InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FHA to accept private flood insurance for FHA-insured mortgages
On November 21, FHA published a final rule in the Federal Register to allow homeowners with FHA-insured mortgages to obtain flood insurance policies that meet FHA requirements from private insurance providers. Specifically, the Acceptance of Private Flood Insurance for FHA-Insured Mortgages final rule updates agency regulations to give borrowers the option to purchase a comparable private insurance policy that conforms to FHA requirements in lieu of a National Flood Insurance Program (NFIP) policy for FHA-insured mortgages secured by properties located in FEMA-designated special flood hazard areas (SFHAs). Previously, only flood insurance obtained through the NFIP was accepted. The final rule applies to all FHA-insured single family Title II mortgages, including home equity conversion mortgages, and loans insured under FHA Title I programs. Lenders should refer to Mortgagee Letter 2022-18 for guidance on implementing the final rule’s requirements, which are effective December 21.
Concurrently, HUD issued a press release stating that beginning December 21, “FHA will require lenders to provide detailed flood insurance coverage information when electronically submitting mortgages for FHA insurance on properties in SFHAs.” According to HUD, “[t]his data collection is an objective included in HUD’s Climate Action Plan and will allow FHA to capture and analyze flood insurance information on mortgages in its portfolio at a more granular level than has been possible previously.”
FTC seeks feedback on possible changes to Business Opportunity Rule
On November 17, the FTC announced it is soliciting public comments on possible modifications to the Business Opportunity Rule. According to the FTC’s advance notice of proposed rulemaking (ANPR), the Commission is seeking feedback on the rule’s effectiveness, whether it is necessary, and whether it should be expanded to cover other types of money-making opportunities, such as coaching or mentoring programs, e-commerce opportunities, or investment opportunities. The Business Opportunity Rule prohibits the use of deceptive statements when selling business opportunities, and requires sellers to make several key disclosures to potential buyers, including: (i) the seller’s identifying information; (ii) information supporting claims about possible earnings or profits; (iii) disclosures about whether the seller, its affiliates, or key personnel have been included in certain legal actions; (iv) information on whether the seller has a cancellation or refund policy and any applicable policy terms; and (v) a list covering the past three years of consumers who have purchased the business opportunity. The FTC will also require sellers who conduct business in languages other than English to provide disclosures in the language in which the sale is conducted.
The ANPR also asks commenters to address whether business opportunity practices “disproportionately target or affect certain communities or groups, including but not limited to people living in lower-income communities, communities of color, or other historically underserved communities,” and requests feedback on suggested amendments to address any negative effects. Comments on the ANPR are due 60 days after publication in the Federal Register.
FTC extends compliance on some Safeguards provisions
On November 15, the FTC announced that covered financial institutions now have until June 9, 2023, to comply with certain updated Safeguards Rule requirements. The Commission issued this extension based on reports, including a letter from the SBA’s Office of Advocacy, that a shortage of qualified personnel to implement financial institutions’ information security programs and supply chain issues could delay security system upgrades.
As previously covered by InfoBytes, in October 2021, the FTC issued a final rule updating the Safeguards Rule to strengthen data security protections for consumer financial information following widespread data breaches and cyberattacks. Among other things, the final rule added specific criteria financial institutions and other entities, such as mortgage brokers, motor vehicle dealers, and payday lenders, must undertake when conducting a risk assessment and implementing an information security program. Among other requirements, these include implementing provisions related to access controls, data inventory and classification, authentication, encryption, disposal procedures, and incident response. The final rule also added measures to ensure employee training and service provider oversight are effective and expanded the definition of “financial institution” to include “entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities.” Included in the definition are “finders” (i.e. companies that bring together buyers and sellers of products or services that fall within the scope of the Safeguards Rule). While many provisions of the Safeguards Rule became effective 30 days after publication in the Federal Register, certain other provisions, including requirements applicable to covered financial institutions, were set to take effect December 9, 2022.
