InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FFIEC updates BSA/AML examination manual
On August 2, the Federal Financial Institutions Examination Council (FFIEC) updated its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, which provides examiners with instructions for assessing a bank or credit union’s BSA/AML compliance program and adherence to BSA regulatory requirements. The revisions include updates to the following sections:
- Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activity
- Due Diligence Programs for Correspondent Accounts for Foreign Financial Institutions
- Due Diligence Programs for Private Banking Accounts
- Prohibition on Correspondent Accounts for Foreign Shell Banks; Records Concerning Owners of Foreign Banks and Agents for Service of Legal Process
- Summons or Subpoena of Foreign Bank Records; Termination of Correspondent Relationship; Records Concerning Owners of Foreign Banks and Agents for Service of Legal Process
- Reporting Obligations on Foreign Bank Relationships with Iranian-Linked Financial Institutions
The FFIEC noted that the “updates should not be interpreted as new instructions or as a new or increased focus on certain areas,” but rather are intended to “provide information and considerations related to certain customers that may indicate the need for bank policies, procedures, and processes to address potential money laundering, terrorist financing, and other illicit financial activity risks.” In addition, the Manual itself does not establish requirements for financial institutions, which are found in applicable statutes and regulations but rather reinforce the agency’s risk-focused approach to BSA/AML examinations.
HUD and NAREB to educate consumers on appraisal bias
On August 2, HUD announced a partnership with the National Association of Real Estate Brokers to address appraisal bias and discrimination in the housing market. The collaboration, launching in October 2023, will include online training, roundtable discussions, and distribution of educational material designed to promote fairness in the housing market. HUD also referenced its involvement in the PAVE task force (covered by InfoBytes here), which is dedicated to ending bias in home valuation and has made critical progress since its launch in 2022.
Biden Administration to improve small business loan program
On August 1, the SBA announced implementation of additional policies aimed at expanding small business’ access to capital by modernizing SBA’s signature 7(a) and 504 Loan Programs. The new simplified guidelines for lenders include updated origination policies and procedures, lender participation requirements, and 7(a) loan servicing and liquidation requirements. SBA has also clarified affiliation standards to effectively communicate who qualifies for SBA loans, will use technology updates to bring eligibility determinations in-house, and will also use advanced data analytics and third-party data checks for fraud review on all loan programs before approval.
The following three SBA SOPs took effect on August 1, bringing many of the new policies into practice:
- SOP 50 10 7: Lender and Development Company Loan Programs: Contains SBA’s policies and procedures governing the 7(a) and 504 loan programs.
- SOP 50 56: Lender participation requirements: Contains the criteria for becoming an SBA Lender.
- SOP 50 57: 7(a) Loan Servicing and Liquidation: Contains the policies and procedures for 7(a) loan servicing and liquidation.
Finally, the SBA will begin accepting the Universal Purchase Package, a new feature that is expected to streamline the process for lenders to request SBA honor its loan guaranty. SBA will also introduce new features in E-TRAN, SBA’s online platform used by lenders to upload loan applications.
Biden Administration, agencies take action to protect renters
On July 27, the Biden administration released a fact sheet detailing new actions to develop the Blueprint for a Renters Bill of Rights, which was rolled out early this year (covered by InfoBytes here). The three new actions aim to support renters by (i) “ensuring all renters have an opportunity to address incorrect tenant screening reports”; (ii) “providing new funding to support tenant organizing efforts”; and (iii) “ensuring that renters are given fair notice in advance of eviction.” Additionally, the CFPB, USDA, FHFA, and HUD concurrently released statements aimed at landlords, reminding them of “best practices” and their obligation to inform tenants of their rights.
FHFA published Director Sandra L. Thompson’s statement on “best practices” for the delivery of adverse action notices to renters by GSE-backed multifamily housing borrowers. Referencing research showing that tenant screening reports often contain imprecise or inaccurate information, Director Thompson “strongly encouraged” borrowers who deny a rental application to provide written adverse action notices to the applicants and a copy of any consumer screening report that was relied upon. FHFA’s guidance is based on the FCRA’s requirement that landlords and property managers inform rental applicants of negative information from a consumer screening report that resulted in their rental application being rejected or another unfavorable outcome.
