- Supreme Court Strikes Down Extension of CDC Moratorium on Evictions
- FFIEC Releases New Cybersecurity Guidance on Access and Authentication Protocols
- Federal Banking Agencies Publish New Guide to Due Diligence on Fintech Companies
- Federal Reserve Publishes New LIBOR Transition Guidance on Regulatory Capital
- Other Developments: FDIC Examinations and SBA Lending
1. Supreme Court Strikes Down Extension of CDC Moratorium on Evictions
The U.S. Supreme Court has issued a ruling that blocks the extension of the moratorium on evictions ordered by the Centers for Disease Control and Prevention (CDC) under the Public Health Service Act that prevented evictions in parts of the United States that are experiencing “substantial” and “high” spread of the coronavirus, which covered most counties in the U.S. By a 6-3 majority, the Court’s August 26 decision allows landlords to move forward with evictions of residential tenants that would have been prevented by the CDC’s order. However, the Court’s decision does not prevent states, counties, municipalities, or other government entities from imposing or maintaining their own eviction moratoria or other renters’ protections under state or municipal laws or regulations. For example, the law signed by Massachusetts Governor Charlie Baker in June that extended certain pandemic-related policies prevents evictions in cases where renters in Massachusetts have applied for rental assistance. Click here for a copy of the Supreme Court’s Decision.
Nutter Notes: The federal Coronavirus Aid, Relief, and Economic Security Act (CARES Act) enacted in March 2020 imposed a 120-day eviction moratorium that applied to properties that participated in federal assistance programs or were subject to federally related loans. When the eviction moratorium under the CARES Act expired in July 2020, Congress did not renew it. The CDC determined that the eviction moratorium was an effective public health measure because it facilitated “self-isolation and self-quarantine by people who become ill or who are at risk of transmitting COVID-19.” The CDC’s original eviction moratorium was issued in September 2020, and was originally set to expire on December 31, 2020; however, it was extended several times. In its decision, the Supreme Court said that circumstances had shifted since the original eviction moratorium was imposed such that the continued burden on landlords is no longer merited. As examples, the Court noted that vaccine distribution and the availability of rental-assistance have increased. The U.S. Treasury Department also announced new policies on August 25 that are meant to encourage state and local governments to expedite the distribution of tens of billions of dollars of rental assistance available under the 2021 Consolidated Appropriations Act, which was enacted on December 27, 2020, and the American Rescue Plan Act of 2021, which was enacted on March 11, 2021.
2. FFIEC Releases New Cybersecurity Guidance on Access and Authentication Protocols
The FFIEC has issued new cybersecurity guidance to provide banks with examples of effective authentication and access risk management principles and practices that address business and consumer customers, employees, and third parties who access digital banking services and bank information systems. The guidance published on August 11, titled “Authentication and Access to Financial Institution Services and Systems,” replaces the FFIEC’s 2005 guidance, “Authentication in an Internet Banking Environment,” and the 2011 “Supplement to Authentication in an Internet Banking Environment.” According to the new FFIEC guidance, certain authentication controls—particularly single-factor authentication, such as passwords—either alone or even in combination with layered security, are no longer effective defenses against “evolving and increasingly sophisticated methods” of attacking a bank’s information systems. The new FFIEC guidance recommends that banks use multi-factor authentication (MFA) as part of layered security when risk assessments indicate that single-factor authentication is inadequate. The new guidance also discusses a number of factors that banks should consider when evaluating or implementing MFA. For example, for digital banking customers engaged in high-risk transactions, the guidance suggests that MFA solutions and other layered security should vary depending upon the types of risks presented by services and customer segments, such as business or consumer customers. Click here for a copy of the FFIEC’s new guidance.
Nutter Notes: The FFIEC’s new cybersecurity guidance also emphasizes a number of different risk assessment practices. Examples of effective risk assessment practices given in the new guidance include creating an inventory of all information systems and their components, such as the hardware, operating systems, applications, infrastructure devices, application program interfaces, data, and other assets that require authentication and access controls. Another effective risk assessment practice discussed in the guidance is identifying digital banking customers who engage in high-risk transactions for which enhanced authentication controls are warranted. According to the guidance, elements considered in identifying high-risk transactions may include the dollar amount and volume of transactions, the sensitivity and amount of information accessed by the customer, whether the transaction is irrevocable, and the likelihood and impact of fraud. Finally, the guidance recommends that banks’ risk assessment practices include initial and periodic assessment of the design and effectiveness of access and authentication controls, including the availability of more advanced security options and configurations.