CFPB finalizes nonbank supervisory rule
On November 10, the CFPB announced a final rule finalizing changes to a nonbank supervision procedural rule issued in April. As previously covered by InfoBytes, the Bureau announced earlier this year that it was invoking a “dormant authority” under the Dodd-Frank Act to conduct supervisory examinations of fintech firms and other nonbank financial services providers based upon a determination of risk. Specifically, the Bureau said it intends to use a provision under Section 1024 of Dodd-Frank that allows it to examine nonbank financial entities, upon notice and an opportunity to respond, if it has “reasonable cause” to determine that consumer harm is possible. Concurrently, the Bureau issued a request for public comment on an updated version of a procedural rule that implements its statutory authority to supervise nonbanks “whose activities the CFPB has reasonable cause to determine pose risks to consumers,” including potentially unfair, deceptive, or abusive acts or practices. Provisions outlined in the procedural rule would exempt final decisions and orders by the Bureau director from being considered confidential supervisory information, thus allowing the Bureau to publish the decisions on its website. Subject companies would be given an opportunity seven days after a final decision is issued to provide input on what information, if any, should be publicly released, the Bureau said.
After reviewing public comments received on the procedural rule, the Bureau incorporated certain changes to clarify the standard that the agency will apply when deciding what information is appropriate for public release, in whole or in part. The Bureau explained that information falling within Freedom of Information Act Exemptions 4 and 6 (which protect confidential commercial information and personal privacy) will not be published. Additionally, the Bureau said it may also choose to withhold information if the director determines there is other good cause to do so. The final rule also extends the deadline from seven to ten business days for nonbanks to submit input about what information should be released. The final rule will take effect upon publication in the Federal Register.
Notably, the Bureau emphasized that the “amended procedures only relate to the initial decision to extend supervision to a nonbank entity” and “do not affect the confidentiality of any ensuing supervisory examination or any other aspect of the supervisory process.”
FTC looks to Section 5 in enforcing “unfair” competition
On November 10, the FTC issued a policy statement announcing that it would “rigorously enforc[e] the federal ban on unfair methods of competition.” According to the announcement, the FTC intends to make wider use of the FTC Act to police companies that use unfair tactics to try to gain a competitive advantage. “When Congress created the FTC, it clearly commanded us to crack down on unfair methods of competition,” FTC Chair Lina M. Khan said. “Enforcers have to use discretion, but that doesn’t give us the right to ignore a central part of our mandate. Today’s policy statement reactivates Section 5 and puts us on track to faithfully enforce the law as Congress designed.” In enacting Section 5, Congress purposely introduced the phrase “unfair methods of competition” in the statute to distinguish the FTC’s authority from the definition of “unfair competition” at common law, the policy explained, adding that Section 5 was designed to extend beyond the reach of antitrust laws. However, recognizing that a static definition would become outdated, Congress afforded the FTC flexibility to adapt to changing circumstances. The policy statement lays out the FTC’s approach for policing unfair methods of competition, and will allow the Commission to, among other things, sue companies under its mandate to protect consumers from fraudulent practices, price discrimination, exclusive deals and loyalty rebates, and misleading business practices such as commercial bribery and false or deceptive advertising.
CFPB tells CRAs, furnishers to investigate disputes
On November 10, the CFPB issued Circular 2022-07 to outline how federal and state consumer protection enforcers can bring claims against companies that fail to investigate and resolve consumer report disputes. According to the Bureau, consumer reporting agencies (CRAs) and some furnishers have failed to conduct reasonable investigations of consumer disputes. The Circular affirmed that CRAs and furnishers must reasonably investigate all disputes that they have not reasonably determined to be frivolous or irrelevant, and may be liable under the Fair Credit Reporting Act if they fail to do so. Additionally, the Circular noted that claims can be pursued by both state and federal consumer protection enforcers and regulators. The Circular also described that enforcers can “bring a claim if a consumer reporting agency fails to promptly provide to the furnisher ‘all relevant information’ regarding the dispute that the consumer reporting agency receives from the consumer.” On the topic of whether CRAs need to forward to furnishers consumer-provided documents attached to a dispute, the Circular noted that “[i]t depends.” The Circular then explained that even “[w]hile there is not an affirmative requirement to specifically provide original copies of documentation submitted by consumers, it would be difficult for a consumer reporting agency to prove they provided all relevant information if they fail to forward even an electronic image of documents that constitute a primary source of evidence.”