The CFPB posted a blog entry that emphasized landlords’ obligation under the FCRA adverse action notice requirement, which mandates that landlords who take any action against a current or prospective tenant based on a consumer report notify the tenant of the decision and how they can contact the company that created the report. The Bureau advised that renters have the right to review their rental background check report and to dispute information they believe to be inaccurate and encouraged tenants to obtain a free copy of the report from the company that compiled it and dispute any errors (covered by InfoBytes here).
In conjunction with the White House press release, HUD announced it is taking multiple actions to improve rental screening transparency and support renters. It is sending reminders to public housing agencies and property owners about their obligation to inform rejected applicants about reasons for their denial, which provides renters with the opportunity to correct any errors. Additionally, HUD is providing $10 million for tenant education and outreach in Section 8 program properties to assist tenants with “capacity building efforts” for engagement with property management. Furthermore, HUD will issue a proposed rule requiring a 30-day written notification for evictions due to nonpayment of rent in certain subsidized housing.
Also mentioned was the recent White House announcement of actions it is taking to combat “unfair and hidden fees” concerning rental housing (covered by InfoBytes here).
DOE recognizes states’ role in investigating student loan servicers
On July 24, the Department of Education (DOE) issued a final interpretation to clarify that the Higher Education Act (HEA) preempts state laws and other applicable federal laws “only in limited and discrete respects.” Specifically, the final interpretation revises and clarifies the DOE’s position on the legality of state laws and regulations regarding certain aspects of the federal student loan servicing, including preventing unfair or deceptive practices, correcting misapplied payments, or addressing servicers’ refusals to communicate with borrowers.
The final interpretation supersedes a 2021 DOE interpretation (covered by InfoBytes here), as well as prior statements and interpretations issued by the agency, which addressed state regulation of the servicing of student loans under the William D. Ford Federal Direct Loan Program and the Federal Family Education Loan Program. Following a review of public comments, the DOE modified its interpretation to more clearly describe the standard for conflict preemption, explaining that recent court rulings on the issue of conflict preemption have consistently found that the HEA does not prioritize maintaining uniformity in federal student loan servicing, and that as a result, the courts have upheld the authority of individual states to address fraud and affirmative misrepresentations in the federal student aid program without being hindered by federal preemption. Additionally, the DOE noted that courts have consistently applied conflict preemption to state laws that require licensing of the DOE’s student loan servicers, particularly in limited circumstances where the licensing requirement aims to disqualify a federal contractor from operating within the state. The final interpretation states that it is firmly established that states cannot hinder the federal government's ability to choose its contractors by imposing such licensing requirements, noting that two courts recently concluded that such preemption also applies to a state’s refusal to license federal student loan servicers.
The final interpretation is effective immediately.
SEC proposes rules for addressing conflicts of interest raised by predictive data analytics
On July 26, the SEC issued proposed rules under the Securities Exchange Act of 1924 and the Investment Advisors Act of 1940 to address certain conflicts of interest associated with the use of predictive data analytics, including artificial intelligence (AI) and similar technologies, “that optimize for, predict, guide, forecast, or direct investment-related behaviors or outcomes.” The SEC explained that broker-dealers and investment advisors (collectively, “firms”) are increasingly using AI to improve efficiency and returns but cautioned that, due to the scalability of these technologies and the potential for firms to quickly reach a large audience, any resulting conflicts of interest could result in harm to investors that is more pronounced and on a broader scale than previously possible.
Based on existing legal standards, the proposed rules generally would require a firm to identify and eliminate, or neutralize, the effects of conflicts of interest that result in the firm’s (or associated persons) interests being placed ahead of investors’ interests. Firms, however, would be permitted to employ tools that they believe would address such risks and that are specific to the particular technology being used. Firms that use covered technology for investor interactions would also be required to have written policies and procedures in place to ensure compliance with the proposed rules, the SEC said. These policies and procedures must include a process for evaluating the use of covered technology in investor interactions and addressing any conflicts of interest that may arise. Firms must also maintain books and records related to these requirements. Comments on the proposed rules are due 60 days after publication in the Federal Register.
