
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS encourages New York state chartered financial institutions to establish relationships with medical marijuana businesses

    State Issues

    On July 3, the New York Department of Financial Services (NYDFS), at the direction of Governor Andrew Cuomo, released guidance encouraging New York state chartered banks and credit unions to consider establishing relationships with regulated and compliant medical marijuana and industrial hemp-related businesses operating in New York. According to the guidance, these businesses often rely solely on cash to conduct transactions because they lack access to traditional financial services. The press release announcing the guidance cites to the New York Compassionate Care Act, enacted in 2014, which provides medical patients suffering from “debilitating symptoms and diseases” access to medical marijuana under strict requirements. NYDFS is encouraging New York financial institutions to form appropriate banking relationships with these businesses, because “[p]roviding access to regulated banking services is an essential part of taking the legal cannabis industry out of the shadows and establishing it as a transparent, regulated, tax-paying part of our economy, and a necessary part of fulfilling the goal of relieving the suffering of seriously ill patients.”

    NYDFS will not impose any regulatory action on a New York financial institution that establishes a business relationship with legal medical marijuana and industrial hemp-related businesses, as long as the institution also complies with other applicable guidance and regulations, such as the Financial Crimes Enforcement Network’s 2014 guidance—which clarifies expectations under the Bank Secrecy Act (BSA) for financial institutions providing services to these businesses. 

    State Issues NYDFS Compliance Bank Secrecy Act FinCEN Medical Marijuana

  • Comptroller Otting discusses regulatory priorities during congressional testimonies

    Federal Issues

    On June 13 and 14, Comptroller of the Currency Joseph Otting appeared before the House Financial Services Committee and the Senate Committee on Banking, Housing, and Urban Affairs to discuss his priorities as Comptroller. As highlighted in the identical press releases for both House and Senate hearings, Otting testified about the OCC’s achievements and efforts since being sworn in as Comptroller in November 2017. Among other things, Otting discussed the agency’s efforts to (i) modernize the Community Reinvestment Act (CRA); (ii) promote compliance with the Bank Secrecy Act and anti-money laundering regulations (BSA/AML); and (iii) simplify the Volcker Rule, particularly for small and mid-size banks. Otting emphasized in his written testimony that his priority is to reduce the regulatory burden on financial institutions, specifying that the CRA requirements have become "too complex, outdated, cumbersome, and subjective." To that end, Otting stated that the OCC, in coordination with other federal agencies, is preparing an advance notice of proposed rulemaking to gather information on potential CRA updates, which, in Otting’s view, should include (i) expanding the types of activities that are eligible for CRA credit; (ii) changing assessment areas so they are not based solely on where the bank has a physical presence; and (iii) providing clearer metrics. As for BSA/AML, Otting noted this was his “number two issue” behind reforming the CRA, and that the working group (the OCC, FinCEN, the FDIC, the Federal Reserve, and NCUA) will likely address key issues like de-risking and improvement of transparency over the next three to six months. Otting noted his pleasure with the Volcker Rule changes in the Economic Growth, Regulatory Relief, and Consumer Protection Act (S.2155/P.L. 115-174) but cautioned that fine-tuning may be necessary as the OCC proceeds with implementation.

    Federal Issues OCC Bank Supervision Compliance Volcker Rule CRA Bank Secrecy Act Anti-Money Laundering

  • NYDFS updates cybersecurity regulation FAQs

    Privacy, Cyber Risk & Data Security

    On March 23, the New York Department of Financial Services (NYDFS) provided a second update to its answers to FAQs relating to 23 NYCRR Part 500, which took effect March 1, 2017 and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. The original promulgation of the FAQs was covered in InfoBytes, as was the last update in February. The new update to the FAQs adds the following guidance:

    • An individual filing a Certificate of Compliance for his or her own individual license with no Board of Directors is acting as a Senior Officer as defined by 23 NYCRR 500 and should complete the filing process in that manner; and
    • Entity ID is defined as an entity’s state-issued unique license or charter number. Specific information is provided for insurance companies and mortgage loan originators in the FAQs.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Compliance

  • GAO encourages increased collaboration in fintech regulation

    Fintech

    In March, the Government Accountability Office ("GAO") issued a report addressing aspects of the fintech marketplace, including the benefits and risks for consumers; current regulatory oversight and challenges; and recommendations for federal action. The report notes that fintech products – such as payments, lending, wealth management, and distributed ledger technologies, among others – generally produce benefits to consumers in the form of lower costs and easier access. Nonetheless, fintech innovation comes with associated risks as certain products may not be covered by existing consumer protection laws, and the extent to which fintech providers are subject to federal and state oversight varies. According to the GAO, fintech providers note that complying with the “fragmented” federal and state requirements is “costly and time consuming.” The report emphasizes the need for regulators to increase collaboration to address key concerns in the fintech market, such as financial account aggregation. The GAO also highlights the efforts other jurisdictions have taken to increase fintech innovation and recommends U.S. federal agencies consider successful foreign regulatory approaches, such as “regulatory sandboxes,” which allow fintech companies to offer products on a limited scale with certain regulatory relief.

