
InfoBytes Blog

Financial Services Law Insights and Observations


  • SEC proposes amendments to cybersecurity risk management

    Securities

    On March 9, the SEC announced proposed amendments to standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies. The proposed amendments would require, among other things, “current reporting about material cybersecurity incidents and periodic reporting to provide updates about previously reported cybersecurity incidents.” Specifically, firms would be required to describe their policies and procedures for the identification and management of cyber risks, provide information about the board’s oversight of and management’s role in cybersecurity risk, and disclose whether a member of the board has expertise in cybersecurity. According to the SEC, “[t]he proposed amendments are intended to better inform investors about a registrant's risk management, strategy, and governance and to provide timely notification to investors of material cybersecurity incidents.” Comments are due 60 days after publication in the Federal Register.

    The same day, the SEC published a fact sheet clarifying, among other things, how the amendments would apply and what would be required. SEC Chair Gary Gensler issued a statement saying he was “pleased to support this proposal because, if adopted, it would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” In a dissenting statement, SEC Commissioner Hester M. Peirce said the proposed amendments “flirt[] with casting us as the nation’s cybersecurity command center, a role Congress did not give us,” and argued that the “precise disclosure requirements look more like a list of expectations about what issuers’ cybersecurity programs should look like and how they should operate.”

    Securities, SEC, Agency Rule-Making & Guidance, Privacy/Cyber Risk & Data Security, Disclosures, Data Breach

  • Fed reshaping “novel institutions” guidelines

    On March 1, the Federal Reserve Board announced that it is soliciting comments on a supplement to a previous proposal intended to ensure that the Federal Reserve Banks use a transparent and consistent set of factors when reviewing requests to access Federal Reserve Bank accounts and payment services. The framework, which builds on a proposal from May 2021 (covered by InfoBytes here), would establish a three-tier system. Tier 1 would consist of eligible institutions that are federally insured, and would be “subject to a less intensive and more streamlined review.” Tier 2 would consist of certain eligible institutions or holding companies that are not federally insured but are subject to prudential supervision, and would generally receive an “intermediate” level of review. Tier 3 would consist of eligible institutions that are “not federally insured and not subject to prudential supervision by a federal banking agency at the institution or holding company level,” and, given their potentially higher risk, “would be subject to the strictest level of review.” Comments close 45 days after publication in the Federal Register.

    Bank Regulatory, Agency Rule-Making & Guidance, Federal Reserve, Federal Reserve Banks, Federal Register, Payments, Fintech

  • CFPB reviewing 2,100 comments on small business data collection

    Federal Issues

    On February 22, the CFPB filed its eighth status report in the U.S. District Court for the Northern District of California, as required under a stipulated settlement reached in February 2020 with a group of plaintiffs, including the California Reinvestment Coalition, related to the collection of small business lending data. The settlement (covered by InfoBytes here) resolved a 2019 lawsuit that sought an order compelling the Bureau to issue a final rule implementing Section 1071 of the Dodd-Frank Act, which requires the Bureau to collect and disclose data on lending to women and minority-owned small businesses. The current status report states that the Bureau has met the deadlines under the stipulated settlement, which included issuing its long-awaited proposed rule (NPRM) last September. As covered by a Buckley Special Alert, the NPRM would require a broad swath of lenders to collect small business loan data, including information about the loans themselves, borrower characteristics, and demographic information regarding the borrower’s principal owners. This information would be reported annually to the Bureau and published by the Bureau on its website. The Bureau notes in its status report that the NPRM’s comment period ended on January 6. The Bureau is currently reviewing approximately 2,100 comments submitted via the public docket and will confer with plaintiffs regarding an appropriate deadline for issuing a final rule.

    Find continuing Section 1071 coverage here.

    Federal Issues, CFPB, Section 1071, Small Business Lending, Dodd-Frank, Courts, SBREFA, Agency Rule-Making & Guidance

  • State AGs urge FTC to take action on impersonation scams

    State Issues

    On February 23, a coalition of state attorneys general sent a letter to FTC Chair Lina M. Khan, responding to the Commission’s advance notice of proposed rulemaking and urging the FTC to target “impersonation scams” to ensure consumers are protected from harm. As previously covered by InfoBytes, last December the FTC issued a request for comments on a wide range of questions related to government and business impersonation fraud. According to the FTC, reported losses due to impersonation fraud have spiked during the Covid-19 pandemic, with data from the Social Security Administration reporting $2 billion in total losses between October 2020 and September 2021. The AGs commented that overall, they “believe there is a pressing need for FTC rulemaking to address the scourge of impersonation scams impacting consumers across the United States,” noting that “[a] national rule that encompasses and outlaws such commonly experienced scams discussed [within the letter] would assist attorneys general and their partners in reducing consumer harm, maximizing consumer benefits, and holding bad actors to account.” Among other things, the letter discussed state-specific consumer complaints related to business impersonation, document preparation, regulatory compliance, and lead generation scams, and urged the FTC to explore the means and instrumentalities used in these types of fraud. One example, the AGs pointed out, is impersonators using third-party payment processing services to effectuate their scams, oftentimes requiring certain payment methods for fictitious overdue mortgage, utility, and student loan debts. In stressing the “burgeoning need for a robust standard outlawing impersonation scams,” the AGs stated that “[w]hen a specific type of unfair or deceptive business practice becomes so prevalent, Commission rulemaking is appropriate.” They further added that these efforts are welcomed as part of their ongoing collaborative relationship with the FTC.

