InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
VA proposes amendments to IRRRL requirements
On November 1, the Department of Veterans Affairs (VA) published a proposed rule in the Federal Register, which would amend the agency’s rules on VA-backed interest rate reduction refinancing loans (IRRRLs). Specifically, the proposed amendments would update existing VA IRRRL regulations to meet current statutory requirements for determining whether the agency can guarantee or insure a refinance loan. The amendments would modify current regulations to reflect requirements related to, among other things, net tangible benefit, recoupment, and seasoning standards. Additionally, due to confusion among program participants, VA is proposing clarifications to minimize the risk of lender noncompliance, thereby safeguarding veterans, easing lender concerns, reducing potential instability in the secondary loan market, and insulating taxpayers from unnecessary financial risk. Comments on the proposed rule are due January 3, 2023.
Chopra says CFPB is examining industry standard settings
On November 2, CFPB Director Rohit Chopra delivered prepared remarks before a public meeting of the Bureau’s Consumer Advisory Board briefly touching upon on several topics related to the Buy Now Pay Later market, big tech and data collection, peer-to-peer payment platforms, and Section 1033 rulemaking concerning consumers’ rights to their personal financial data. Notably, Chopra raised an area of discussion concerning industry standard-setting organizations and providers of critical infrastructure. Recognizing that private organizations play a major role in setting standards across sectors of the economy, Chopra emphasized that “[d]ecentralized, open banking will likely rely on fair standard-setting, through an amalgam of legally binding rules and industry developed standards.” He warned though that it “can be difficult to achieve fair standard-setting, since incumbents will have a strong economic interest when it comes to protecting their turf.” Chopra pointed to the telecommunications and health care industries as areas where private organizations “are not neutral, but are instead owned or governed by certain market participants” and where other players may also integrate a function akin to a lobbying or trade association. Explaining that the Bureau has been devoting a lot of time to this space, Chopra said the agency is gathering insights into other countries’ experiences, such as the UK’s Open Banking Implementation Entity (which was established to provide critical services and infrastructure), as well as domestic developments. He stated the Bureau will develop rulemaking with a practical mindset of how requirements would be operationalized in the market.
SEC proposes new requirements for advisors that outsource services to third parties
On October 26, the SEC proposed new oversight requirements for outsourced investment advisory services. The proposed rule, issued under the Investment Advisers Act of 1940, would prohibit registered investment advisers from outsourcing certain services and functions without conducting due diligence prior to engaging a third-party service provider. The proposed rule would apply to advisors that outsource certain “covered functions,” including services or functions necessary for providing advisory services in compliance with federal securities laws that—if not performed or negligently performed—would result in material harm to clients. Under the proposed rule, advisors would also be required to periodically monitor a third party’s performance and reassess whether it is appropriate to continue to outsource its services and functions. Additionally, the SEC is proposing corresponding amendments so that it may collect “census-type information” about third-party service providers, as well as amendments that would require advisors to maintain books and records related to the proposed rule’s oversight obligations.
SEC Chairman Gary Gensler released a statement supporting the proposed amendments. “[T]hese rules, if adopted, would better protect investors by requiring that investment advisers take steps to continue to meet their fiduciary and other legal obligations regardless of whether they are providing services in-house or through outsourcing, whether through third parties or affiliates,” Gensler said, explaining that the increased use of third-party service providers “has led staff to make several recommendations to ensure advisers that use them continue to meet their obligations to the investing public. When an investment adviser outsources work to third parties, it may lower the adviser’s costs, but it does not change an adviser’s core obligations to its clients.”
Commissioner Hester M. Peirce criticized the proposed rule, with Peirce claiming the proposal “may end up abrogating fiduciary duty and replacing it with [a] predefined approach to best interest—one not responsive to unique facts and circumstances.” She also expressed concerns related to the proposal’s potential impact on smaller advisors that may face disproportionate competitive challenges. Commissioner Mark T. Uyeda also dissented, expressing concerns over whether “there is any observable problem related to investment advisers’ oversight of service providers that necessitates the blanket imposition of specified oversight requirements.”
CISA releases new cybersecurity performance goals
Recently, the Cybersecurity and Infrastructure Security Agency (CISA) released a new report outlining baseline cross-sector cybersecurity performance goals (CPGs) for all critical infrastructure sectors. The report follows a July 2021 national security memorandum issued by President Biden, which required CISA to coordinate with the National Institute of Standards and Technology (NIST) and the interagency community to create fundamental cybersecurity practices for critical infrastructure, primarily to help small- and medium-sized organizations improve their cybersecurity efforts. The CPGs were informed by existing cybersecurity frameworks and guidance, as well as real-world threats and adversary tactics, techniques, and procedures observed by the agency and its partners. CISA noted in the report that the CPGs are not comprehensive but instead “represent a minimum baseline of cybersecurity practices with known risk-reduction value broadly applicable across all sectors, and will be followed by sector-specific goals that dive deeper into the unique constraints, threats, and maturity of each sector where applicable.” Organizations may choose to voluntarily adopt the CPGs in conjunction with broader frameworks like the NIST Cybersecurity Framework. “The CPGs are a prioritized subset of IT and operational technology (OT) cybersecurity practices that critical infrastructure owners and operators can implement to meaningfully reduce the likelihood and impact of known risks and adversary techniques,” CISA said in its announcement.
