
InfoBytes Blog

Financial Services Law Insights and Observations


  • OCC releases December enforcement actions

    Federal Issues

    On January 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include formal agreements, prohibition orders, and terminations of existing enforcement actions against individuals and banks. Included among the actions is a formal agreement issued against an Illinois-based bank on December 18 for alleged unsafe or unsound practices relating to, among other things, consumer compliance. The agreement requires the bank to (i) establish a compliance committee to monitor the bank’s progress in complying with the agreement’s provisions; (ii) report such progress to the bank’s board on a quarterly basis; and (iii) implement a written consumer compliance program. This program must also include a policies and procedures manual that covers all consumer protection laws, rules, and regulations to which the bank should adhere, an independent audit program, and training of bank personnel in the consumer protection laws, rules, and regulations as appropriate.

    Federal Issues Agency Rule-Making & Guidance Bank Compliance Enforcement OCC

  • FDIC, OCC issue joint notice of heightened cybersecurity risk

    Federal Issues

    On January 16, the FDIC and the OCC announced (FDIC FIL-3-2020, OCC Bulletin 2020-5) the issuance of a joint statement on risk management of current heightened cybersecurity risks. The statement reminds supervised financial institutions to maintain preventative controls and update and test incident response and business continuity plans. It also sets out best practices in these areas for supervised financial institutions.

    The bulletin lists six “key controls” including:

    • Response, resilience and recovery capabilities. Maintain system backups and segment data to prevent spread of malicious activity across the network and to increase recovery capabilities. Incident and business resilience plans should set out cyber attack response and business continuity procedures and a data backup program should be set up and regularly tested. Cyber insurance coverage may further mitigate cyber risk exposure.
    • Identity and access management. Implement identity and access management controls to combat phishing attacks and prevent theft of login credentials. Incorporate risk-based authentication, limit user permissions, and continually monitor user accounts.
    • Network configuration and system hardening. Configure networks with appropriate security settings that are regularly updated. Update anti-malware and routinely test network technology for vulnerabilities.
    • Employee training. Provide continuous training to keep cybersecurity program employees abreast of new cyber threats and evolving social engineering tactics.
    • Security tools and monitoring. Maintain competent cybersecurity staff or service providers to monitor for the most current “threat and vulnerability information,” regularly review audit logs, and establish and test ability to “detect and respond to attacks.”
    • Data protection. Encrypt “sensitive and critical data,” which should also be accurately classified to ensure ease in identification.

    Federal Issues FDIC OCC Bank Supervision Risk Management Privacy/Cyber Risk & Data Security

  • FHFA seeks comments on PACE loans

    Agency Rule-Making & Guidance

    On January 16, the FHFA issued a notice requesting public comment on prospective policy changes to its residential energy retrofitting programs, or Property Assessed Clean Energy (PACE) programs. According to the request for comment, PACE programs are “financed through special state legislation enabling a ‘super-priority lien’ over existing and subsequent first mortgages.” Because the loans are only recorded in tax rolls and not in land records, they do not show up in title searches. This may potentially cause problems for prospective buyers and mortgage lenders. Additionally, the programs are not uniform across states and the GSEs cannot buy properties encumbered by PACE loans.

    Comments must be received by March 16.

    Agency Rule-Making & Guidance FHFA PACE Programs GSE Consumer Finance State Legislation

  • Special Alert: NYDFS accelerates Libor transition planning

    Federal Issues

    On December 23, 2019, the New York Department of Financial Services issued an “Industry Letter” requesting that each NYDFS-regulated institution submit the institution’s plan for addressing the transition away from Libor-based credit, derivative, and securities exposures. The NYDFS letter has spurred additional focus by financial institutions on the issue, and not only by those regulated by NYDFS. This Client Alert summarizes the current state of play in Libor transition, and outlines some key considerations for developing a Libor transition plan.

    * * *

    Click here to read the full special alert.

    If you have any Libor-related questions please contact a Buckley attorney with whom you have worked in the past.

