunately, MITRE has made its ATT&CK (adversarial tactics, techniques, and common knowledge) knowledge base publicly available. ATT&CK collects and organizes adversarial TTPs in specific detail and provides information on each technique, including commonly observed attack patterns and potential mitigating procedures. For instance, one technique catalogued by ATT&CK is encrypting data before exfiltration to avoid detection by data loss prevention (DLP) tools or other network anomaly detection tools; ATT&CK identifies more than forty known techniques and tools that have been used to achieve encrypted transmission. ATT&CK also identifies potential detection and mitigation options, such as scanning unencrypted channels for encrypted files using DLP or intrusion detection software. Thus, instead of a generic data breach risk analysis, organizations can understand the specific TTPs that may make data breach detection and analysis more difficult, and possibly take measures to prevent them.

    By leveraging open-source CTI from tools such as ATT&CK and reports from third-party sources such as government and industry alerts, organizations can begin designing proactive defenses against cyber threats. It is important to note, however, that ATT&CK can only inform an organization’s threat modeling and is not a threat model itself; additionally, ATT&CK focuses on penetration and hacking TTPs and therefore does not examine other threats that organizations may face, including distributed denial of service (DDoS) attacks that threaten the availability of their systems. Such threats will still need to be accounted for in any financial organization’s risk assessment, particularly if a DDoS attack prevents its clients from accessing their financial accounts and, ultimately, their money.

    Privacy/Cyber Risk & Data Security Data Breach FTC OCC FFIEC

  • FDIC, OCC approve final rule revising Volcker Rule

    Agency Rule-Making & Guidance

    On November 14, the OCC, FDIC, Federal Reserve Board, CFTC, and SEC published a final rule, which will amend the Volcker Rule to simplify and tailor compliance with Section 13 of the Bank Holding Company Act’s restrictions on a bank’s ability to engage in proprietary trading and own certain funds. As previously covered by InfoBytes, the five financial regulators released a joint notice of proposed rulemaking in July 2018 designed to reduce compliance costs for banks and tailor Volcker Rule requirements to better align with a bank’s size and level of trading activity and risks. The final rule clarifies prohibited activities and simplifies compliance burdens by tailoring compliance obligations to reflect the size and scope of a bank’s trading activities, with more stringent requirements imposed on entities with greater activity. The final rule also addresses the activities of foreign banking entities outside of the United States.

    Specifically, the final rule focuses on the following areas:

    • Compliance program requirements and thresholds. The final rule includes a three-tiered approach to compliance program requirements, based on the level of a banking entity’s trading assets and liabilities. Banks with total consolidated trading assets and liabilities of at least $20 billion will be considered to have “significant” trading activities and will be subject to a six-pillar compliance program. Banks with “moderate” trading activities (total consolidated trading assets and liabilities between $1 billion and $20 billion) will be subject to a simplified compliance program. Finally, banks with “limited” trading activities (less than $1 billion in total consolidated trading assets and liabilities) will be subject to a rebuttable presumption of compliance with the final rule.
    • Proprietary trading. Among other changes, the final rule (i) retains a modified version of the short-term intent prong; (ii) eliminates the agencies’ rebuttable presumption that financial instruments held for fewer than 60 days are within the short-term intent prong of the trading account; and (iii) adds a rebuttable presumption that financial instruments held for 60 days or longer are not within the short-term intent prong of the trading account. Additionally, banks subject to the market risk capital prong will be exempt from the short-term intent prong.
    • Proprietary trading exclusions. The final rule modifies the liquidity management exclusion to allow banks to use a broader range of financial instruments to manage liquidity. In addition, exclusions have been added for error trades, certain customer-driven swaps, hedges of mortgage servicing rights, and certain purchases or sales of instruments that do not meet the definition of “trading assets and liabilities.”
    • Proprietary trading exemptions. The final rule includes changes from the proposed rule related to the exemptions for underwriting and market making-related activities, risk-mitigating hedging, and trading by foreign entities outside the U.S.
    • Covered funds. Among other things, the final rule incorporates proposed changes to the covered funds provision concerning permitted underwriting and market making and risk-mitigating hedging with respect to such funds, as well as investments in and sponsorships of covered funds by foreign banking entities located solely outside the U.S.
    • Application to foreign banks. The final rule aligns the methodologies for calculating the “limited” and “significant” compliance thresholds for foreign banking organizations by basing both thresholds on the trading assets and liabilities of the firm’s U.S. operations. The final rule includes changes to the exemptions from the prohibitions for underwriting and market making-related activities, risk mitigating hedging, and trading by foreign banking entities solely outside the U.S. Additionally, the final rule also includes changes to the covered funds provisions, including with respect to permitted underwriting and market making and risk-mitigating hedging with respect to a covered fund, as well as investment in or sponsorship of covered funds by foreign banking entities solely outside the U.S. and the exemption for prime brokerage transactions.

    FDIC board member Martin J. Gruenberg voted against the rule, stating the “final rule before the FDIC Board today would effectively undo the Volcker Rule prohibition on proprietary trading by severely narrowing the scope of financial instruments subject to the Volcker Rule. It would thereby allow the largest, most systemically important banks and bank holding companies to engage in speculative proprietary trading funded with FDIC-insured deposits.” Gruenberg emphasized that the final rule “includes within the definition of trading account only one of these categories of fair valued financial instruments—those reported on the bank’s balance sheet as trading assets and liabilities. This significantly narrows the scope of financial instruments subject to the Volcker Rule.”