NYDFS amends cybersecurity regs
On November 9, NYDFS proposed expanded amendments to the state’s cybersecurity regulation (23 NYCRR 500) to strengthen the Department’s risk-based approach for ensuring cybersecurity risk is integrated into regulated entities’ business planning, decision making, and ongoing risk management. NYDFS’ cybersecurity regulation took effect in March 2017 (covered by InfoBytes here) and imposes a series of cybersecurity requirements for banks, insurance companies, and other financial services institutions. NYDFS is proposing the new amendments via a data-driven approach to ensure regulated entities implement effective controls and best practices to protect consumers and businesses. “With cyber-attacks on the rise, it is critical that our regulation keeps pace with new threats and technology purpose-built to steal data or inflict harm,” Superintendent Adrienne A. Harris said in the announcement. “Cyber criminals go after all types of companies, big and small, across industries, which is why all of our regulated entities must comply with these standards – whether a bank, virtual currency company, or a health insurance company.”
Some changes within the proposed amended regulation include:
- New Obligations for Larger Companies. The proposed amended regulation adds a new subcategory of larger covered entities called “Class A companies,” which would be subject to additional security and external auditing requirements in addition to the general requirements that apply to all covered entities. This includes, among other things, a requirement to have an external audit of a Class A company’s cybersecurity program annually. Class A companies are defined as covered entities with at least $20 million in gross annual revenue in each of the last two fiscal years (generated from the business operations of a covered entity and its affiliates in New York) that have either (i) more than 2,000 employees averaged over the last two fiscal years (includes both the covered entity and all affiliates despite the location); or (ii) over $1 billion in gross annual revenue in each of the last two fiscal years (generated from all business operations of a covered entity and all of its affiliates).
- Cybersecurity Governance. The proposed amended regulation provides several enhancements to the Part 500 governance requirements including:
- The chief information security officer (CISO) must have adequate authority to ensure that cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.
- The CISO must present an annual written report to the covered entity’s senior governing body that addresses the covered entity’s cybersecurity program as well as five topics described in the regulation and the company’s plans for remediating material inadequacies.
- The CISO must timely report to the senior governing body material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cyber events.
- If the covered entity has a board of directors or equivalent, the board or an appropriate committee shall have sufficient expertise and knowledge (or be advised by persons with sufficient knowledge and expertise) to exercise effective oversight of cyber risk management.
- Notice of Compliance. The annual certification of compliance must be signed by the covered entity’s highest-ranking executive and its CISO. The proposed amended regulation would allow a covered entity to choose to alternatively provide written acknowledgement that a covered entity did not fully comply with the regulation by describing the areas of noncompliance, including areas, systems, and processes that require material improvement, updating, or redesign, and a remedial plan and timeline for their implementation.
- Requirements for Resiliency, Business Continuity, and Disaster Recovery Plans. The proposed amended regulation adds significant documentation and technical requirements for business continuity and disaster recovery plans, including: (i) designation of essential data and personnel; (ii) communication preparations; (iii) back-up facilities; and (iv) identification of necessary third parties.
- Risk Assessments. The proposed amended regulation expands the definition of risk assessment. A covered entity’s risk assessment shall be reviewed and updated at least annually and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. Class A companies are required to use external experts to conduct a risk assessment at least once every three years.
- Technology. The proposed amended regulation adds several significant mandatory security control requirements, including:
- Asset Inventory: Each covered entity will be required to implement written policies and procedures to ensure a complete, accurate, and documented asset inventory. At a minimum, the policies and procedures should include a method to track key information for each asset, including, as applicable, the owner, location, classification or sensitivity, support expiration date, and recovery time requirements.
- Privilege Management: The proposed amended regulation introduces additional standards for privilege management, including, among other things, that covered entities must (i) limit privileged accounts to only those that are necessary and to conduct only specific functions; (ii) conduct access reviews on at least an annual basis; (iii) disable or securely configure remote access protocols; and (iv) promptly terminate access privileges for departing users.
- Multi-Factor Authentication: The proposed amendment expands the type of accounts and access types that require multi-factor authentication, to include all privileged accounts.
- Vulnerability Management: Cybersecurity programs must now, through policies and procedures, explicitly address internal and external vulnerabilities, remediate issues in a timely manner, and report material issues to senior management.
- Reporting Requirements. The proposed amended regulation contains provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or “deployment of ransomware within a material part of the covered entity’s information system.” This timeframe also applies to cybersecurity events that occur at a third-party service provider. Entities would also be directed to provide the superintendent within 90 days of the notice of the cybersecurity event “any information requested regarding the investigation of the cybersecurity event.” Additionally, entities would also be directed to alert the Department within 24 hours of making a ransom payment. Within 30 days, entities must also explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations, including federal sanctions implications.
