InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Dept. of Defense announces version 2.0 of cybersecurity maturity model certification program
On November 4, the Department of Defense (DoD) announced the completion of an internal assessment of its Cybersecurity Maturity Model Certification (CMMC) program and enhancements to that program. While CMMC 2.0 remains focused on safeguarding sensitive national security information, it updates CMMC 1.0 (see DoD guidance here) by streamlining compliance rules, strengthening cyber protection standards for companies operating in the defense industrial base, and encouraging a collaborative culture of cybersecurity and cyber resilience. “By establishing a more collaborative relationship with industry, these updates will support businesses in adopting the practices they need to thwart cyber threats while minimizing barriers to compliance with DoD requirements,” Jesse Salazar, Deputy Assistant Secretary of Defense for Industrial Policy, stated. Among other things, CMMC 2.0: (i) simplifies CMMC standards and provides further clarity on cybersecurity regulatory, policy, and contracting requirements; (ii) focuses the most advanced cybersecurity standards and third-party assessment requirements on companies that support the highest priority programs; and (iii) “increase[es] DoD oversight of professional and ethical standards in the assessment ecosystem.” Changes reflected in CMMC 2.0 will be implemented through future rulemaking, and companies are not required to comply with CMMC requirements until the forthcoming rules take effect. DoD will also suspend a current CMMC pilot program and “will not approve inclusion of a CMMC requirement in any DoD solicitation” during this period.
SEC approves PCAOB Rule under the Holding Foreign Companies Accountable Act
On November 5, the SEC announced it approved the Public Company Accounting Oversight Board’s (PCAOB) Rule 6100, Board Determinations Under the Holding Foreign Companies Accountable Act, which establishes a framework for the PCAOB’s determinations under that act “that the PCAOB is unable to inspect or investigate completely registered public accounting firms located in a foreign jurisdiction because of a position taken by an authority in that jurisdiction.” According to the Commission order, PCAOB Rule 6100 establishes, among other things: (i) the factors the PCAOB will evaluate and the information the PCAOB will consider when assessing if a determination is warranted; (ii) the form, public availability, effective date, and duration of such determinations; and (iii) the process by which the board will reaffirm, modify, or vacate any such determinations. According to a statement released by SEC Chair Gary Gensler, the rule is an “important step to protect U.S. investors,“ and it is “critical that the Commission and the PCAOB work together to ensure that the auditors of foreign companies accessing U.S. capital markets play by the same rules.”
Agencies adopt standardized approach for counterparty credit risk Call Report
On November 9, the FDIC, Federal Reserve Board, and the OCC announced the publication of final regulatory reporting changes in the Federal Register applicable to three versions of the Call Report (FFIEC 031, FFIEC 041, and FFIEC 051). In July, the agencies proposed to revise and extend the Call Report for three years, and requested public comments on proposed changes to clarify instructions for reporting of deferred tax assets (DTAs) and to add a new item related to the standardized approach for counterparty credit risk (SA–CCR). (See FIL-53-2021.) Following the comment period, the agencies are proceeding with the proposed SA-CCR-related reporting change to the Call Report, which will take effect with the December 31, 2021 report date, subject to approval by the Office of Management and Budget. However, proposed instruction revisions related to DTAs are not final as the agencies continue to consider comments received on the proposed rule on tax allocation agreements. (See FIL-29-2021.) Supervised financial institutions are encouraged to review the proposed regulatory change. Redline copies of the Call Report and related draft reporting instructions are available on the FFIEC’s webpage here.
SEC proposes amendments to electronic filing requirements
On November 4, the SEC announced two proposed amendments (Updating EDGAR Filing Requirements and Electronic Submission of Applications for Orders under the Advisers Act and the Investment Company Act, Confidential Treatment Requests for Filings on Form 13F, and Form ADV-NR; Amendments to Form 13F), which update electronic filing requirements. These proposed amendments are intended to increase efficiency, transparency, and operational resiliency by modernizing how information is submitted to the SEC and disclosed. The proposed rule and form amendments would require, among other things, certain forms to be filed or submitted electronically and would make technical amendments to certain forms to require structured data reporting and eliminate outdated references. According to the SEC, the Commission currently allows, and at times requires, certain forms to be filed or submitted in paper format. The SEC also noted that publicly filed electronic submissions would be more readily accessible to the public and would be available in a searchable format on the SEC’s website. The public comment period will be open for 30 days after publication in the Federal Register.
