U.S. Financial Regulators Propose Rule that Supervisory Guidance Does Not Equal Law

Pillsbury - Global Sourcing Practice


On October 20, 2020, a consortium of U.S. federal financial regulators (Regulators)[1] issued a proposed rule (Proposed Rule) that, if enacted, would codify that mere supervisory guidance that is not the product of notice and comment rulemaking—e.g., interagency statements, advisories, bulletins, policy statements, and FAQs—does not have the force of law. The Proposed Rule would further clarify that the Regulators will not take enforcement actions (including less draconian supervisory actions, like issuing “matters requiring attention”) based on violations of, or non-compliance with, such guidance.

The subject of the Proposed Rule has surfaced before. In particular, the Regulators issued guidance in 2018 (2018 Guidance) seeking to clarify this same principle—that supervisory guidance does not have the force of law. In a twist of irony, though, because the 2018 Guidance was just that—guidance—the Regulators are following the Trump Administration’s general “de-regulatory” agenda by seeking to “hard code” this principle into law through notice and comment rulemaking.

In the outsourcing and vendor contracting space, many of the “requirements” with which U.S. regulated financial institutions are familiar (consider, for example, the FFIEC’s various IT Booklets) are often the result of this supervisory guidance, rather than regulatory requirements made through notice and comment rulemaking. Accordingly, if enacted, the Proposed Rule should essentially loosen the screws on such guidance, leaving regulated financial institutions with potentially more room to employ risk-based calculations in structuring their vendor contracting and procurement operations.

With that said, even if the Proposed Rule is enacted, all that supervisory guidance does not suddenly fly out the window.

Significantly, the Proposed Rule clarifies that supervisory guidance still provides examples of practices that the Regulators do deem to be compliant, as well as the Regulators’ “supervisory expectations or priorities and … general views regarding appropriate practices for a given subject area.” The Proposed Rule further states that in some situations, the Regulators may even reference supervisory guidance in writing to provide examples of compliant practices (e.g., in the context of an examination).

While the Proposed Rule notes that the Regulators may still use guidance as examples of compliant practices, it does not address whether a financial institution may rely on such guidance as a safe harbor from enforcement. It also remains to be seen how the Regulators will affirmatively address a financial institution’s observed lack of compliance with supervisory guidance. Query if the Regulators may still seek to leverage such instances of non-compliance as factual evidence to support alleged violations of other, hard-coded legal obligations. This may especially be the case, as many of the laws and regulations under which financial institutions have binding legal obligations are open-ended, and necessarily require detailed “filling in the blanks” from a factual standpoint. See, e.g., the Gramm-Leach-Bliley Act’s general requirement that financial institutions employ administrative, technical, and physical safeguards to protect consumer information—a law that has launched 1,000 proverbial ships (and even some formal rulemaking) [2] as financial institutions have tried to ascertain what, exactly, this open-ended requirement demands.


The comment period for the Proposed Rule will be open for 60 days from when the Proposed Rule is published in the Federal Register. (We anticipate that should be any day now.) The Regulators have asked for feedback on the Proposed Rule, generally, including whether they should expressly state that a particular issuance is mere supervisory guidance, and to what extent they should even cite supervisory guidance in demonstrating what compliant practices look like. As it will be much more difficult to influence these issues once an official rule is codified, regulated financial institutions should carefully review the Proposed Rule and submit their comments during the comment period.

[1] The Regulators include the Office of the Comptroller of the Currency (OCC), the Federal Reserve System (FRS), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Association (NCUA), and the Bureau of Consumer Financial Protection (CFPB).

[2] See, e.g., The Interagency Guidelines Establishing Standards for Safety and Soundness (12 CFR part 30, Appendix A and 12 CFR part 208, Appendix D-1). The Regulators state in the preamble to the Proposed Rule that such Interagency Guidelines may be the basis for enforcement actions as they were the product of notice and comment rulemaking.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury - Global Sourcing Practice | Attorney Advertising