    Federal Issues Special Alerts LIBOR NYDFS Risk Management SOFR

  • Fed provides FAQs for tailoring rules

    Agency Rule-Making & Guidance

    On January 13, the Federal Reserve Board (Fed) issued SR 20-2, “Frequently Asked Questions on the Tailoring Rules” (FAQs) applicable to bank holding companies, savings and loan companies, U.S. intermediate holding companies with $100 billion or more in total assets, and certain depository institutions. In October, as previously covered by InfoBytes, the Fed and the OCC released a jointly developed framework that set out four categories to be used to classify these banking entities for the purposes of determining regulatory capital and liquidity requirements based on risk. The FAQs provide guidance on the tailoring rules, including answers to questions about Liquidity Coverage Ratio (LCR) requirements, recognition of Accumulated Other Comprehensive Income, compliance requirements for foreign banking organizations with less than $100 billion in U.S. assets, and the interpretation of “quarterly” in relation to stress testing frequency.

    Agency Rule-Making & Guidance Federal Reserve Bank Holding Companies SIFIs Liquidity Standards Stress Test OCC Of Interest to Non-US Persons LCR Bank Compliance

  • Data breach settlement of $380.5 million approved in consumer reporting agency class action

    Privacy, Cyber Risk & Data Security

    On January 13, the U.S. District Court for the Northern District of Virginia issued a final order and judgment in a class action settlement between a class of consumers (plaintiffs) and a large consumer reporting agency (company) to resolve allegations arising from a 2017 cyberattack causing a data breach of the company. After the company announced the breach, many consumers filed suit and were eventually joined into a proposed settlement class. As previously covered by InfoBytes, the plaintiffs alleged that the company (i) failed to provide appropriate security to protect stored personal consumer information; (ii) misled consumers regarding the effectiveness and capacity of its security; and (iii) failed to take proper action when vulnerabilities in their security system became known. The company and the plaintiffs later submitted a proposed settlement order to the court.

    According to the final order and judgment, the court certified the settlement class of the approximately 147 million affected consumers, finding the class was adequately represented, and approved the “distribution and allocation plan” as fair and reasonable. In the order granting final approval of the settlement the company agreed to, among other things, pay $380.5 million into a settlement fund and potentially up to $125 million more to cover “certain out-of-pocket losses,” $77.5 million for attorneys’ fees, and approximately $1.4 million for reimbursement of expenses. Class members are eligible for additional benefits including up to 10 years of credit monitoring and identity theft protection services or cash compensation if they already have those services, as well as identity restoration services for seven years. The company also agreed to spend at least $1 billion on data security and technology in the next five years.

    Privacy/Cyber Risk & Data Security Class Action Settlement Data Breach Consumer Data Class Certification Consumer Reporting Agency

  • NYDFS appoints Leandra English to executive team

    State Issues

    On January 14, NYDFS Superintendent Linda Lacewell announced that former Deputy Director of the CFPB, Leandra English, will serve as Special Policy Advisor to the Department. In her role, English will report directly to Lacewell and will manage and develop NYDFS’ policy initiatives involving consumers, financial services, and other issues. English will also be responsible for spearheading NYDFS’ policy development and analysis process, and assisting in the identification of common regulatory trends and risks across industries. 

    State Issues NYDFS State Regulators Consumer Protection Financial Services Authority

  • Basis for invalidating CFPB is “remarkably weak,” says court-appointed defender

    Courts

    On January 15, Paul Clement, the lawyer selected by the U.S. Supreme Court to defend the leadership structure of the CFPB, filed a brief in Seila Law LLC v. CFPB arguing that Seila Law’s constitutionality arguments are “remarkably weak” and that “a contested removal is the proper context to address a dispute over the President’s removal authority.” First, Clement stated that “there is no ‘removal clause’ in the Constitution,” and that because the “constitutional text is simply silent on the removal of executive officers” it does not mean there is a “promising basis for invalidating an Act of Congress.” Moreover, the Constitution leaves it to Congress to decide “all manner of questions about the organization and structure of executive-branch departments and officers,” Clement wrote. Second, Clement disagreed with the argument that Congress cannot impose modest restrictions on the President’s ability to remove executive officers, so long as the President is the one exercising the removal powers. Third, Clement noted that in the past, the Court has repeatedly upheld the ability to place permissible restrictions on a President’s removal authority.

