Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Republican lawmakers ask about risks of customers’ digital assets on balance sheets
On March 2, Senator Cynthia M. Lummis (R-WY) and Representative Patrick McHenry (R-NC) sent a letter to the Federal Reserve Board, FDIC, OCC, and NCUA requesting input on SEC guidance issued last year that directs cryptocurrency firms to account for customers’ digital assets on their balance sheets. Last April, the SEC issued Staff Accounting Bulletin No. 121 (SAB 121), covering obligations for safeguarding crypto-assets held by entities for platform users. Among other things, SAB 121 clarified that entities should track customer assets as a liability on their balance sheets. “[A]s long as Entity A is responsible for safeguarding the crypto-assets held for its platform users, including maintaining the cryptographic key information necessary to access the crypto-assets, the staff believes that Entity A should present a liability on its balance sheet to reflect its obligation to safeguard the crypto-assets held for its platform users,” SAB 121 explained.
Claiming that SAB 121 “purports to require banks, credit unions and other financial institutions to effectively place digital assets on their balance sheets,” the lawmakers argued that this “would trigger a massive capital charge,” and in turn would likely prevent regulated entities from engaging in digital asset custody. Rather, regulators should encourage regulated financial institutions to offer digital asset services, since they are subject to the highest level of oversight, the letter said. Among other things, the letter asked the regulators whether the SEC contacted them prior to issuing the guidance, and if they have directed regulated financial institutions to comply with SAB 121. The lawmakers also inquired whether the regulators “agree that SAB 121 potentially weakens consumer protection by preventing well-regulated banks, credit unions, and other financial institutions from providing custodial services for digital assets[.]” The letter pointed to the bankruptcy case of a now-defunct crypto lender, which classified all customers as unsecured creditors, as an example of the legal risk of requiring customer custodial assets be placed on an entity’s balance sheet. “SAB 121 places customer assets at greater risk of loss if a custodian becomes insolvent or enters receivership, violating the SEC’s fundamental mission to protect customers,” the lawmakers wrote.
NCUA approves final cyber incident reporting rule
On February 16, the NCUA approved a final rule that requires federally-insured credit unions (FICUs) to notify the agency as soon as possible (and no later than 72 hours) after a FICU “reasonably believes that a reportable cyber incident has occurred.” Specifically, the rule requires FICUs to report cyber incidents that lead “to a substantial loss of confidentiality, integrity, or availability of a network or member information system as a result of the exposure of sensitive data, disruption of vital member services, or that has a serious impact on the safety and resiliency of operational systems and processes.” Under the rule, FICUs must report any cyberattacks that disrupt their business operations, vital member services, or a member information system within 72 hours of the FICU’s “reasonable belief that it has experienced a cyberattack.” The NCUA explained that the 72-hour notification requirement provides an early alert to the agency but that the rule does not require the submission of a detailed incident assessment within this time frame. The final rule takes effect September 1. Additional reporting guidance will be provided prior to the effective date.
“Through these high-level early warning notifications, the NCUA will be able to work with other agencies and the private sector to respond to cyber threats before they become systemic and threaten the broader financial services sector,” NCUA Chairman Todd M. Harper said. Harper further explained that “[t]his final rule will also align the NCUA’s reporting requirements with those of the federal banking agencies and the Cyber Incident Reporting for Critical Infrastructure Act.”
Agencies reiterate illegality of appraisal discrimination
On February 14, CFPB Fair Lending Director Patrice Ficklin joined senior leaders from the FDIC, HUD, NCUA, Federal Reserve Board, DOJ, OCC, and FHFA in submitting a joint letter to The Appraisal Foundation (TAF) urging the organization to further revise its draft Ethics Rule for appraisers to include a detailed statement of federal prohibitions against discrimination under the Fair Housing Act (FHA) and ECOA.
This is the second time the agencies have raised concerns with TAF. As previously covered by InfoBytes, last February, the agencies sent a joint letter in response to a request for comments on proposed changes to the 2023 Appraisal Standards Board Ethics Rule and Advisory Opinion 16, in which they noted that while provisions prohibit an appraiser from relying on “unsupported conclusions relating to characteristics such as race, color, religion, national origin, sex, sexual orientation, gender, marital status, familial status, age, receipt of public assistance income, disability, or an unsupported conclusion that homogeneity of such characteristics is necessary to maximize value,” the “provisions do not prohibit an appraiser from relying on ‘supported conclusions’ based on such characteristics and, therefore, suggest that such reliance may be permissible.” The letter noted that the federal ban on discrimination under the FHA and ECOA is not limited only to “unsupported” conclusions, and that any discussions related to potential appraisal bias should be consistent with all applicable nondiscrimination laws.