SEC adopts breach-reporting rules, establishes requirements for cybersecurity risk management
On July 26, a divided SEC adopted a final rule outlining disclosure requirements for publicly traded companies in the event of a material cybersecurity incident. The final rule (proposed last year and covered by InfoBytes here) also requires companies to periodically disclose their cybersecurity risk management processes and establishes requirements for how cybersecurity disclosures must be presented. The final rule requires that material cybersecurity incidents be disclosed within four days from the time a company determines the incident was material (a disclosure may be delayed should the U.S. attorney general notify the SEC in writing that immediate disclosure poses a substantial risk to national security or public safety). Companies must also identify material aspects of the incident’s nature, scope, and timing, as well as its impact or reasonably likely impact on the company, and are required to describe their board’s and management’s oversight of risks from cybersecurity threats and previous cybersecurity incidents. These disclosures will be required in a company’s annual report. The final rule will also mandate foreign private issuers to provide comparable disclosures on forms related to material cybersecurity incidents and risk management, strategy, and governance.
The final rule is effective 30 days following publication of the adopting release in the Federal Register. The SEC noted that incident-specific disclosures will be required in Forms 8-K and 6-K beginning either 90 days after the final rule’s publication in the Federal Register or on December 18, whichever is later, though smaller reporting companies are provided an extra 180 days before they must begin providing such disclosures. Annual disclosures on cyber risk management, strategy, and governance will be required in Form 10-K and Form 20-F reports starting with annual reports for fiscal years ending on or after December 15. In terms of structured data requirements, all companies must tag disclosures in the required format beginning one year after initial compliance with the related disclosure requirement.
SEC Chair Gary Gensler commented that, in response to public comments received on the proposed rule, the final rule “streamlines required disclosures for both periodic and incident reporting” and requires companies “to disclose only an incident’s material impacts, nature, scope, and timing, whereas the proposal would have required additional details, not explicitly limited by materiality.”
In voting against the final rule, Commissioner Hester M. Pierce raised concerns that the final rule’s compliance timelines are overly aggressive even for large companies and that the short incident disclosure period could potentially mislead otherwise uninformed investors and “lead to disclosures that are ‘tentative and unclear, resulting in false positives and mispricing in the market.’” The final rule allows a company to update its incident disclosure with new information in subsequent reports that was unavailable at first and could impact investors who may suffer a loss due to the mispricing of the company’s securities following the initial reporting, Pierce said. She also criticized the risk to national security or public safety exemption as being overly narrow. Commissioner Mark Uyeda also opposed the adoption, writing that “[n]o other Form 8-K event requires such broad forward-looking disclosure that needs to be constantly assessed for a potential amendment.” Uyeda also questioned whether “[p]remature public disclosure of a cybersecurity incident at one company could result in uncertainty of vulnerabilities at other companies, especially if it involves a commonly used technology provider, [thus] resulting in widespread panic in the market and financial contagion.”
Agencies propose new capital requirements for biggest banks
On July 27, the FDIC’s Board of Directors unveiled proposed interagency amendments to the regulatory capital requirements for the largest and most complex banks in the United States. The notice of proposed rulemaking (NPRM), issued jointly by the FDIC, OCC, and the Federal Reserve Board (and passed by an FDIC Board vote of 3-2 and a Fed vote of 4-2), would revise capital requirements for large banking organizations with at least $100 billion in assets, as well as certain banking organizations with significant trading activity. (See also FDIC fact sheet here.) The proposed changes would implement the final components of the Basel III agreement—recent changes made to international capital standards issued by the Basel Committee on Banking Supervision—as well as modifications made in response to recent bank failures in March, the agencies said.
Specifically, the NPRM would implement standardized approaches for market risk and credit valuation adjustment risk by amending the way banks calculate their risk-weighted assets. According to FDIC FIL-38-2023, the new “expanded risk-based approach” would incorporate a standardized approach for credit risk and operational risk, a revised internal models-based approach, a new standardized measure for market risk, and a new revised approach for credit valuation adjustment. Banks subject to Category III and IV standards would also be required “to calculate their regulatory capital in the same manner as banking organizations subject to Category I and II standards, including the treatment of accumulated other comprehensive income, capital deductions, and rules for minority interest.” Additionally, the supplementary leverage ratio and the countercyclical capital buffer would be applied to banks subject to Category IV standards.
The agencies said the proposed modifications are intended to:
- Better reflect banks’ underlying risks;
- Increase transparency and consistency by revising the capital framework in four main areas: credit, market, operational, and credit valuation adjustment risk;
- Strengthen the banking system, by applying consistent capital requirements across large banks by requiring institutions to (i) include unrealized gains and losses from certain securities in capital ratios; (ii) comply with the supplementary leverage ratio requirement; and (iii) comply with the countercyclical capital buffer, if activated.