    State Issues, State Attorney General, FTC, Fraud, Consumer Protection, Agency Rule-Making & Guidance

  • FHFA finalizes enterprise regulatory capital framework

    Agency Rule-Making & Guidance

    On February 25, FHFA announced a final rule, which amends the Enterprise Regulatory Capital Framework (ERCF) by refining the prescribed leverage buffer amount (leverage buffer) and risk-based capital treatment of retained credit risk transfer (CRT) exposures for Fannie Mae and Freddie Mac (collectively, GSEs). Among other things, the final rule: (i) replaces the fixed leverage buffer equal to 1.5 percent of a GSE's adjusted total assets with a dynamic leverage buffer equal to 50 percent of the GSE's stability capital buffer; (ii) replaces the prudential floor of 10 percent on the risk weight assigned to any retained CRT exposure with a prudential floor of 5 percent on the risk weight assigned to any retained CRT exposure; and (iii) removes the requirement that a GSE must apply an overall effectiveness adjustment to its retained CRT exposures in accordance with the ERCF’s securitization framework. Additionally, the final rule implements technical corrections to provisions of the ERCF that were published in December 2020. (Covered by InfoBytes here.) The ERCF amendments and technical corrections will be effective 60 days after publication in the Federal Register.

    Agency Rule-Making & Guidance, Federal Issues, GSE, FHFA, Fannie Mae, Freddie Mac, Federal Register

  • NIST to update cybersecurity framework with a focus on supply chain risk

    Privacy, Cyber Risk & Data Security

    On February 22, the National Institute of Standards and Technology (NIST) published a notice and request for information (RFI) in the Federal Register seeking information to assist in the evaluation and improvement of the agency’s “Framework for Improving Critical Infrastructure Cybersecurity,” as well as other existing and potential standards related to supply chain cybersecurity. NIST stated it is considering updating the framework (last updated in 2018) to account for the changing landscape of cybersecurity risks, technologies, and resources, and noted that it recently announced it intends to launch the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to address cybersecurity risks in this space. Responses to the RFI will help inform the direction of the NIICS, including how it may be integrated and aligned with the framework. NIST explained that the framework outlines standards and guidance for private and public sector companies on how to prevent and respond to cyber threats. Acknowledging that much has changed in the cybersecurity landscape since the framework was last updated, including an increased awareness and emphasis on supply chain cybersecurity risks, the RFI seeks information that will support the identification and prioritization of supply chain-related cybersecurity needs across sectors. Among other things, NIST is interested in: the usefulness of the framework for managing risks; the relationship of the framework to other NIST risk management resources; and how companies manage security risks to their software supply chains and whether this area of increasing concern should be incorporated into the framework, or whether a new, separate framework focusing on cybersecurity supply chain risk management might be more valuable. Comments are due April 25.

    Privacy/Cyber Risk & Data Security, NIST, Agency Rule-Making & Guidance, Federal Register, Risk Management, Supply Chain

  • CFPB seeks to prevent algorithmic bias

    Agency Rule-Making & Guidance

    On February 23, the CFPB released an outline of possible options for upcoming rulemaking to prevent algorithmic bias in automated home valuation models (AVMs). Dodd-Frank mandates that the Bureau, Federal Reserve Board, OCC, FDIC, NCUA, and FHFA engage in joint agency rulemaking to strengthen the oversight of AVMs, which requires (i) ensuring a high level of confidence in the estimates; (ii) protecting against data manipulation; (iii) avoiding conflicts of interest; (iv) requiring random sample testing and reviews; and (v) accounting for other factors deemed “appropriate” by the agencies. The Small Business Advisory Review Panel’s Outline of Proposals and Alternatives Under Consideration details options for ensuring computer models used to determine home valuations are accurate and fair. While recognizing that AVMs “have the potential to contribute to lower costs and shorter turnaround times in the performance of property valuations” and are increasingly being used—in part due to advances in database and modeling technology and the availability of larger property datasets—the Bureau cautioned that using AVMs may introduce several risks that can affect data integrity and accuracy. The outline also expressed concerns that AVMs may “reflect bias in design and function or through the use of biased data and may introduce fair lending risk.” To mitigate potential fair lending risks in AVMs, the Bureau stated it is considering proposing “a requirement that covered institutions establish policies, practices, procedures, and control systems to ensure that their AVMs comply with applicable nondiscrimination laws.” The Bureau added that it “preliminarily believe[s] standards designed to ensure compliance with applicable nondiscrimination laws may help ensure the accuracy, reliability, and independence of AVMs for all consumers and users.” Without proper safeguards, the Bureau warned in its announcement, “flawed” AVMs “could digitally redline certain neighborhoods and further embed and perpetuate historical lending, wealth, and home value disparities.”