    Of note, Arizona recently became the first U.S. state to introduce a “regulatory sandbox” for fintech products marketed and sold to Arizona consumers. See InfoBytes summary here.

    Fintech GAO Compliance Regulation

  • NYDFS issues cybersecurity compliance certificate reminder

    Privacy, Cyber Risk & Data Security

    On March 5, the New York Department of Financial Services (NYDFS) published FAQs for regulated entities that have not yet filed cybersecurity certifications of compliance (Certification of Compliance) required under 23 NYCRR 500. The deadline to file was February 15 and notices recently were sent to regulated entities. Among other things, the FAQs state that a separate Certification of Compliance must be filed for each license an entity holds, and that entities who have failed to submit a Certification of Compliance must do so “as soon as possible.” Entities that received a reminder to certify their compliance but filed for an exemption under Section 500.19 are still required to file the Certificate of Compliance to “confirm that they are in compliance with those provisions of the regulation that apply.”

    Find continuing InfoBytes coverage on NYDFS’s cybersecurity regulation here.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Compliance

  • 9th Circuit denies bank’s challenge to FDIC bank secrecy order

    Courts

    On March 12, the U.S. Court of Appeals for the 9th Circuit upheld a 2016 FDIC cease and desist order against a California bank arising out of alleged deficiencies in compliance management relating to the Bank Secrecy Act (BSA) and anti-money laundering laws. According to the opinion, FDIC examinations dating back to 2010 identified areas for BSA compliance improvement. While the bank made adjustments in response to the original findings, a 2012 FDIC examination found the bank’s BSA compliance program was still deficient, in part because it did not “establish and maintain procedures designed to ensure adequate internal controls, independent testing, administration, and training”—known as the “four pillars”—and because the bank had not filed a necessary suspicious activity report. The bank argued that the BSA compliance standards were too vague, accused FDIC examiners of bias during the examination in a manner that violated its due process rights, and alleged that the decision was not supported by substantial evidence.

    The three-judge panel ruled that (i) there was no bias in the FDIC’s decision to assess a penalty against the bank because there was substantial evidence to support an administrative law judge’s findings that the bank’s failure to maintain adequate controls violated BSA regulations; and (ii) because the BSA and FDIC’s implementing regulations are “economic in nature and threaten no constitutionally protected rights,” vagueness is not an overriding concern. While the “four pillars” of BSA compliance are open to interpretation, the panel noted, the FDIC provides banks with a manual written by the Federal Financial Institutions Examination Council that sets forth a uniform compliance standard. Furthermore, FDIC Financial Institution Letter 17-2010 clarifies that the manual contains the FDIC’s BSA compliance supervisory expectations. “A BSA Officer at the Bank bearing the requisite ‘specialized knowledge’ would understand that compliance with the FFIEC Manual ensures compliance with the BSA. . . . The BSA and its implementing regulations are not unconstitutionally vague,” the panel stated. Therefore, the 9th Circuit held that the manual was entitled to Chevron deference and denied the bank’s petition for review.

    Courts Appellate Ninth Circuit Bank Secrecy Act Anti-Money Laundering Compliance FDIC FFIEC

  • Fed issues proposal to amend internal appeals process

    Federal Issues

    On February 27, the Federal Reserve Board (Board) published proposed amendments to its guidelines on the internal appeals process for institutions that receive an adverse material supervisory determination. According to the proposal, the goal of the amendments is to improve and expedite the appeals process, which was established in 1995 and applies to any material supervisory determination, including matters related to an examination or inspection, which does not have an alternative, independent appeals process. The current guidelines allow for an institution to file a written appeal, which will be reviewed by a panel selected by the Federal Reserve Bank (Bank). The panel is made up of persons who are not employed by the Bank and have no affiliation with the material supervisory determination in question. Institutions also have further appeal rights to the Bank’s president and then a member of the Board. Proposed changes to the process include:

    • reducing the number of appeal levels to two and providing a separate independent review at both appeal levels;
    • establishing an accelerated process for appeals that relate to institutions becoming “critically undercapitalized” under the Prompt Corrective Action (PCA) framework as a result of the material supervisory determination, in order to ensure the review occurs within the required PCA timeframe; and
    • instituting specific standards of review at both appeals stages. The first panel of review would be required to review the documentation “as if no determination had previously been made.” The final panel, made up primarily of Board staff, would review whether the initial appeals determination is “reasonable and supported by a preponderance of the evidence in the record,” and the decision of the final review panel would be made public.