In their second letter, the agencies said that the fourth draft removed a detailed, unambiguous summary covering nondiscrimination standards under the FHA and ECOA, and instead substituted “a distinction between unethical discrimination and unlawful discrimination.” The letter expressed concerns that the term “unethical discrimination” is not well established in current law or practice, and could lead to confusion in the appraisal industry. Moreover, the letter noted that “the term ‘ethical’ discrimination, and reference to the possibility of a protected characteristic being ‘essential to the assignment and necessary for credible assignment results,’ appears to resemble the concept of ‘supported’ discrimination that the agencies previously disfavored and whose removal and replacement with a summary of the relevant law significantly improved the draft Ethics Rule.” The agencies further cautioned that “[s]uggesting that appraisers avoid ‘bias, prejudice, or stereotype’ as general norms” would grant individual appraisers wide discretion in applying these norms and likely yield inconsistent results. The agencies advised TAF to provide a thorough explanation of these legal distinctions.
NCUA will maintain loan interest rate ceiling at 18%
On January 27, the NCUA board unanimously voted to maintain the current temporary 18 percent interest rate ceiling for loans made by federal credit unions (FCUs) for another 18 months. The extension starts after the current period ends March 10. According to the announcement, the National Association of Federally-Insured Credit Unions (NAFCU) urged the NCUA to immediately raise the interest rate ceiling to 21 percent in order to help mitigate interest rate-related risks facing FCUs. Recognizing that the NAFCU “has consistently advocated for a floating permissible interest rate ceiling to address constraints of the 15 percent ceiling set by the FCU Act,” NCUA Chairman Todd Harper said the agency is conducting an analysis of a floating interest rate ceiling that should be completed by the April board meeting.
NCUA proposal looks to promote CU-fintech partnerships
On December 15, the NCUA issued a proposed rule seeking input on amendments to the agency’s regulations on the purchase of loan participations and the purchase, sale, and pledge of eligible obligations and other loans, including notes of liquidating credit unions. Among other things, the proposed rule would remove certain prescriptive limitations and other qualifying requirements to provide federal credit unions with additional flexibility to purchase eligible obligations of their members and engage with advanced technologies and other opportunities presented by fintechs. Improved flexibility and individual autonomy will allow federal credit unions “to establish their own risk tolerance limits and governance policies for these activities, while codifying due diligence, risk assessment, compliance and other management processes that are consistent with the Board’s long-standing expectations for safe, sound, fair and affordable lending practices,” the NCUA said. Comments on the proposed rule are due 60 days after publication in the Federal Register.
“As I have emphasized before, credit unions should recognize and harness the potential opportunities fintechs may offer them,” NCUA Chairman Todd Harper said. “However, we must also acknowledge the potential risks they pose to credit unions, their members, and the system and develop appropriate guardrails. This proposed rule strikes that balance. It provides flexibility, safety, and tailored relief to credit unions while fostering greater innovation.”
Senate Banking grills regulators on crypto
On November 15, the Senate Committee on Banking, Housing, and Urban Affairs held a hearing entitled “Oversight of Financial Regulators: A Strong Banking and Credit Union System for Main Street” to hear from federal financial regulators about growing risks related to bank mergers, bailouts, climate change, crypto assets, and cyberattacks, among other topics. Committee Chairman Sherrod Brown (D-OH) opened the hearing by emphasizing that Congress “must stay vigilant and empower regulators with the tools to combat these growing risks,” and said that banks and credit unions must be able to partner with third parties in a manner that enables competition but without risking consumer money. He also warned that big tech companies and shadow banks should not be allowed to “play by different rules because of special loopholes.” In his opening statement, Ranking Member Patrick J. Toomey (R-PA) challenged the regulators to “not stray beyond their mandates into politically contentious issues or establish unnecessary new regulatory burdens,” pointing to the participation of the Federal Reserve Board, FDIC, and OCC in the Network for the Greening the Financial System as an example of politicizing financial regulation.
Testifying at the hearing were the Fed’s Vice Chair for Supervision Michael S. Barr, NCUA Chair Todd M. Harper, acting FDIC Chairman Martin J. Gruenberg, and acting Comptroller of the Currency Michael J. Hsu. Cryptocurrency concerns were a primary focus during the hearing, where Toomey asked the regulators why they still have not provided public clarity on banks’ involvement in crypto activities, such as providing custody services or issuing stablecoins.