    Clement further contended, among other things, that the dispute in Seila is “not just unripe, but entirely theoretical.” He referenced the Bureau’s brief filed last September (covered by InfoBytes here), in which the CFPB argued that the for-cause restriction on the President’s authority to remove the Bureau’s single director violates the Constitution’s separation of powers, and noted that “[w]hatever was true when this suit was first filed, the theory of the unitary executive appears alive and well in the Director’s office.” Rather, Clement stated, the Court should wait for an instance where a CFPB director has been fired for something short of the “inefficiency, neglect of duty, or malfeasance in office” threshold that Congress set for dismissing a CFPB director in Dodd-Frank before ruling on the question. Clement also emphasized that “text, first principles and precedent” all “strongly support” upholding the U.S. Court of Appeals for the Ninth Circuit’s decision from last May, which deemed the CFPB to be constitutionally structured and upheld a district court’s ruling enforcing Seila Law’s compliance with a 2017 civil investigative demand.

    As previously covered by InfoBytes, the 9th Circuit held that the for-cause removal restriction of the CFPB’s single director is constitutionally permissible based on existing Supreme Court precedent. The panel agreed with the conclusion reached by the U.S. Court of Appeals for the D.C. Circuit majority in the 2018 en banc decision in PHH v. CFPB (covered by a Buckley Special Alert) stating, “if an agency’s leadership is protected by a for-cause removal restriction, the President can arguably exert more effective control over the agency if it is headed by a single individual rather than a multi-member body.”

    The parties in Seila filed briefs last December. While both parties are in agreement on the CFPB’s single-director leadership structure, they differ on how the matter should be resolved. Seila Law argued that the Court should invalidate all of Title X of Dodd-Frank, whereas the Bureau contended that the for-cause removal provision should be severed from the rest of the law in accordance with Dodd-Frank’s express severability clause. Oral arguments are scheduled for March 3. (Previous InfoBytes coverage here.)

    Courts U.S. Supreme Court CFPB Single-Director Structure Seila Law Constitution

  • FDIC extends deadline for comments on innovation pilot programs

    Agency Rule-Making & Guidance

    On January 14, the FDIC again published a notice and request for comments in the Federal Register on innovation pilot programs. The FDIC first solicited comments on innovation pilot programs in November, with comments due by January 6. As no comments were submitted, the agency is once again requesting comments on the programs, which, as previously covered by InfoBytes, it hopes will spur collaboration “with innovators in the financial, non-financial, and technology sectors to, among other things, identify, develop, and promote technology-driven innovations among community and other banks in a manner that ensures the safety and soundness of FDIC-supervised and insured institutions.”

    Comments must be received by February 13.

    Agency Rule-Making & Guidance Fintech Community Banks Supervision FDIC

  • Securities class action against bank pared down

    Courts

    On January 12, the U.S. District Court for the Northern District of California dismissed one of plaintiffs’ causes of action and concluded that only two of the 67 public statements the plaintiffs identified in support of their securities fraud causes of action against a large bank and its former CEO (defendants) related to the defendants’ “collateral protection insurance (CPI) … practices for auto loan customers” were actionable. The plaintiffs alleged that while, in July 2016, the defendants learned of irregularities with respect to the CPI and, by September 2016, discontinued the program, the defendants did not disclose information on the CPI program’s issues until July 2017, after which time the defendants’ stock price dropped. The plaintiffs then filed suit based on 67 public statements made by the defendants prior to that time, which the plaintiffs alleged the defendants knew were “false or misleading” and resulted in the bank’s stockholders losing money.

    Upon review, the court found that 65 of the 67 public statements on which the plaintiffs’ causes of action were based were not actionable. The two statements that the court found may support the plaintiffs’ causes of action were those made by the defendants when they were specifically asked whether they knew about “potential misconduct outside of the already disclosed improper retail banking sales practices” and, each time, “failed to disclose the CPI issue….” With respect to the two statements, the court found that the plaintiffs had “met [their] burden under the PSLRA (Private Securities Litigation Reform Act)” to show a “strong inference that the defendant acted with the required state of mind,” and that the plaintiffs “adequately pleaded loss causation.” According to the opinion, the defendants did not challenge the plaintiffs’ contentions about the two alleged misstatements’ connection to the purchase or sale of the defendants’ securities, or that the plaintiffs relied on the misstatements or omissions and experienced economic losses as a result.

    Courts Securities Class Action Class Certification Auto Leases Insurance