    The proposed amendments also contain changes to the Board’s Ombudsman policy, which, among other things, would allow the Ombudsman—if requested by the institution or Federal Reserve personnel—to attend hearings or deliberations relating to the appeal as an observer. The proposal also would formalize many of the Ombudsman’s current activities, including receiving all complaints related to the Board’s supervisory process and facilitating informal resolution of institutions’ concerns.

    Federal Issues Federal Reserve Bank Supervision Compliance

  • Seven state regulators agree to streamline money service licensing process for fintech companies

    Fintech

    On February 6, the Conference of State Bank Supervisors (CSBS) announced that financial regulators from seven states have agreed to a multi-state compact that will offer a streamlined licensing process for money services businesses (MSB), including fintech firms. The seven states initially participating in the MSB licensing agreement are Georgia, Illinois, Kansas, Massachusetts, Tennessee, Texas and Washington. The CSBS expects other states to join the compact. According to the CSBS, “[i]f one state reviews key elements of state licensing for a money transmitter—IT, cybersecurity, business plan, background check, and compliance with the federal Bank Secrecy Act—then other participating states agree to accept the findings.” CSBS noted that the agreement is the first step in efforts undertaken by state regulators to create an integrated system for licensing and supervising fintech companies across all 50 states.

    The announcement of the MSB licensing agreement follows a May 2017 CSBS policy statement, which established the 50-state goal, and—as previously covered by InfoBytes—is a part of previously announced “Vision 2020” initiatives designed to modernize and streamline the state regulatory system to be capable of supporting business innovation while still protecting the rights of consumers.

    Fintech State Issues State Regulators Licensing CSBS Money Service / Money Transmitters Compliance Bank Secrecy Act

  • Review procedures need enhancing according to GAO’s Regulatory Flexibility Act compliance report

    Federal Issues

    On January 30, the Government Accountability Office (GAO) released its annual report on federal financial regulators’ compliance with the Regulatory Flexibility Act (RFA). Specifically, the report assessed whether certain regulators adhered to the RFA when drafting and implementing regulations that may affect small entities. Such regulators include the Federal Reserve, Commodity Futures Trading Commission, CFPB, FDIC, OCC, and SEC (collectively, the "agencies"). Under the RFA, the agencies must either (i) certify that a rule would not have a significant economic impact on a substantial number of small entities, or (ii) perform a regulatory flexibility analysis to assess the rule’s impact on small entities and “consider alternatives that may minimize any significant economic impact of the rule.” The report disclosed issues related to certifications. Examples included (i) providing incomplete disclosures of data sources or methodologies of economic analysis and impact; (ii) failing to provide definitions for criteria used to determine a “substantial number” or a “significant economic impact”; and (iii) relying on alternative and potentially outdated definitions of small entities. Additionally, GAO noted that many regulators were unable to provide supporting documentation for their analyses. GAO presented 10 recommendations for enhancing compliance procedures, and stressed that regulators should “develop and implement specific policies and procedures for consistently complying with RFA requirements and related guidance for conducting RFA analyses.” Specific recommendations for each agency are located here.

    Federal Issues GAO Compliance Federal Reserve CFTC CFPB FDIC OCC SEC

  • FTC report highlights 2017 privacy and data security enforcement work

    Privacy, Cyber Risk & Data Security

    On January 18, the FTC released its annual report on the agency’s privacy and data security work performed in 2017. Among other items, the report highlights consumer-related enforcement activities in 2017, including:

    • a settlement with a ride-sharing company over allegations that it violated the FTC Act by making deceptive claims about its privacy and data practices (previously covered by InfoBytes here);
    • the first EU-U.S. Privacy Shield action resulting in settlements with three companies over allegations that they falsely claimed they were certified to take part in the framework (previously covered by InfoBytes here); and
    • a joint settlement with the New Jersey Attorney General against a “smart” television manufacturer for claims that it secretly gathered users’ viewing data and sold it to third parties who used the data for targeted advertising (previously covered by InfoBytes here).

    The report also covers the FTC’s approval of TRUSTe’s proposed modifications to its safe harbor program under the Children’s Online Privacy Protection Act of 1998 (COPPA), previously covered by InfoBytes here; and the agency’s actions related to the national “Do Not Call” Registry.

    Privacy/Cyber Risk & Data Security FTC Compliance Enforcement State Attorney General
