Federal Reserve Issues Proposed Rule on Modernizing CRA Regulations
On September 21, the Federal Reserve released an Advance Notice of Proposed Rulemaking (ANPR) soliciting public comment on its approach to modernizing regulations that implement the CRA. The ANPR seeks comment on the Federal Reserve’s proposals to meet low-to-moderate income banking needs by addressing changes in the banking industry and inequities in financial services and credit access. The ANPR includes proposals to promote financial inclusion in Indian Country and other underserved areas, including investments in Minority Depository Institutions and Community Development Financial Institutions. In addition, the ANPR identifies proposed changes to performance evaluation standards, including proposals to tailor performance tests and assessments to account for differences in bank sizes and business models, specifically addresses the needs of small banks and those in rural areas, and clarifies and expands eligible CRA activities. The ANPR also proposes a new framework in which banks could rely on existing data collection and reporting requirements, deviating from the OCC's plan to request new data points for CRA scoring. The ANPR also includes key tests that consumer advocates had criticized the OCC for eliminating, such as a stand-alone community development test with separate financing and service subtests. Comments responding to the ANPR must be received no later than 120 days after it is published in the Federal Register.
State Regulators Roll Out One Company, One Exam for Nationwide Payments Firms
On September 15, CSBS announced a new initiative: MSB Networked Supervision. This initiative will allow the nation’s largest payments and cryptocurrency companies that currently meet the 40-state threshold, including nationwide payments firms and money transmitters, to undergo only one comprehensive examination in 2021, led by one state overseeing a group of examiners sourced from across the country. Building on years of multistate coordination, this initiative seeks to streamline state examinations, satisfy all state examination requirements, fine-tune a risk-based approach to each company’s operations, and enhance states’ ability to follow up on compliance issues throughout the year.
FinCEN Seeks Comments on Enhancing the Effectiveness of Anti-Money Laundering Programs
On September 16, FinCEN issued an Advanced Notice of Proposed Rulemaking to solicit comments on questions pertaining to potential regulatory amendments under the Bank Secrecy Act (BSA), which would require financial institutions to maintain “effective and reasonably designed” anti-money laundering programs. The amendments are intended to modernize the regulatory regime and provide financial institutions with greater flexibility in the allocation of resources to enhance the effectiveness and efficiency of AML programs. These regulatory amendments would seek to clearly define that an “effective and reasonably designed” AML program should (i) identify, assess and reasonably mitigate the risks resulting from illicit financial activity, (ii) assure and monitor compliance with recordkeeping and reporting requirements of the BSA, and (iii) provide information with a high degree of usefulness to government authorities. FinCEN is seeking comments on whether the regulatory amendments as proposed make clear that the program is intended to create an “effective and reasonably designed” AML program and whether the core elements as proposed are appropriate for such goal. Comments must be submitted within 60 days of publication in the Federal Register.
OCIE Issues Risk Alert Regarding “Credential Stuffing” Cyber Attacks
On September 15, the OCIE issued a Risk Alert regarding a recent uptick in “credential stuffing” cyber-attacks against SEC-registered entities. “Credential stuffing” is a process whereby hackers use compromised client or staff login credentials to gain access to client accounts or, in the case of a staff member, the firm’s system. Hackers typically obtain lists of compromised usernames and passwords from the dark web and then use automated scripts to attempt to use those credentials on other websites. By eliminating the guesswork of “brute force” attacks, whereby hackers simply attempt to guess passwords through various combinations, credential stuffing is becoming a much more effective and formidable form of cyber-attack.
In the Risk Alert, the OCIE recommended various steps firms can take to strengthen their security controls and protect against future attacks. Recommendations included: (i) updating password policies to ensure that their strength, length, type, and change of password practices are consistent with industry standards; (ii) upgrading Multi-Factor Authentication (MFA) which uses multiple factors, such as mobile phone text messages, to authenticate the identity of the user logging into the account; (iii) implementing Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHA) to protect against automated scripts or bots; (iv) monitoring accounts for higher-than-usual number of login attempts over a short period of time to identify potential attacks and use Web Application Firewall (WAF) to provide an extra layer of protection from these attacks; and (v) periodically surveilling the dark web to determine whether any user IDs have been leaked. By employing these strategies, the OCIE suggests that firms can proactively protect themselves and their clients from this new wave of cyber-attacks and reduce the risk that client or staff accounts will be compromised.