DOE announces final rules for targeted debt relief programs
On October 31, the Department of Education (DOE) announced final rules to streamline and improve targeted debt relief programs. (See DOE fact sheet here.) The final rules implement several changes to protect student borrowers, including:
- Borrower defense to repayment and arbitration. The final rules establish a strong framework for borrowers to raise a defense to repayment if their post-secondary institution misleads or manipulates them. Claims pending on or received on or after July 1, 2023, can be decided individually or as a group, and may be based on one of the following categories of actionable circumstances: substantial misrepresentation, substantial omission of fact, breach of contract, aggressive and deceptive recruitment, or judgments or final secretarial actions. The final rules will only provide full relief (partial discharges will not be considered), with approved claims requiring “that the institution committed an act or omission which caused the borrower detriment of such a nature and degree that warrant full relief” based upon a preponderance of the evidence. Additionally, the final rules establish certain recoupment processes for DOE to pursue institutions for the cost of approved claims, and will allow borrowers to litigate their case “by preventing institutions that participate in the Direct Loan program from requiring borrowers to engage in pre-dispute arbitration or sign class action waivers.”
- Closed school discharges. The final rules provide an automatic discharge of a borrower’s loan “one year after a college’s closure date for borrowers who were enrolled at the time of closure or left 180 days before closure and who do not accept an approved teach-out agreement or a continuation of the program at another location of the school.” Borrowers who accept but do not complete a teach-out agreement or program continuation will receive a discharge one year after the last date of attendance.
- Total and permanent disability discharge. The final rules include new options for borrowers who have had a total and permanent disability to receive a discharge, including borrowers (i) who receive additional types of disability review codes from the Social Security Administration (SSA); (ii) who later aged into retirement benefits and are no longer classified by one of SSA’s codes; (iii) who have an established disability onset date determined by SSA to be at least 5 years in the past; and (iv) whose first continuing disability review is scheduled at three years. The final rules also eliminate a three-year income monitoring requirement.
- Interest capitalization. Under the final rules, “interest will no longer be added to a borrower’s principal balance the first time a borrower enters repayment, upon exiting a forbearance, and leaving any income-driven repayment plan besides Income-Based Repayment.” Specifically, the final rules eliminate all instances where interest capitalization—which occurs when a borrower has outstanding unpaid interest added to the principal balance—is not required by law.
- Public Service Loan Forgiveness. As previously covered by InfoBytes, the final rules will provide benefits for borrowers seeking Public Service Loan Forgiveness, including providing credit toward the program for borrowers who have qualifying employment.
- False certification. The final rules will provide borrowers with an easier path to discharge when a college falsely certifies a borrower’s eligibility for a student loan. This includes expanding allowable documentation, clarifying applicable discharge dates, and allowing for the consideration of group discharges.
The final rules are effective July 1, 2023.
DOE expands support for veterans/servicemembers and incarcerated individuals
On October 27, the Department of Education (DOE) announced final rules cracking down on deceptive practices affecting veterans and servicemembers and expanding college access to incarcerated students. (See DOE fact sheet here.) The final rules, among other things, (i) implement a change to the “90/10 rule” made by the American Rescue Plan in 2021, which closed a loophole in the Higher Education Act that previously incentivized some for-profit colleges to aggressively recruit veterans and servicemembers in order to receive more DOE funding (going forward, these institutions may no longer count money from veteran and service member benefits toward a 10 percent revenue requirement); (ii) expand access to DOE’s Second Chance Pell Experimental Sites Initiative to allow incarcerated individuals in nearly all states to participate; (iii) provide incarcerated individuals with access to the FSA’s Fresh Start initiative, which will help borrowers with defaulted loans access income-driven low monthly payments as well as with access to Pell Grants; and (iv) clarify requirements and processes for post-secondary institutions when changing ownership, which may require institutions to provide additional financial protection or impose other conditions to protect against risks arising from the transaction.