Pointing to a major cryptocurrency exchange’s recent major collapse, Toomey pressed Hsu on whether the OCC “discourages banks from providing custody services” for crypto assets. Toomey speculated, “it seems to me if people had access to custody services provided by a wide range of institutions, including regulated financial institutions, they might be able to sleep more comfortably knowing that those assets are unlikely to be used for some completely inappropriate purpose.” Answering that the OCC discourages banks from engaging in activities that are not safe, sound, and fair, Hsu acknowledged that there are underlying fundamental issues and questions about what it means to control crypto through a custody “which have not been fully worked out.” Toomey emphasized that part of the obligation rests on the OCC to provide clarity on how banks could provide these services in a safe, sound, and fair manner, and stressed that currently these activities are operating in a space outside the regulatory perimeter. Barr agreed that it would be useful for the Fed to provide guidance to banks on how to safely custody crypto assets and said it is something he plans to work on with his colleagues.
Toomy further noted that Congress’s failure “to pass legislation in this space and the failure of regulators to provide clear guidance has created ambiguity that has driven developers and entrepreneurs overseas where regulations are often lax at best.” Senator Bill Haggerty (R-TN) cautioned that lawmakers should not resort to a “heavy-handed” regulatory response to the cryptocurrency exchange’s collapse. “No amount of poorly considered, knee-jerk over-regulation here in the U.S. would have prevented a foreign-domiciled company like [the collapsed cryptocurrency exchange] from doing what it did,” Haggerty said. “The fact of the matter is that crypto, much like all of finance, isn’t beholden to a specific country or a specific legal system, and by not acting and by failing to provide legal clarity here in the United States, Congress only incentivizes activity to migrate outside of our country’s borders,” Haggerty stated, adding that it is “important to recognize that whatever happened with a bad actor running a centralized exchange and defrauding customers” has “nothing to do with the technology underpinning crypto itself.” When asked by Sen. John Kennedy (R-LA) which regulator was responsible for watching the collapsed cryptocurrency exchange, Gruenberg said “I think in the first instance, you’d probably want to engage with the market regulators, the SEC and the CFTC, to talk about the activities and the authorities in this area.”
The regulators also discussed efforts to mitigate cybersecurity risks and strengthen information security within the banking industry. Hsu stressed during the hearing that “the greatest risk is the risk of complacency,” while noting in his prepared remarks that the OCC is aware of the risks associated with cybersecurity and has “encouraged banks to stay abreast of new technology and threats.” Barr pointed to the importance of operational resilience in his prepared remarks, noting that “technology-based failures, cyber incidents, pandemics, and natural disasters,” combined with the growing reliance on third-party service providers, expose banks to a range of operational risks that are often challenging to anticipate. Harper commented in his prepared remarks that the NCUA continues to provide guidance for credit unions to reinforce their ability to withstand potential cyberattacks, and recommends that credit unions report cyber incidents to the NCUA, the FBI, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In his prepared remarks, Gruenberg pointed to recent examination findings revealing that banks that have dedicated resources for implementing appropriate controls are better at defending against cyberattacks, and said the FDIC is “piloting technical examination aids that will help  examiners focus on the controls  found to be most effective in defending against these attacks.”
The House Financial Services Committee also held a hearing later in the week that focused on similar topics with the regulators. Chair Maxine Waters (D-CA) and Rep. Patrick McHenry (R-NC) also announced that the committee will hold a hearing in December to investigate the aforementioned cryptocurrency exchange’s collapse and understand the broader consequences the collapse may have on the digital asset ecosystem.
Agencies seek comment on renewing FFIEC’s cybersecurity assessment tool
On August 8, the OCC, the Federal Reserve Board, the FDIC, and the NCUA (collectively, “Agencies”) issued a notice in the Federal Register soliciting comments on the renewal of the Federal Financial Institutions Examination Council’s cybersecurity assessment tool. According to the notice, the Agencies are seeking comment on, among other things: (i) “[w]hether the collection of information is necessary for the proper performance of the functions of the agencies, including whether the information has practical utility”; (ii) “[t]he accuracy of the Agencies’ estimates of the burden of the collection of information; (iii) how to “enhance the quality, utility, and clarity of the information to be collected”; and (vi) “minimize[ing] the burden of the collection on respondents.” Comments are due 30 days after publication in the Federal Register.
Agencies seek comment on CRE loan statement
On August 2, the FDIC, OCC, and NCUA (collectively, “the agencies”) issued a notice in the Federal Register soliciting public comment on an updated policy statement regarding accommodations and workouts for commercial real estate (CRE) loans whose borrowers are experiencing financial difficulty. In 2009, the Policy Statement on Prudent Commercial Real Estate Loan Workouts was issued by the FFIEC, which the agencies view “as being useful for both agency staff and financial institutions in understanding risk management and accounting practices for  CRE loan workouts.” Among other things, the statement would include (i) a new section on short-term loan accommodations; (ii) information about changes in accounting principles since 2009; and (iii) revisions and additions to examples of CRE loan workouts. The new updated statement would also “address relevant accounting changes on estimating loan losses and provide updated examples of how to classify and account for loans modified or affected by loan accommodations or loan workout activity.” Specifically, the agencies seek input on how the document reflects sound practices in CRE loan accommodation and what additional information can be included to optimize the guidance of managing CRE loan portfolios.