Federal Reserve Releases Scenarios for Second Round of Bank Stress Tests
On September 17, the Federal Reserve released two hypothetical scenarios for a second round of bank stress tests. Earlier this year, the Federal Reserve had performed a first round of stress tests that found large banks were well-capitalized under a range of hypothetical events. A second round of stress testing is being conducted due to uncertainty resulting from the COVID-19 pandemic. The Federal Reserve will test large banks against two scenarios featuring severe recessions. The first scenario is referred to as "severely adverse” and features the unemployment rate peaking at 12.5% at the end of 2021 and then declining to about 7.5% by the end of the scenario’s timeframe. In the “severely adverse” scenario, gross domestic product declines about 3% from the third quarter of 2020 through the fourth quarter of 2021. This scenario also features a sharp slowdown abroad. The second scenario is referred to as "alternative severe" and features an unemployment rate that peaks at 11% by the end of 2020 but stays elevated and only declines to 9% by the end of the scenario’s timeframe. In the “alternative severe” scenario, gross domestic product declines about 2.5% from the third to the fourth quarter of 2020. Both scenarios also include a global market shock component for banks with large trading operations. These banks, as well as certain banks with substantial processing operations, will also be required to incorporate the default of their largest counterparty. Each scenario includes 28 variables covering domestic and international economic activity. The Federal Reserve will release the results of the banks' performance under both scenarios by the end of this year.
OCC Clarifies That Federally Chartered Banks and Thrifts May Engage in Certain Stablecoin Activities
On September 21, the Office of the Comptroller of the Currency (OCC) published an interpretive letter clarifying the authority of national banks and federal savings associations to hold “reserves” on behalf of customers who issue certain stablecoins (cryptocurrency backed by an asset such as a fiat currency, including U.S. dollars or other foreign currency). The letter concludes that national banks and federal savings associations may hold “reserves” on behalf of customers who issue stablecoins, in situations where the coins are held in hosted wallets. The letter addresses the use of stablecoins backed by a single fiat currency on a one-to-one basis where the bank verifies at least daily that reserve account balances meet or exceed the number of the issuer's outstanding stablecoins.
Wyoming Grants First SPDI Charter
On September 16, the Wyoming Division of Banking granted its first special purpose depository institution (SPDI) charter to a subsidiary of Kraken, the cryptocurrency exchange. A SPDI is a type of Wyoming-chartered depository institution specifically designed to provide banking services to blockchain innovators. SPDIs are not required to obtain federal deposit insurance, and they are limited in their ability to accept deposits and make loans. SPDIs may conduct other activities usual or incidental to the business of banking, such as providing custody services and exercising fiduciary powers. These capabilities make SPDI charters attractive options for digital asset service providers wishing to decrease their reliance on third parties for services critical to their platforms without themselves necessarily becoming “banks” for purposes of the Bank Holding Company Act of 1956.
SEC Issues CD&I On Disclosure of Benefits Provided to Executive Officers Because of the COVID-19 Pandemic
The staff of the SEC’s Division of Corporation Finance has issued a new compliance and disclosure interpretation under the Regulation S-K Compliance & Disclosure Interpretations (C&DIs) to provide guidance on whether benefits provided to executive officers because of the COVID-19 pandemic are perquisites or personal benefits under Item 402(c)(2)(ix)(A) of Regulation S-K. This question, which may be relevant for many companies this year, can affect determinations of disclosable executive compensation and determinations of which executive officers are “named executive officers” under Item 402. The C&DI states that the two-step analysis contained in Release 33-8732A, which will depend on the specific facts involved, applies to these determinations:
- An item that is “integrally and directly” related to performance of an executive’s duties is not a perquisite or personal benefit.
- An item that provides a direct or indirect benefit to the executive and has a personal aspect is a perquisite or personal benefit, even if it has a business purpose or was provided for the company’s convenience, unless the item is generally available to all employees on a non-discriminatory basis.
Federal Reserve Revises FAQs on Main Street Lending Program
On September 18, the Federal Reserve updated its frequently asked questions (FAQ) to clarify expectations regarding lender underwriting for the Main Street Lending Program (MSLP). The revised FAQ emphasize that lenders should consider both a borrower's pre-pandemic condition and post-pandemic prospects during the underwriting process. Importantly, the FAQ also clarified that “supervisors will not criticize eligible lenders for originating Main Street loans in accordance with the program’s requirements, including cases where such loans are considered non-pass at the time of origination, provided these weaknesses stem from the pandemic and are expected to be temporary or if such loans are part of a bank’s prudent risk mitigation strategy for an existing borrower.”
California Legislature Passes Bill Expanding Consumer Financial Protection Oversight
On August 31, the California Legislature passed Assembly Bill No. 1864 (AB-1864) and sent the bill to California Governor Gavin Newsom for his expected approval. For an overview of some of AB-1864’s key provisions, read the LenderLaw Watch blog.
LITIGATION AND ENFORCEMENT
NYSDFS Files Charges Against Debt Collector for Failing to Substantiate Debts
On September 16, the New York State Department of Financial Services announced that it had filed a statement of charges against a debt collector over the debt collector’s alleged failure to comply with New York State’s Debt Collection Regulation, Part 1 of Title 23 of the New York Codes, Rules, and Regulations. Read the Consumer Finance Enforcement Watch blog to learn more.