The same day, the SEC published a fact sheet clarifying, among other things, how the rule applies and what is required under the proposed amendments. According to a statement released by SEC Chair Gary Gensler, “just as we are hoping to update our rules for market participants in the face of rapidly changing technology, it’s also important that we update our rules to make filing obligations more efficient.”
CFPB seeks comments on recent orders to U.S. tech companies
On November 5, the CFPB published a notice in the Federal Register seeking public comments on recently issued orders to six large U.S. technology companies requesting information and data on their payment system business practices (covered by InfoBytes here). According to the notice, the Bureau invites comments from “any interested parties, including consumers, small businesses, advocates, financial institutions, investors, and experts in privacy, technology, and national security.” The notice is “one of many efforts within the Federal Reserve System to plan for the future of realtime payments and to ensure a fair and competitive payments system in our country.” Comments are due by December 6.
CFPB deputy director discusses future rulemaking research efforts
On November 5, CFPB Deputy Director Zixta Martinez spoke before the Bureau’s Academic Research Council (ARC) meeting, in which she discussed recent research efforts taken to inform future rulemaking and identify root causes of challenges facing consumers. Martinez highlighted Section 1022 orders recently sent to several big tech payment platforms seeking information on their products, plans, and practices (covered by InfoBytes here). She noted that the evaluation of these companies’ payments platform data will help inform the Bureau on the future of the payments system as well as potential emerging risks, and will provide insights that may impact future rulemaking under Section 1033 concerning the disclosure of consumer data by regulated entities. Among other things, Martinez also discussed the importance of small business lending research to better understand whether these businesses provide fair and equitable access to credit and referred to the Bureau’s Section 1071 notice of proposed rulemaking issued in September (covered by a Buckley Special Alert). Martinez also noted that one of the Bureau’s priorities is ensuring access to fair and affordable credit for low-income, minority, or traditionally underserved communities, and said the Office of Research will solicit “suggestions and advice for ways to integrate racial and economic equity analyses into the CFPB’s research agenda.”
FATF updates virtual assets and service provider guidance
On October 28, the Financial Action Task Force (FATF) updated pre-existing guidance on its risk-based approach to virtual assets (VAs) and virtual asset service providers (VASPs). The updated guidance revises guidance originally released in 2019. According to FATF standards, countries are required to “assess and mitigate their risks associated with virtual asset financial activities and providers; license or register providers and subject them to supervision or monitoring by competent national authorities.” The guidance includes updates on certain key areas, such as: (i) expanding the definitions of VAs and VASPs; (ii) applying FAFT standards to stablecoins; (iii) adding guidance regarding the risks and the tools available to countries for the purpose of addressing money laundering and terrorist financing risks for peer-to-peer transactions; (iv) revising VASP licensing and registration guidance; (v) adding guidance for the public and private sectors on the implementation of the “travel rule”; and (vi) adding a section for principles of information-sharing and co-operation amongst VASP Supervisors. FATF also noted that the “guidance addresses the areas identified in the FATF’s 12-Month Review of the Revised FATF Standards on virtual assets and VASPs requiring further clarification and also reflects input from a public consultation in March - April 2021.”
NYDFS issues proposed amendments to debt collection rules for third-parties
On October 29, NYDFS issued draft proposed amendments to 23 NYCRR 1, which regulates third-party debt collectors and debt buyers. Among on things, the proposed amendments:
- Define “communication” as “the conveying of information regarding a debt directly or indirectly to any person through any medium.”
- Amend the definition of a “debt collector” to include “as any creditor that, in collecting its own debts, uses any name other than its own that would suggest or indicate that someone other than such creditor is collecting or attempting to collect such debts.”