The agencies predict that these changes will “result in an aggregate 16 percent increase in common equity tier 1 capital requirements for affected bank holding companies, with the increase principally affecting the largest and most complex banks.” The impact would vary by bank based on activities and risk profiles, the agencies stated, noting that most banks currently have enough capital to meet the proposed requirements. The NPRM would not amend capital requirements for smaller, less complex banks or for community banks. The agencies propose a three-year phased-in transition process beginning July 1, 2025, to provide banks sufficient time to accommodate the changes and minimize potentially adverse impacts. The changes would be fully phased in on July 1, 2028.
Separately, the Fed also issued an NPRM on a proposal that would modify certain provisions relating to the calculation of the capital surcharge for the largest and most complex banks in order to “better align the surcharge to each bank’s systemic risk profile. . .by measuring a bank’s systemic importance averaged over the entire year, instead of only at the year-end value.”
Comments on both NPRMs are due November 30.
FDIC Chairman Martin Gruenberg stressed that “[e]nhanced resilience of the banking sector supports more stable lending through the economic cycle and diminishes the likelihood of financial crises and their associated costs.” Also voting in favor of the NPRM was CFPB Chairman and FDIC Board Member Rohit Chopra who expressed interest in feedback from the public on ways to simplify the methodologies used to calculate the requirements. Acting Comptroller of the Currency Michael also voted in favor and encouraged commenters “to include assumptions about capital distributions and competition from banks and other financial institutions in their analyses of the impacts of the proposal on lending and economic growth.”
Voting against the new standards, FDIC Vice Chairman Travis Hill argued that while he supports strong capital requirements, he has several “concerns with the impact of excessive gold plating of international standards.” He stressed that the “proposal rejects the notion of capital neutrality and takes a starkly different path, ‘gold plating’ the new Basel standard in a number of ways and dramatically increasing capital requirements for banks with certain business models.”
FHA proposes to change lender and mortgagee requirements, clarify GSE definition
On July 18, FHA announced a proposed rule for public comment that would revise requirements for investing lenders and mortgagees “to gain or maintain status as an FHA-approved lender or mortgagee.” The proposed rule would also “separately define Government-Sponsored Enterprises (GSEs) and the Federal Home Loan Banks (FHLB) from other governmental entities and align general FHA approval standards with current industry business practices.” The proposed changes are mainly aimed at accommodating more precise language and definitions concerning an investing lender or mortgagee's limited participation in FHA programs. According to FHA, these changes do not represent a significant departure from existing requirements for most lenders and mortgagees involved in originating, endorsing, or servicing FHA-insured loans. Through the proposed rule, HUD proposes to: (i) “separately define the GSEs and their approval requirements from other Federal, State, or municipal governmental agencies and Federal Reserve Banks”; (ii) include Freddie Mac, Fannie Mae, and the FHLBs in the GSE definition; (iii) add language to require investing lenders and mortgagees to comply with applicable audit and financial statement requirements; and (iv) “clarify that investing lenders and mortgagees must comply with FHA’s annual certification requirements.”
FTC proposal would allow facial recognition for consent under COPPA
On July 19, the FTC announced it is seeking public feedback on whether it should approve an application that proposes to create a new method for obtaining parental consent under the Children’s Online Privacy Protection Act (COPPA). The new method would involve analyzing a user’s facial geometry to confirm the individual’s age. Under COPPA, online sites and services directed to children under 13 are required to obtain parental consent before collecting or using a child’s personal information. COPPA provides a number of acceptable methods for obtaining parental consent but also allows interested parties to submit proposals for new verifiable parental consent methods to the FTC for approval.
The application was submitted by a company that runs a COPPA safe harbor program, along with a digital identity company and a technology firm that helps companies comply with parental verification requirements. Specifically, the FTC’s request for public comment solicits feedback on several questions relating to the application, including: (i) whether the proposed age verification method is covered by existing methods; (ii) whether the proposed method meets COPPA’s requirements for parental consent (i.e., can the proposed method ensure that the person providing consent is the child’s parent); (iii) does the proposed method introduce a privacy risk to consumers’ personal information, including their biometric information; and (iv) does the proposed method “pose a risk of disproportionate error rates or other outcomes for particular demographic groups.” Comments are due 30 days after publication in the Federal Register.