- Small Business Exemption. NYDFS noted in its announcement that based on industry feedback as well as the operating realities facing small businesses, it is proposing to raise the exemption threshold for small companies. If adopted, limited exemptions will be provided to covered entities with (i) fewer than 20 employees, including any of the entity’s independent contractors or its affiliates located in the state or that are responsible for the business of a covered entity; (ii) less than $5 million in gross annual revenue in each of the last three fiscal years from business operations of a covered entity and its affiliates in the state; and (iii) less than $15 million in year-end total assets, including the assets of all affiliates.
The proposed amended regulation is subject to a 60-day comment period beginning on November 8th upon publication in the State Register. NYDFS stated it looks forward to receiving feedback on the proposed amended regulation during this comment period. As the comment period ends, NYDFS will then review received comments and either repropose a revised version or adopt the final regulation. Covered entities will have 180 days from the effective date to comply except as otherwise specified.
See continuing InfoBytes coverage on 23 NYCRR Part 500 here.
SBA seeks to end SBLC moratorium
On November 7, SBA published a proposed rule in the Federal Register seeking to lift the moratorium on licensing new small business lending companies (SBLCs) and adding a new type of entity called a “Mission-Based SBLC.” The moratorium was imposed in 1982, after the agency lacked adequate resources to effectively service and supervise additional SBLCs participating in SBA’s 7(a) loan program beyond the 14 it was authorized to approve. According to SBA, while the majority of 7(a) lenders are federally-regulated depository institutions, “SBLCs are regulated, supervised, and examined solely by SBA” and “are subject to specific regulations regarding formation, capitalization, and enforcement actions.” SBA explained that there are capital market gaps in certain markets that “continue to struggle to obtain financing on non-predatory terms.” The proposed rule seeks to lift the licensing moratorium and further create the Mission-Based SBLC to help bridge the financing gap. Mission-Based SBLCs will be nonprofit entities that will help SBA meet the needs of underserved communities and increase opportunities for access to capital in precisely targeted capital market gaps. Comments on the proposed rule are due January 6, 2023.
CPPA says comments on modified draft privacy rules due November 21
On November 3, the California Privacy Protection Agency (CPPA) Board officially posted updated draft rules for implementing the Consumer Privacy Rights Act of 2020, which amends and builds on the California Consumer Privacy Act of 2018. The draft rules were previously released in advance of a CPPA Board meeting held at the end of October (see previous InfoBytes coverage here for a detailed breakdown of the proposed changes). A few notable changes between the versions include:
- A requirement that a business must treat an opt-out preference signal as a valid request to opt out of sale/sharing for not only that browser or device but also for “any consumer profile associated with that browser or device, including pseudonymous profiles.”
- A requirement that if a business does not ask a consumer to affirm their intent with regard to a financial incentive program, “the business shall still process the opt-out preference signal as a valid request to opt-out of sale/sharing for that browser or devise and any consumer profile the business associates with that browser or device.” However if a consumer submits an opt-out of sale/sharing request but does not affirm their intent to withdraw from a financial incentive program, the business may ignore the opt-out preference signal with respect to the consumer’s participation in the financial incentive program.
- The addition of the following provision: “As part of the Agency’s decision to pursue investigations of possible or alleged violations of the CCPA, the Agency may consider all facts it determines to be relevant, including the amount of time between the effective date of the statutory or regulatory requirement(s) and the possible or alleged violation(s) of those requirements, and good faith efforts to comply with those requirements.”
Comments on the amended draft rules are due November 21 by 8 am PT.
Fed asks for comments on publicizing FRB master accountholders
On November 4, the Federal Reserve Board issued a notice and request for comment seeking feedback on proposed amendments to its Guidelines for Evaluating Account and Services Requests. Specifically, the proposed amendments would require the Federal Reserve Banks to publish a periodic list of depository institutions that have access to Reserve Bank accounts (often known as “master accounts”) and payment services. In August, the Fed adopted final guidance establishing “a transparent, risk-based, and consistent set of factors for Reserve Banks to use in reviewing requests to access these accounts and payment services.” Recognizing that the longstanding practice of both the Fed and the Reserve Banks “has been to not disclose account-related information to the general public on the basis that such information is considered confidential business information,” the Fed said it is considering “the potential benefits of expanding the disclosure of the names of institutions that have access to accounts and services” following comments received from stakeholders that called for greater public disclosure of account-related information. Comments are due 60 days after publication in the Federal Register.