- Require collectors to clearly and conspicuously send written notification within five days after an initial communication with a consumer letting the consumer know specific information about the debt, including (i) the name of the creditor to which the debt was originally owed or alleged to be owed; (ii) account information associated with the debt; (iii) merchant/affinity/facility brand association; (iv) the name of the creditor to which the debt is currently owed; (v) the date of alleged default; (vi) the date the last payment (including any partial payment) was made; (vii) the statute of limitations, if applicable; (viii) an itemized accounting of the debt, including the amount currently due; and (ix) notice that the consumer “has the right to dispute the validity of the debt, in part or in whole, including instructions for how to dispute the validity of the debt.”
- State that disclosures may not be sent exclusively through an electronic communication, and that a formal pleading in a civil action shall not be treated as an initial communication.
- Prohibit collectors from communicating by telephone or other means of oral communication when attempting to collect on debts for which the statute of limitations has expired.
- Require collectors to provide consumer written substantiation of a debt within 30 days of receiving a written request via mail (consumers who consent to receiving electronic communications must still receive substantiation via mail).
- Limit collectors to three contact attempts via telephone in a seven-day period. Only one conversation with a consumer is permitted unless a consumer requests to be contacted.
- Permit collectors to communicate with consumers through electronic channels only if the consumer has voluntarily provided consent directly to the debt collector.
Comments on the proposal are due November 8.
CFPB publishes Regulation F debt collection compliance guidance
On October 29, the CFPB released information on validation notices to help facilitate compliance with requirements in the Regulation F debt collection final rule. As previously covered by InfoBytes, in October 2020 the CFPB issued its final rule (effective November 30) amending Regulation F, which implements the Fair Debt Collection Practices Act, addressing debt collection communications and prohibitions on harassment or abuse, false or misleading representations, and unfair practices. The CFPB released guidance for debt collectors offering instructions on how to provide certain validation information, including using the “Itemization Table” in the model validation notice as well as examples of how the table might be completed for different types of debts. The guidance also provides, among other things, examples of itemization tables for the collection of multiple debt owned by the same consumer.
The Bureau also issued new FAQs related to Regulation F that address validation information generally and validation information related to residential mortgage debt. Among other things, the FAQs: (i) specify the validation information debt collectors must provide consumers who owe or allegedly owe a debt; (ii) clarify that while the use of the model validation notice provided in Appendix B of the final rule is not required, debt collectors must comply with the validation information content and format requirements in Regulation F; (iii) specify that a debt collector can make changes to the model validation notice and still obtain the validation information content and format safe harbor with certain limitations; (iv) state that a debt collector does not need to provide the itemization-related information in a validation notice provided the debt collector follows a special rule for certain residential mortgage debt; (v) outline validation information that may be omitted if using the Mortgage Special Rule, and clarify that generally if a debt collector uses the Mortgage Special Rule with the model validation notice, the debt collector may still receive a safe harbor as long as certain criteria is met; (vi) define “most recent periodic statement” for purposes of the Mortgage Special Rule; and (vii) clarify that under the Mortgage Special Rule, a debt collector “uses the date of the periodic statement provided under that Special Rule as the itemization date.” As previously covered by InfoBytes, the Bureau issued FAQs last month discussing limited-content messages and the call frequency provisions under the Debt Collection Rule in Regulation F.
OCC updates Retail Lending booklet
On October 28, the OCC issued Bulletin 2021-52 announcing the issuance of version 2.0 of the “Retail Lending” booklet of the Comptroller’s Handbook. The booklet rescinds OCC Bulletin 2017-15, “Retail Lending: New Comptroller's Handbook Booklet” (covered by InfoBytes here) and the “Retail Lending” booklet of the Comptroller’s Handbook, version 1.1. Among other things, the revised booklet: (i) reflects changes to laws and regulations since the last update of this booklet; (ii) reflects OCC issuances published and rescinded since the last update of this booklet; (iii) clarifies supervisory guidance, sound risk management practices, and legal language; and (iv) alters some content for clarity purposes.