    The final rule will take effect January 1, 2020, with banks having until January 1, 2021, to comply. Prior to the compliance date, the 2013 rule will remain in effect. Alternatively, banking entities may elect to voluntarily comply, in whole or in part, with the final rule’s amendments prior to January 1, 2021, provided the agencies have implemented necessary technological changes.

    Agency Rule-Making & Guidance FDIC Federal Reserve OCC CFTC SEC Bank Holding Company Act Volcker Rule Of Interest to Non-US Persons

  • OCC says banks near California wildfires can close

    Federal Issues

    On October 30, the OCC issued a proclamation permitting OCC-regulated institutions, at their discretion, to close offices affected by the California wildfires “for as long as deemed necessary for bank operation or public safety.” The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the 2012 Bulletin, only bank offices directly affected by potentially unsafe conditions should close and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.

    Find continuing InfoBytes coverage on disaster relief here.
     

    Federal Issues OCC Disaster Relief

  • Agencies increase threshold for appraisal exemption under TILA for HPMLs

    Agency Rule-Making & Guidance

    On October 30, the CFPB, OCC, and the Federal Reserve Board published a final rule in the Federal Register, which increases the smaller loan exemption threshold for the special appraisal requirements for higher-priced mortgage loans (HPMLs) under TILA. TILA requires creditors to obtain a written appraisal before making a HPML unless the loan amount is at or below the threshold exemption. Each year the threshold must be readjusted based on the annual percentage increase in the Consumer Price Index for Urban Wage Earners and Clerical Workers. The exemption threshold for 2020 is $27,200, up from $26,700 in 2019. The final rule will take effect January 1, 2020.

    Agency Rule-Making & Guidance CFPB OCC Federal Reserve Federal Register Mortgages Appraisal TILA

  • Agencies simplify capital calculation for community banks

    Agency Rule-Making & Guidance

    On October 29, the Federal Reserve Board, the FDIC, and the OCC (agencies) issued a final rule to simplify capital rule compliance requirements and reduce the regulatory burden for community banks in accordance with the Economic Growth, Regulatory Relief, and Consumer Protection Act. Among other things, the final rule allows qualifying community banks to adopt a simple community bank leverage ratio to measure capital adequacy, removing requirements for calculating and reporting risk-based capital ratios. Qualifying community banks must have less than $10 billion in total consolidated assets and meet additional criteria such as a leverage ratio greater than 9 percent. The agencies estimate that approximately 85 percent of community banks will qualify. The final rule also grants a community bank that temporarily fails to comply with the framework a two-quarter grace period to come back into full compliance, as long as its leverage ratio remains above 8 percent. According to the agencies, banking organizations will be permitted to use the community bank leverage ratio framework in their March 31, 2020 Call Report or Form FR Y-9C, as applicable. The final rule will take effect January 1, 2020.

    Agency Rule-Making & Guidance Federal Reserve FDIC OCC Community Banks EGRRCPA

  • Federal financial regulators join the Global Financial Innovation Network

    Federal Issues

    On October 24, the CFTC, FDIC, OCC, and SEC announced that they joined the Global Financial Innovation Network (GFIN). GFIN was created by the United Kingdom’s Financial Conduct Authority in 2018 and is an international network of 50 organizations, including the CFPB and other financial regulators. As previously covered by InfoBytes, GFIN members are committed to supporting financial innovation by (i) collaborating on innovation and providing accessible regulatory contact information for firms; (ii) providing a forum for joint regulation technology work; and (iii) providing firms with an environment in which to trial cross-border solutions. According to the FDIC’s announcement, “[p]articipation in the GFIN furthers these objectives and enhances the agencies’ abilities to encourage responsible innovation in the financial services industry in the United States and abroad.”

    Federal Issues FDIC OCC SEC CFTC Regulatory Sandbox Of Interest to Non-US Persons

  • Waters and Brown urge regulators to reconsider Volcker Rule changes

    Federal Issues

    On October 17, House Financial Services Committee Chairwoman Maxine Waters (D-Calif) and Senate Banking Committee Ranking Member Sherrod Brown (D-Ohio) wrote to the heads of the Federal Reserve Board, FDIC, OCC, SEC, and CFTC to oppose the federal financial regulators’ recent approval of changes to the Volcker Rule. (Previous InfoBytes coverage here.) According to Waters and Brown, the final revisions—which are designed to simplify and tailor compliance with Section 13 of the Bank Holding Company Act’s restrictions on a bank’s ability to engage in proprietary trading and own certain funds—“open the door to the very risky, speculative activities that Congress sought to prohibit.” Specifically, the letter addresses rollback concerns such as (i) narrowing the definition of a “trading account,” which would weaken the short-term intent prong; (ii) “eliminating metrics reporting”; (iii) “removing activity restrictions on non-U.S. banks”; and (iv) “expanding permitted activity related to covered funds.” Waters and Brown urged the regulators to reconsider their decision to adopt the revisions, and requested that they be provided with the data and metrics used by the regulators during their analysis, as well as the regulators’ justification for “eliminating or reducing the information and data reported by banking entities.”

    Federal Issues Volcker Rule House Financial Services Committee Senate Banking Committee Federal Reserve FDIC OCC SEC CFTC