3. Federal Banking Agencies Publish New Guide to Due Diligence on Fintech Companies
The federal banking agencies have jointly issued a new guide to help community banks conduct due diligence when considering relationships with financial technology (fintech) companies. The guide published on August 27, titled “Conducting Due Diligence on Financial Technology Companies; A Guide for Community Banks,” reminds community banks that due diligence is an important component of effective third-party risk management when a community bank considers entering into a business arrangement with a fintech company. The guide discusses six key areas of due diligence: business experience and qualifications, financial condition, legal and regulatory compliance, risk management and control processes, information security, and operational resilience. For example, the guide suggests that relevant considerations in connection with a community bank’s assessment of a fintech company’s business experience include its operational history, client references and complaints, and legal or regulatory actions against the fintech company. The guide also suggests that banks may consider supplementing their due diligence reviews with other resources, such as “industry utilities or consortiums that focus on third-party oversight.” Click here for a copy of the new guide.
Nutter Notes: The federal banking agencies noted that use of the new due diligence guide is voluntary, and that the guide does not anticipate all types of third-party relationships and risks. The agencies expect that a community bank will make its own determination about how to use information in the guide based on specific circumstances, the risks posed by each relationship with a particular fintech company, and the related products, services, or activities offered by the fintech company. The agencies also noted that the scope and depth of due diligence performed by a community bank will depend on the bank’s assessment of the risk posed by the nature and criticality of the products, services, or activities. The agencies said that, while the guide was designed for use by community banks when considering a prospective relationship with a fintech company, the due diligence concepts may be useful for larger banks and for evaluating other types of third-party service providers.
4. Federal Reserve Publishes New LIBOR Transition Guidance on Regulatory Capital
The Federal Reserve has issued new guidance, in the form of answers to frequently asked questions, on the transition away from LIBOR as a reference rate in regulatory capital instruments. The guidance issued on July 29 addresses the redemption or reissuance of regulatory capital instruments and regulatory capital instruments with changing distribution rates. The guidance clarifies that the Federal Reserve does not consider replacing or amending the terms of a capital instrument to transition from LIBOR to another reference rate or rate structure to be an issuance of a new instrument under the regulatory capital rules for purposes of the eligibility criteria for regulatory capital. This outcome assumes that changes in the terms of the replacement or amended capital instrument only relate to the adoption of a new reference rate or rate structure, and that there are no substantial differences from the original instrument, including the maturity of the original capital instrument. According to the guidance, a banking organization that replaces or amends the terms of a capital instrument to transition from LIBOR should support its determination that the replacement or amended instrument is not substantially different from the original instrument with an appropriate economic analysis. Click here for a copy of the new LIBOR transition guidance.
Nutter Notes: The new guidance on the LIBOR transition also clarifies that the Federal Reserve does not consider the replacement or amendment of a capital instrument to replace a reference rate linked to LIBOR with another reference rate or rate structure to constitute creating an incentive to redeem the capital instrument for purposes of the regulatory capital rules, provided that the replacement or amended instrument is not substantially different from the original instrument from an economic perspective. The guidance gives as an example the amendment of the credit spread to reflect the difference in basis between LIBOR and the replacement reference rate, where there is no adjustment for changes in the credit quality of the issuer. In such a case, the amendment of the capital instrument would not result in creating an incentive to redeem the instrument, according to the guidance. Again, the guidance recommends that the banking organization support its determination that the replacement or amended instrument is not substantially different from the original instrument with an appropriate economic analysis. According to the guidance, considerations for such a determination include, but are not limited to, whether the replacement or amended instrument has changed any terms other than those related to implementing the new reference rate or rate structure.
5. Other Developments: FDIC Examinations and SBA Lending
FDIC Requests Feedback on Approach to Examinations During the Pandemic
The FDIC issued a request on August 13 for comments from FDIC-supervised banks about the FDIC’s approach to examinations during the COVID-19 pandemic, including the impact of off-site examination activities on bank operations, the effectiveness of technology used to carry out off-site examination activities, and the effectiveness of communication methods used to support off-site examination activities. Comments are due by October 12, 2021. Click here for a copy of the request for comment.
Nutter Notes: In response the COVID-19 pandemic, the FDIC issued a mandatory telework order for all of its employees, that provided, among other things, that unless otherwise directed, all examination activity should be conducted off-site. The FDIC said that it is seeking comments on what worked well in the off-site examination context to inform plans for future examinations.
OCC Issues Guidance on Risk Management for SBA Lending Programs
The OCC published new guidance on August 2 for national banks and federal savings associations on risk management principles associated with making U.S. Small Business Administration (SBA) guaranteed loans. According to the guidance, OCC examiners expect that a bank’s SBA lending activities, including purchasing investments backed by SBA-guaranteed loans, will be consistent with the bank’s overall business plans, strategies, risk appetite, and sound risk management. Although the guidance applies to OCC-supervised institutions, FDIC and Federal Reserve examiners may consider similar risk management principles when evaluating a bank’s SBA lending program. Click here for a copy of the new guidance.
Nutter Notes: Separately, the SBA announced on July 28 that it will begin accepting Paycheck Protection Program (PPP) loan forgiveness applications directly from borrowers for loans of $150,000 or less. SBA participating lenders, including banks, must opt-in to the PPP direct forgiveness program. Click here to access the SBA’s announcement.