CFPB publishes rulemaking agenda
Recently, the Office of Information and Regulatory Affairs released the CFPB’s spring 2022 rulemaking agenda. According to the preamble, the information in the agenda is current as of April 1, 2022 and identifies regulatory matters that the Bureau “reasonably anticipates having under consideration during the period from June 1, 2022 to May 31, 2023.”
Key rulemaking initiatives include:
- Consumer Access to Financial Records. The Bureau notes that it is considering rulemaking to implement section 1033 of the Dodd-Frank Act to address the development and use of standardized formats for information made available to consumers. The Bureau will release materials in advance of convening a panel under the Small Business Regulatory Enforcement Fairness Act (SBREFA), in conjunction with the Office of Management and Budget and the Small Business Administration’s Chief Counsel for Advocacy.
- Amendments to FIRREA Concerning Automated Valuation Models. The Bureau is participating in interagency rulemaking with the Fed, OCC, FDIC, NCUA, and FHFA to develop regulations to implement the amendments made by the Dodd-Frank Act to FIRREA concerning appraisal automated valuation models (AVMs). The FIRREA amendments require implementing regulations for quality control standards for AVMs. The Bureau released a SBREFA outline in February 2022 and estimates in the agenda that the agencies will issue an NPRM in December 2022 (covered by InfoBytes here).
- Property Assessed Clean Energy Financing. The Bureau issued an ANPR in March 2019 to extend TILA’s ability-to-repay requirements to PACE transactions (covered by InfoBytes here). The Bureau is working to develop a proposed rule to implement Economic Growth, Regulatory Relief, and Consumer Protection Act section 307 in May 2023.
- Small Business Lending Data Collection Under the Equal Credit Opportunity Act. Section 1071 of the Dodd-Frank Act amended ECOA to require financial institutions to report information concerning credit applications made by women-owned, minority-owned, and small businesses, and directed the Bureau to promulgate rules for this reporting. The Bureau issued an NPRM in August 2021, and the comment period ended January 6 (covered by InfoBytes here). The agenda indicates that the Bureau estimates issuance of a final rule in March 2023.
- Adverse Information in Cases of Human Trafficking Under the Debt Bondage Repair Act. The National Defense Authorization Act amended the FCRA to prohibit consumer reporting agencies from providing reports containing any adverse items of information resulting from human trafficking. In June 2022, the CFPB issued a final rule implementing amendments to the FCRA intended to assist victims of human trafficking (covered by InfoBytes here).
Agencies release customer relationship and due diligence guidance
On July 6, the FDIC, Federal Reserve Board, FinCEN, NCUA, and OCC issued a joint statement concerning banks’ risk-based approach for assessing customer relationships and conducting customer due diligence (CDD). Specifically, the joint statement reinforces the agencies’ “longstanding position that no customer type presents a single level of uniform risk or a particular risk profile related to money laundering (ML), terrorist financing (TF), or other illicit financial activity.” Banks are reminded that they must apply a risk-based approach to CDD and adopt appropriate risk-based procedures for conducting ongoing CDD when developing risk profiles of their customers. Because customer relationships present varying levels of ML, TF, and other illicit financial activity risks, the agencies advised banks to, among other things, (i) understand the nature and purpose of customer relationships; and (ii) “conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.”
Additionally, banks that comply with applicable Bank Secrecy Act/anti-money laundering (BSA/AML) legal and regulatory requirements and effectively manage and mitigate risks related to the unique characteristics of customer relationships, “are neither prohibited nor discouraged from providing banking services to customers of any specific class or type,” the agencies said, adding that “as a general matter” they will not direct banks to open, close, or maintain specific accounts as they “recognize that banks choose whether to enter into or maintain business relationships based on their business objectives and other relevant factors, such as the products and services sought by the customer, the geographic locations where the customer will conduct or transact business, and banks’ ability to manage risks effectively.” Banks are encouraged “to manage customer relationships and mitigate risks based on customer relationships, rather than decline to provide banking services to entire categories of customers.”
The joint statement is applicable to all customer types referenced in the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual, as well as to those not specifically addressed in the manual. These include “independent automated teller machine owners or operators, nonresident aliens and foreign individuals, charities and nonprofit organizations, professional service providers, cash intensive businesses, nonbank financial institutions, and customers the bank considers politically exposed persons.” The agencies reiterated that the joint statement does not alter existing BSA/AML legal or regulatory requirements, nor does it establish new supervisory expectations. Moreover, the FFIEC BSA/AML Examination Manual does not establish requirements for banks, nor should the inclusion of sections on specific customer types be interpreted as a signal that certain customer types present uniformly higher risk.