SEC says exchanges must have policies on incentive compensation given in error
On October 27, the SEC announced final rules requiring securities exchanges to adopt listing standards that require issuers to develop and implement policies providing for the recovery of erroneously awarded incentive-based compensation received by executive officers. The final rules require a listed issuer to file the policy as an exhibit to its annual report and to include disclosures related to its recovery policy and recovery analysis where a recovery is triggered. The SEC first proposed new rules for executive compensation disclosure in 2015, but they were not finalized. The SEC reopened consideration of the rules last year, and in August, adopted a new requirement that a reporting company’s proxy statement and other disclosures include a table showing executive compensation and financial performance measures.
According a statement released by SEC Chairman Gary Gensler, the new rules will “strengthen the transparency and quality of corporate financial statements, investor confidence in those statements, and the accountability of corporate executives to investors.” Commissioner Hester M. Peirce also released a statement, where she noted that implementing the statutory clawbacks mandate is “commendable,” but “doing it—expansively, inflexibly, and impractically—is not.” Peirce noted that the final rule “does not permit company boards, guided by their fiduciary duty, to determine when clawing back compensation makes sense,” and that “[s]uch an approach would have served shareholders by ensuring that companies claw back erroneously awarded compensation when doing so yields a net benefit to shareholders.” The final rules will become effective 60 days after publication in the Federal Register. Exchanges will be required to file proposed listing standards no later than 90 days following publication of the release in the Federal Register, with listing standards effective no later than one year following such publication.
NYDFS revises state CRA regulations
On October 26, NYDFS released revisions to its proposed state Community Reinvestment Act regulation, which would allow the Department to obtain the necessary data to evaluate the extent to which New York-regulated banking institutions are serving minority- and women-owned businesses in their communities. The revised proposed regulation addresses comments received during a prior 60-day comment period that began last November (covered by InfoBytes here), and is intended to minimize compliance burdens by making sure the regulation’s proposed language complements requirements in the CFPB’s proposed rulemaking for collecting data on credit access for small and minority- and women-owned businesses. Among other things, the revised proposed regulation would require regulated entities to inquire as to whether a business applying for a loan or credit is minority- or women-owned or both, and submit a report to the Department providing application details, such as the date, type of credit applied for and the amount, whether the application was approved or denied, and the size and location of the business. Additionally, the revised proposed regulation (i) establishes processes for regulated entities when soliciting, collecting, storing, and reporting information related to their provision of credit to minority- and women-owned businesses, including when requests for information should be made, and notifications informing applicants of their right to refuse to offer information in response to a request and that the provided information may not be used for any discriminatory purpose; (ii) provides that, to the extent feasible, underwriters should not be able to access information provided by an applicant; (iii) stipulates how long a regulated entity is required to preserve gathered information; and (iv) provides a sample data collection form that regulated entities may choose to use. According to NYDFS, the revisions are designed to make sure regulated entities abide by fair lending laws when collecting and submitting the necessary data. Comments will be accepted for 45 days following publication in the State Register.
CFPB launches rulemaking on consumers’ rights to their data
On October 27, the CFPB released a 71-page outline of proposals and alternatives under consideration related to the Bureau’s Dodd-Frank Section 1033 rulemaking efforts. The outline describes proposals under consideration that “would specify rules requiring certain covered persons that are data providers to make consumer financial information available to a consumer directly and to those third parties the consumer authorizes to access such information on the consumer’s behalf, such as a data aggregator or data recipient (authorized third parties).” Emphasizing that “[c]lear data rights for consumers have the potential to give individuals more bargaining leverage,” the Bureau claimed that companies compiling vast amounts of personal data, including information about consumers’ use of financial products and services, are able to monopolize the use of this data, thereby blocking competition and stifling the development of competitors’ products and services.
Highlights from the outline include a series of discussion questions for small businesses and a list of topics, including:
- Data providers subject to the proposals under consideration. The proposals, if finalized, would impact data providers, including “depository and non-depository financial institutions that provide consumer funds-holding accounts or that otherwise meet the Regulation E definition of financial institution, as well as depository and non-depository institutions that provide credit cards or otherwise meet the Regulation Z definition of card issuer.” Notably, “a financial institution would be a covered provider if it issues an ‘access device’ (as the term is defined in Regulation E § 1005.2(a)(1)), such as a digital credential storage wallet, and provides EFT services, even if it does not hold consumer accounts.” Additionally, “a card issuer would be a covered data provider if it issues a ‘credit card’ (as the term is defined in Regulation Z § 1026.2(a)(15)(i)), such as by issuing digital credential storage wallets, even if it does not hold consumer credit accounts.” The outline also defines covered accounts and states the Bureau is considering potential exemptions for certain data providers.
- Recipients of information. To be considered an authorized third party under the proposals, a third party must: (i) provide an “authorization disclosure” informing consumers of key terms of access; (ii) obtain consumers’ informed, express consent to the key terms of access contained within the authorization disclosure; and (iii) certify to consumers that it will abide by certain obligations related to the collection, use, and retention of a consumer’s information. The Bureau is considering proposals that would address “a covered data provider’s obligation to make information available upon request directly to a consumer (direct access) and to authorized third parties (third-party access).”