    Among other things, the outline also previewed definitions under consideration for terms such as “mortgage originator,” “mortgage,” and “consumer’s principal dwelling,” and noted that the Bureau is considering a “principles-based option” to allow regulated institutions more flexibility to set their own AVM quality control standards, as well as a “prescriptive option” with a more detailed set of requirements for institutions to reduce potential compliance uncertainty. “It is tempting to think that machines crunching numbers can take bias out of the equation, but they can’t,” CFPB Director Rohit Chopra said. “This initiative is one of many steps we are taking to ensure that in-person and algorithmic appraisals are fairer and more accurate.”

    The Bureau stated that the next step will be to review the options to determine their potential impact on small business stakeholders as required by the Small Business Regulatory Enforcement Fairness Act of 1996. Feedback will be used to inform the Bureau’s efforts on developing a formal proposal with the other agencies.

    Agency Rule-Making & Guidance, CFPB, AVMs, Federal Reserve, OCC, FDIC, NCUA, FHFA, Mortgages, Fair Lending

  • California Privacy Protection Agency plans to finish rulemaking by Q4 of 2022

    Privacy, Cyber Risk & Data Security

    On February 17, the California Privacy Protection Agency (CPPA) Board held a public meeting to provide an update on the California Privacy Rights Act (CPRA or the Act) rulemaking process. According to sources, the CPPA, which was established under the CPRA, stated it intends to finalize rulemaking in the third or fourth quarter of 2022. As previously covered by InfoBytes, last September, the CPPA formally called on stakeholders to provide preliminary comments on proposed CPRA rulemaking. The Act (effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 (covered by InfoBytes here) and amended the existing California Consumer Privacy Act. The invitation for comments highlighted several areas of interest for the CPPA, including topics concerning cybersecurity audits and risk assessments, automated decision-making, consumer privacy rights and requests to know, sensitive personal information, and dark patterns. While the CPRA established a July 1, 2022 deadline for rulemaking, CPPA Executive Director Ashkan Soltani stated during the meeting that the rulemaking process will extend into the second half of the year. Soltani noted that preliminary and informational proceedings will take place sometime this March and April, and will include instructive sessions with various subject matter experts and public sessions to obtain stakeholder input, and will take into account responses from the comment solicitation period that ended November 8, 2021. Following these proceedings, the Board will begin the formal rulemaking process during the second and third quarters, with final rules being finished by the end of the year. Soltani acknowledged that while the Board is behind schedule with respect to the July deadline, the CPPA expects to use the extra time to fill open positions at the agency.

    Privacy/Cyber Risk & Data Security, California, CCPA, CPRA, CPPA, State Issues, Agency Rule-Making & Guidance

  • FDIC announces final rule to simplify deposit insurance

    Recently, the FDIC published a final rule that amends the deposit insurance regulations for trust accounts and mortgage servicing accounts. According to the FDIC, the final rule is intended to make the deposit insurance rules more understandable, facilitate timely insurance determinations for trust accounts in the event of a bank failure, and enhance consistency of insurance coverage for mortgage servicing account deposits. Highlights of the final rule include, among other things: (i) merging the revocable and irrevocable trust deposit insurance categories into a “trust accounts” category; (ii) establishing a consistent formula for calculating deposit insurance coverage for trust accounts; (iii) establishing that “a deposit owner’s trust deposits will be insured in an amount up to $250,000 per beneficiary, not to exceed five beneficiaries, regardless of whether a trust is revocable or irrevocable, and regardless of contingencies or the allocation of funds among the beneficiaries”; and (iv) providing a maximum amount of deposit insurance coverage of $1,250,000 per owner, per insured depository institution for trust deposits. The final rule becomes effective on April 1, 2024, which provides “depositors and insured depository institutions more than two years to prepare for the changes in coverage.” The FDIC also released a fact sheet which provides information on the final rule.

    Bank Regulatory, Federal Issues, FDIC, Agency Rule-Making & Guidance, Deposit Insurance

  • CFPB revises Rules of Practice for Adjudication Proceedings

    Agency Rule-Making & Guidance

    On February 22, the CFPB published a procedural rule and request for public comment in the Federal Register to update its Rules of Practice for Adjudication Proceedings. Under Section 1053(e) of the Consumer Financial Protection Act, the Bureau has authority to conduct administrative proceedings. The CFPB indicated that the amendments would provide greater procedural flexibility by giving parties earlier access to relevant information, expanding deposition opportunities, and making various changes related to “timing and deadlines, the content of answers, the scheduling conference, bifurcation of proceedings, the process for deciding dispositive motions, and requirements for issue exhaustion, as well as other technical changes.” The proposed amendments would also simplify and clarify the computation of deadlines and would indicate that motions for extension of time are “generally disfavored” (a list of factors to be considered, however, would be retained). Comments must be received by April 8.

    Agency Rule-Making & Guidance, CFPB, Adjudication, CFPA