- Types of information covered data providers would need to make available. The outline proposes six categories of information data providers would have to make available with respect to covered accounts, including (i) periodic statement information; (ii) information on certain types of prior transactions and deposits that have not-yet-settled; (iii) information regarding prior transactions not typically shown on periodic statements or online account portals; (iv) online banking transactions that have not yet occurred; (v) account identity information; and (vi) other information, such as consumer reports, fees, bonuses, discounts, incentives, and security breaches that exposed a consumer’s identity or financial information.
- Exceptions to the requirement to make information available. The outline provides four exceptions to the requirement for making information available: (i) confidential commercial information; (ii) information obtained to prevent fraud, money laundering, or other unlawful conduct; (iii) information that is required to be kept confidential; and (iv) information a “data provider cannot retrieve in the ordinary course of business.”
- How and when information would need to be made available. The outline states the Bureau is considering ways to define the methods and the circumstances in which a data provider would need to make information available with respect to both direct access and third-party access.
- Third party obligations. The Bureau is examining proposals to limit authorized third parties’ collection, use, and retention of consumer information to that which “is reasonably necessary to provide the product or service the consumer has requested.” This includes (i) limiting duration, frequency, and retention periods; (ii) providing consumers a simple way to revoke authorization; (iii) limiting a third party’s secondary use of consumer-authorized information; (iv) requiring third parties to implement data security standards and policies and procedures to ensure data accuracy and dispute resolution; and (v) requiring third parties to comply with certain disclosure obligations, including a mechanism for consumers to request information about the extent and purposes of a third party’s access to their data.
- Record retention obligations. Proposals under consideration would establish requirements for data providers and third parties to demonstrate compliance with their obligations under the rule.
- Implementation period. The Bureau is seeking feedback on time frames to ensure consumers are able to benefit from a final rule, while also considering implementation factors for data providers and third parties.
An appendix to the highlights provides examples of ways the proposals would apply to hypothetical transactions involving consumer-authorized data access to an authorized third party.
The Bureau’s rulemaking process will include panel convenings, as mandated under the Small Business Regulatory Enforcement Fairness Act of 1996, after which the panel will prepare a report for the Bureau to consider as it develops the proposed rule. “Dominant firms shouldn’t be able to hoard our personal data and appropriate the value to themselves,” CFPB Director Rohit Chopra said in announcing the rulemaking outline. Chopra further elaborated on the rulemaking’s purposes during an industry event earlier in the week (covered by InfoBytes here) where he said the Bureau plans to propose requiring financial institutions that offer deposit accounts, credit cards, digital wallets, prepaid cards, and other transaction accounts to set up secure methods for data sharing as a way to “facilitate new approaches to underwriting, payment services, personal financial management, income verification, account switching, and comparison shopping.”
CFPB issues guidance on “junk fees”
On October 26, President Biden discussed guidance issued by the CFPB to help banks avoid charging illegal “junk fees” on deposit accounts. The Bureau’s Circular 2022-06 noted that overdraft fees can be considered an “unfair” practice and violate the Consumer Financial Protection Act (CFPA) even if such fees are in compliance with other laws and regulations. Specifically, the Circular noted that “overdraft fees assessed by financial institutions on transactions that a consumer would not reasonably anticipate are likely unfair.” The guidance further stated that unanticipated overdraft fees are likely to impose substantial injury on consumers that they cannot reasonably avoid and that are not outweighed by countervailing benefits to consumers or competition. The Bureau’s compliance bulletin on surprise depositor fees explained that a returned deposited item is a check that a consumer deposits into their checking account that is returned to the consumer because the check could not be processed against the check originator’s account. The bulletin stated that “blanket policies of charging returned deposited item fees to consumers for all returned transactions irrespective of the circumstances or patterns of behavior on the account are likely unfair under the [CFPA].” The Bureau further explained that indiscriminately charging depositor fees, regardless of circumstances, are likely illegal and noted that the bulletin is intended to put regulated entities on notice regarding how the agency plans to exercise its enforcement and supervisory authorities in the context of deposit fees. The bulletin urged financial institutions to charge depositor fees only in situations where a depositor could have avoided the fee, such as when a depositor repeatedly deposits bad checks from the same originator. The Bureau emphasized the guidance as part of its Junk Fee Initiative, noting that since it launched the initiative in January 2022, the CFPB has taken action to constrain “pay-to-pay” fees (covered by InfoBytes here), and has announced an advance notice of proposed rulemaking soliciting information from credit card issuers, consumer groups, and the public regarding late payments, credit card late fees, and card issuers’ revenue and expenses (covered by InfoBytes here).