NCUA Letter to Federal Credit Unions 22-FCU-03
NASCUS Legislative and Regulatory Affairs Department
December 10, 2022
On December 7, 2022, NCUA issued NCUA Letter 22-FCU-03[1] regarding the Expiration of Emergency Exemption from Certain In-Person Meeting Requirements.
The letter discusses the implications of three NCUA letters issued in March 2020, November 2020, and November 2021[2] providing federal credit unions (FCU) flexibility during the pandemic related to annual meetings. Specifically, the NCUA recognized the challenges the pandemic posed to physically conducting member meetings. As a result of the letters, FCUs were allowed to conduct membership and board meetings completely virtually. These emergency exemptions were set to expire on December 31, 2022.
Additionally, the NCUA allowed FCUs to approve, with a 2/3 board passage, bylaw language changes to article IV that would allow FCUs to invoke virtual-only meetings if a majority of the directors passed a resolution for each such meeting. The letters provided specific wording for this bylaw amendment.
Summary
With this letter, NCUA is providing notice that the emergency conditions that justified the flexibility enjoyed by FCUs to invoke virtual-only meetings are no longer present, and those emergency provisions will expire. FCUs that have adopted the bylaw amendment may retain it in their bylaws, but it will not be applicable after 2022 unless NCUA issues a new notification allowing it to be invoked.
NCUA also states that while “virtual-only” meetings will no longer be an option, FCUs will still have the option to best meet their needs[3] by conducting hybrid meetings that include an in-person AND virtual element.
While NCUA will permit a hybrid format, federal credit unions will still be required to meet the general quorum requirements, including counting participants in both the in-person and virtual aspects of the hybrid meeting.
NCUA believes that using a hybrid meeting format could preserve FCU resources and reduce the effort required to hold meetings without disenfranchising members for whom virtual attendance is difficult or impossible.
NCUA cautions its institutions to consider whether their current bylaws authorize hybrid meetings or whether bylaw changes would be necessary.
Finally, NCUA reminded FCUs of certain related bylaws provisions including:
- Bylaws that permit FCU boards to conduct “virtual-only” meetings for all but one of their board meetings per calendar
- If a quorum is obtained by “in person” attendees at the one required in-person meeting, the remaining board members could continue to attend virtually[4],
- FCU bylaws permit flexibility for distributing member notices, including the option to provide such notices electronically if a member chooses to opt in[5].
[1] www.ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/expiration-emergency-exemption-certain-person-meeting-requirements?utm_medium=email&utm_source=NCUAgovdelivery#ftn_2
[2]Letter to Federal Credit Unions, 20-FCU-02, “NCUA Actions Related to COVID-19 – Annual Meeting Flexibility;” Letter to Federal Credit Unions, 20-FCU-04, “Federal Credit Union Meeting Flexibility During the COVID-19 Pandemic;” Letter to Federal Credit Unions, 21-FCU-06, “Federal Credit Union Meeting Flexibility in 2022 Due to the COVID-19 Pandemic.”
[3]12 C.F.R. Part 701, Appendix A, Official NCUA Commentary, Article V.
[4]Id. Article VI, § 5.
[5]Id. Article IV, § 2.
Summary re: CFPB Consumer Financial Protection Circular 2022-07: Reasonable Investigation of Consumer Reporting Disputes
12 CFR Chapter X
The Consumer Financial Protection Bureau (CFPB) issued this circular to respond to two questions regarding the responsibilities of consumer reporting agencies.
The Bureau released this circular on its website on November 10, 2022, and the circular can be accessed here.
Summary
Congress enacted the Fair Credit Reporting Act (FCRA) to “prevent consumers from being unjustly damaged because of inaccurate or arbitrary information in a credit report.” The Bureau notes that a central component of the protections against inaccurate information is the requirement to conduct a reasonable investigation of consumer disputes. Since its enactment, the FCRA has required consumer reporting agencies to investigate consumer disputes. Additionally, in 1996 Congress amended the FCRA to also impose “duties on the sources that provide credit information to CRAs (consumer reporting agencies) called ‘furnishers’ in the statute.”
In the circular, the Bureau responds to the questions:
- Are consumer reporting agencies and the entities that furnish information to them (furnishers) permitted under the Fair Credit Reporting Act (FCRA) to impose obstacles that deter the submission of disputes?
- Consumer reporting agencies and furnishers are liable under the FCRA if they fail to investigate any dispute that meets the statutory and regulatory requirements, as described in more detail below. Enforcers may bring claims if consumer reporting agencies and furnishers limit consumers’ dispute rights by requiring any specific format or requiring any specific attachment, such as a copy of a police report or consumer report, beyond what that statute and regulations permit.
- Do consumer reporting agencies need to forward to furnishers consumer-provided documents attached to a dispute?
- It depends. Enforcers may bring a claim if a consumer reporting agency fails to promptly provide to the furnisher “all relevant information” regarding the dispute that the consumer reporting agency receives from the consumer. While there is not an affirmative requirement to specifically provide original copies of documentation submitted by consumers, it would be difficult for a consumer reporting agency to prove they provided all relevant information if they fail to forward even an electronic image of documents that constitute a primary source of evidence.
High Level Summary and Discussion Guide of Outline of Proposals and Alternatives Under Consideration for SBREFA: Required Rulemaking on Personal Financial Data Rights
Section 1033(a) of the Dodd Frank Act authorizes the Consumer Financial Protection Bureau (CFPB) to prescribe rules requiring a “covered person to make available to a consumer (upon request) information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions or to the account including costs, charges and usage data.”
The Bureau is in the process of drafting regulations to implement Section 1033. During the process, the Bureau is required to consult with representatives of small entities likely to be affected directly by the regulations the Bureau is considering proposing and to obtain feedback on the likely impacts the rules the Bureau is considering would have on small entities.
The summary document provides a high-level summary of regulatory provisions the CFPB is considering proposing. The proposals address the following topics:
- Coverage of data providers who would be subject to the proposals under consideration
- The proposals would require a defined subset of Dodd Frank Act covered persons to be considered “data providers” such as those defined as financial institutions and card issuers.
- Recipients of information, including consumers and authorized third parties
- The proposals would make available information (upon request) directly to consumers and to authorized third parties.
- The proposals would require a third party requesting information to (i) provide an authorization disclosure to inform the consumer of the terms of access; (ii) obtain the consumer’s informed, express consent; and (iii) certify to the consumer that it will abide by certain obligations regarding collection, use and retention of the consumer’s information.
- The types of information that would need to be made available
- The proposals set forth six categories of information the Bureau is considering requiring covered data providers to make available: periodic statement information; information regarding prior transactions and deposits that have not yet settled; information about prior transactions not typically shown on periodic statements or online financial account management portals; online banking transactions that the consumer has set up but that have not yet occurred; account identity information and other information, including consumer reports obtained/used by the covered product/service to a consumer, etc.
- The proposals also provide for four exceptions to the Section 1033(a) requirement to make information available.
- How and when information would need to be made available, including when information is made available to consumers directly and to third parties authorized to access information on their behalf
- The proposals would require a covered data provider to make information available if it has enough information from the consumer to reasonably authenticate the consumer’s identity and reasonably identify the information requested.
- The proposals would require covered data providers to make available all the information that would be covered by the proposals under consideration through online financial account management portals and to allow consumers to export the information in both human and machine readable formats.
- Third party obligations
- The proposals would require authorized third parties to limit their collection, use and retention of consumer information to what is reasonably necessary to provide the product/service the consumer has requested.
- The proposals would also require authorized third parties to provide consumers with a simple way to revoke authorization at any point, consistent with the consumer’s mode of authorization.
- Record retention obligations
- The proposals would provide for record retention requirements for covered data providers and authorized third parties to demonstrate compliance with certain requirements of the rule.
- Implementation period
- The Bureau seeks to ensure that consumers have the benefit of a final rule within a short timeframe, while also ensuring that covered data providers and authorized third parties have sufficient time to implement the rule.
The summary also includes questions drawn from the Outline to solicit feedback from small entity representatives on specific topics. However, the CFPB is interested in input from SERs (small entity representatives) on all aspects of the proposals under consideration and any alternatives the CFPB should consider. The summary also includes an appendix that illustrates how the CFPB’s proposals under consideration would apply to a hypothetical transaction involving data access to an authorized third party.
The Bureau’s summary and discussion guide can be found here. The larger, more comprehensive “Outline of Proposals and Alternatives under Consideration” can be found here and the CFPB is requesting non-SER stakeholder feedback by no later than January 25, 2023. Stakeholders are welcome to provide written feedback on the CFPB’s proposals under consideration by emailing it to [email protected].
Final Rule Summary:
Appraisal Subcommittee; Appraiser Regulation; Temporary Waiver Requests
NASCUS Legislative and Regulatory Affairs Department
November 21, 2022
The Appraisal Subcommittee (ASC) of the Federal Financial Institutions Examination Council (FFIEC) adopted a final rule amending temporary waiver proceedings, promulgated in 1992 pursuant to Title XI of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989, as amended (Title XI). On January 13, 2022, the ASC published a related proposed rule with a 60-day public comment period.
The final rule adopts the rules of practice and procedure substantially as proposed, with the following modifications:
- Definition of “Petition” to include State financial institutions’ regulatory agencies as potential petitioners; and
- Clarification that either a mandatory or discretionary waiver termination requires publication in the Federal Register and that a discretionary waiver termination requires such publication with a 30-day comment period.
Summary
Section §1101.1 of the final rule clarifies the distinction between:
- A request from a state appraiser regulatory agency (Request for Temporary Waiver in the proposed rule); and
- Information received from other persons or entities (which could include a state appraiser regulatory agency) is referred to as “Petition” in the proposed rule.
Section §1102.2: Definitions
Petition
The proposed rule failed to include state financial institution regulators in the definition of “petition.” “Petition” in the final rule now includes State financial institution regulatory agencies as a potential petitioner.
Scarcity of Certified or Licensed Appraisers and Significant Delays in the Performance of Appraisals
The final rule retained the proposed definition of scarcity of certified or licensed appraisers and adopted the definition as the number of active certified or licensed appraisers within a State or a specified geographical, political subdivision is insufficient to meet the demand for appraisal services, and such appraisers are difficult to retain.
The final rule also adopted the definition of significant delays in the performance of appraisals which is defined as delays that are substantially out of the ordinary when compared to the performance of appraisals for similarly situated Federally Related Transactions (FRTs) based on factors such as geographic location (e.g., rural versus urban) and assignment type, and the delay is not the result of intervening circumstances outside the appraiser’s control or brought about by the appraiser’s client (e.g., inability to access the subject property).[1]
Section §1102.3: Request for Temporary Waiver
Section 1102.3(a) states that the State Appraisal Agency for the State where temporary waiver relief is sought may file a Request for Temporary Waiver. Section 1102.3(b) sets out a complete list of requirements for a temporary waiver to be deemed received by the ASC. The list includes:
- A written determination by the State Appraisal Agency that there is a scarcity of certified or licensed appraisers leading to significant delays in the performance of appraisal for FRTs or a specified class of FRTs within either a portion of, or the entire State;
- The requirement(s) of State law from which relief is being sought;
- The nature of the scarcity of certified or licensed appraisers (including supporting documentation, statistical or otherwise verifiable);
- The extent of the delays anticipated or experienced in the performance of appraisals by certified or licensed appraisers (including supporting documentation, statistical or otherwise verifiable);
- How complaints concerning appraisals by persons who are not certified or licensed would be processed in the event a temporary waiver is granted; and
- Meaningful suggestions and recommendations for remedying the situation.
Amendments to paragraph (b) also modify the requirement for a State Appraisal Agency to provide “a specific plan for expeditiously alleviating the scarcity and service delays” to “meaningful suggestions and recommendations for remedying the situation”. This change recognizes a situation creating scarcity and delay may be outside the control of the State Appraisal Agency.
Amendments to the final rule also include the phrase “supporting documentation, statistical or otherwise verifiable.” A Request for Temporary Waiver should include clear and specific data to support a claim that there is a scarcity of appraisers leading to significant delays in the performance of appraisals for FRTs, or a specified class of FRTs, for either a portion of or the entire State.
The final rule indicates some specific information related to the following could assist the ASC in reviewing a request for a temporary waiver:
- Geography – location(s) of the scarcity leading to significant delay.
- Transactions – types of FRTs impacted (i.e., property and transaction type(s) and transaction amount(s)).
- Time – length of time for waiver requested.
Section 1102.3(b) of the final rule also includes that a Request for Temporary Waiver address how complaints concerning appraisals by persons who are not certified or licensed would be processed in the event a temporary waiver is granted.
Section 1102.3(c) clarifies that a Request for Temporary Waiver will be deemed received for purposes of publication in the Federal Register for notice and comment if the ASC determines that the information submitted meets the requirements of 1102.3(b) detailed above.
Section 1102.3(d) indicates that in the event a request is deemed “not received”, it may be denied in its entirety or referred to the State Appraisal Agency for further action. In either case, the ASC is to provide written notice to the State Appraisal Agency providing an explanation for the determination.
Section §1102.4: Petition Requesting the ASC Initiate a Temporary Waiver Proceeding
For consistency with amendments to Section 1102.2(c) and the definition of “petition,” Section 1102.4(a) has been amended to include State financial institutions’ regulatory agencies as a potential petitioner. The final rule also clarifies that a petition is a request for the ASC to exercise its discretionary authority to initiate a temporary waiver proceeding. A petition may be filed by the Federal or State financial institutions’ regulatory agencies, the regulated financial institutions, or other persons or institutions with a “demonstrable” interest in appraiser regulation, including a State Appraisal Agency.
Petitions should include:
- Information (statistical or otherwise verifiable) to support the existence of a scarcity of certified or licensed appraisers leading to significant delays in the performance of appraisals for FRTs or a specified class of FRTs for either a portion of, or the entire State; and
- The extent of the delays anticipated or experienced in the performance of appraisals by certified or licensed appraisers (including supporting documentation, statistical or otherwise verifiable).
- A petition may also include meaningful suggestions and recommendations for remedying the situation.
In the event a petition is submitted by a party other than a State Appraisal Agency, the party must promptly provide a copy of its petition to the State Appraisal Agency. If further action is needed on a petition, the ASC may refer a petition back to the State Appraisal Agency, where the temporary waiver relief is sought for further evaluation, or the ASC may take further action without referring.
Section §1102.5: Order Initiating a Temporary Waiver Proceeding
Under the final rule, the ASC may exercise discretion in determining whether to issue an Order initiating a temporary waiver proceeding in response to a petition, or the ASC may exercise discretion to initiate a proceeding without the submission of a petition.
Section §1102.6: Notice and Comment
Under the final rule, the ASC will:
- Publish promptly in the Federal Register a notice respecting:
- A received request for a temporary waiver; or
- An ASC Order initiating a temporary waiver proceeding
The notice of the request for temporary waiver or ASC Order shall have a 30-calendar-day public comment period.
Section §1102.7 ASC Determination
The final rule requires the ASC, within 90 calendar days of the date of publication of the notice in the Federal Register, by Order, to grant or deny a waiver, in whole or in part, and upon specified terms and conditions, including provisions for waiver termination.
The Order shall be published in the Federal Register. In the case of an Order approving a waiver, it will only be published upon approval of the FFIEC.
Section §1102.8 Waiver Extension
Under the final rule, the ASC may initiate an extension of a temporary waiver. A State Appraisal Agency may also seek an extension by forwarding an additional written request to the ASC.
Section §1102.9 Waiver Termination
The final rule provides two types of waiver terminations.
- Mandatory waiver termination: ASC shall terminate a temporary waiver order when the ASC determines that significant delays in the performance of appraisals by certified or licensed appraisers no longer exist.
- Discretionary waiver termination: The ASC, at any time, may terminate a waiver Order on the finding that the terms and conditions of the waiver order are not being satisfied.
Waiver terminations are to be posted in the Federal Register. Discretionary waiver terminations require a 30-day comment period. If no further action is taken by the ASC, a discretionary waiver termination becomes final 21 calendar days after the close of the comment period.
Summary re: CFPB Consumer Financial Protection Circular 2022-06: Unanticipated Overdraft Fee Assessment Practices
12 CFR Chapter X
The Consumer Financial Protection Bureau (CFPB) has issued Consumer Financial Protection Circular 2022-06, titled “Unanticipated Overdraft Fee Assessment Practices” to respond to a question posed about whether the assessment of overdraft fees under certain instances would be considered an unfair act or practice under the Consumer Financial Protection Act (CFPA), even if the entity complies with the Truth in Lending Act (TILA) and Regulation Z and the Electronic Fund Transfer Act (EFTA) and Regulation E.
The circular became effective on October 26, 2022 and can be found here.
Summary:
The Consumer Financial Protection Act (CFPA) prohibits conduct that constitutes an unfair act or practice. An act or practice is unfair when: (i) it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers; and (ii) the injury is not outweighed by countervailing benefits to consumers or to competition. Overdraft fee practices must comply with TILA, EFTA, Regulation Z, Regulation E and the prohibition against unfair, deceptive and abusive acts or practices in Section 1036 of the CFPA.
According to the circular, overdraft fees assessed by financial institutions on transactions that a consumer would not reasonably anticipate are likely unfair. These unanticipated overdraft fees are likely to impose substantial injury on consumers that they cannot reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition. The circular highlights potentially unlawful patterns of financial institution practices regarding unanticipated overdraft fees and provides some examples of practices that might trigger liability under the CFPA. The circular notes that the examples provided are illustrative and not exhaustive.
CISA Guidance Summary: Implementing Phishing-Resistant MFA — Implementing Number Matching in MFA Applications
NASCUS Legislative and Regulatory Affairs Department
November 10, 2022
The Cybersecurity & Infrastructure Security Agency (CISA), a subordinate agency of the Department of Homeland Security (DHS), released guidance on October 31, 2022, strongly urging all organizations to implement phishing-resistant Multi-Factor Authentication (MFA) to protect against cyber threats. Additionally, CISA recommends using number matching to mitigate MFA fatigue in cases where an organization uses push-notification-based MFA without a phishing-resistant MFA tool.
Background
CISA, a departmental agency acting as the national coordinator for critical infrastructure security and resilience, issued two fact sheets on October 31, 2022. The first, Implementing Phishing-Resistant MFA[1], outlines the importance of MFA in authenticating access to systems. MFA makes use of multiple factors to validate the individual accessing a system, including something you know, something you have, or something you are. An example of different factors could include a password or PIN (something you know), biometric facial or fingerprint recognition (something you are), and/or a digital certificate, specific hardware/software configuration, or PIN-producing token (something you have).
The guidance further outlines potential weaknesses utilized by threat actors to overcome such cyber defenses, including:
- Phishing: A form of social engineering in which threat actors use email or malicious websites to solicit information, or to gain access to a machine, in order to obtain what they need to access a protected network.
- Push Bombing or Push Fatigue: Threat actors bombard a user with push notifications until they “accept” the notification and thereby grant access to the protected network.
- The exploitation of SS7 Protocol Vulnerabilities: Threat actors utilize vulnerabilities in communications systems to transfer control of the user’s phone number to a controlled SIM card.
To address these vulnerabilities, organizations are encouraged to utilize one of the following:
- FIDO/WebAuthn Authentication: Utilizes physical tokens that authenticate to a device via USB, or hardware embedded into laptops or mobile devices as platform identity authenticators.
- PKI-based MFA: Public Key Infrastructure utilizes smart cards or digital certificates to validate access to a system through a combination of public and private keys. Keys on the transporting hardware are accessed by a user using a password or pin and are physically connected to the device used to access the application.
The guidance acknowledges that such systems require significant infrastructure. It goes on to discuss other, less substantial MFA tools that can mitigate the attack avenues described above, and how to focus on implementing a phishing-resistant MFA system.
One of the most efficient methodologies to mitigate phishing attacks on MFA discussed includes a process called number matching, the subject of the second fact sheet titled Implementing Number Matching in MFA applications[2].
This fact sheet discusses different types of MFA push prompts in which the authenticating platform provides an additional layer of protection against phishing by requiring the user to enter a PIN/password from the identity platform (i.e., your phone) into the application instead of just checking an acknowledgment on the identity platform to gain access. In this scenario, a threat actor without the phone would not be able to access the application, and a user, fatigued by numerous access requests, cannot inadvertently allow access.
Both fact sheets provide reference material available to further research and implement appropriately hardened systems relating to MFA.
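The number-matching check described above can be sketched as follows. This is an added example, not code from the CISA fact sheets or from NASCUS; the class and function names, the two-digit number, the 60-second window and the three-attempt limit are all assumptions. It shows that a bare approval tap, or an answer from a user who never saw the number, does not grant access.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CHALLENGE_TTL_SECONDS = 60  # assumed validity window for one prompt
MAX_ATTEMPTS = 3            # assumed limit on wrong entries per prompt


@dataclass
class Challenge:
    user: str
    number: str        # shown on one side of the exchange, typed on the other
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class NumberMatchingVerifier:
    """Server-side state for number-matching push prompts (hypothetical API)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}

    def start_login(self, user):
        """Create a prompt; return (challenge_id, number to display)."""
        challenge_id = secrets.token_urlsafe(16)
        number = f"{secrets.randbelow(100):02d}"  # two digits, assumed length
        self._pending[challenge_id] = Challenge(
            user, number, self._clock() + CHALLENGE_TTL_SECONDS)
        return challenge_id, number

    def respond(self, challenge_id, user, typed_number=None):
        """Handle the user's answer to a prompt and return the outcome."""
        ch = self._pending.get(challenge_id)
        if ch is None or ch.user != user:
            return "unknown_challenge"
        if self._clock() >= ch.expires_at:
            del self._pending[challenge_id]
            return "expired"
        if typed_number is None:
            # A bare "approve" tap carries no proof the user saw the number.
            return "number_required"
        # Constant-time comparison of the typed and expected numbers.
        if hmac.compare_digest(typed_number.encode(), ch.number.encode()):
            del self._pending[challenge_id]  # single use: no replay
            return "approved"
        ch.attempts_left -= 1
        if ch.attempts_left == 0:
            del self._pending[challenge_id]  # stop guessing on this prompt
            return "locked"
        return "mismatch"


def wrong_guess(number):
    """Return a two-digit string guaranteed to differ from `number`."""
    return f"{(int(number) + 1) % 100:02d}"


def run_scenarios():
    """Constructed scenarios; returns the outcome of each step."""
    now = [0.0]  # fake clock so the expiry case runs instantly
    verifier = NumberMatchingVerifier(clock=lambda: now[0])
    results = {}

    # 1. Legitimate sign-in: the user sees the number and types it.
    cid, number = verifier.start_login("alice")
    results["legit"] = verifier.respond(cid, "alice", number)
    results["replay"] = verifier.respond(cid, "alice", number)

    # 2. Push bombing: someone else started the login, so the victim never
    #    sees the number and can only tap approve or guess.
    cid, number = verifier.start_login("alice")
    results["blind_tap"] = verifier.respond(cid, "alice")
    results["guesses"] = [
        verifier.respond(cid, "alice", wrong_guess(number))
        for _ in range(MAX_ATTEMPTS)
    ]

    # 3. Stale prompt answered after the validity window.
    cid, number = verifier.start_login("alice")
    now[0] += CHALLENGE_TTL_SECONDS + 1
    results["late"] = verifier.respond(cid, "alice", number)
    return results


if __name__ == "__main__":
    for step, outcome in run_scenarios().items():
        print(f"{step}: {outcome}")
```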
[1] Available at www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf.
[2] Available at www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf.
Summary re: CFPB Notice and Request for Comment Regarding the CFPB’s Inquiry Into Big Tech Payment Platforms
The Bureau ordered six large technology companies operating payments systems in the United States to provide information about certain of their business practices. Accompanying the orders, the Director of the Bureau issued a statement and invited interested parties to submit comments to was published in the Federal Register on November 5, 2021. The Bureau has decided to re-open the comment period for an additional 30 days to gather additional stakeholder comments.
Comments must be received by December 7, 2022, and the notice can be found here.
Summary:
On October 21, 2021, the CFPB ordered six large technology companies operating payments systems in the United States to provide information about certain of their business practices. The orders were issued to Google, Apple, Facebook, Amazon, Square and Paypal. The Bureau will also study the practices of the Chinese tech giants that offer payments services, such as WeChat Pay and Alipay. The Bureau’s inquiry was intended to inform regulators and policymakers about the future of our payments system. Stakeholders interested in commenting on the notice can find the original notice here.
The Bureau invites all interested parties to submit comments to inform the agency’s inquiry. In addition, the Bureau is inviting comment on the following questions related to the Bureau’s inquiry:
- What fees, fines or other penalties do large technology companies assess on users of their payment platforms, including for:
- Purported violations of the technology companies’ acceptable use policies; or
- Any other conduct?
- Do the acceptable use policies for technology companies’ payment platforms include provisions that can restrict access to their platforms? If so, under what circumstances can the technology companies restrict access to their platforms?
Summary re: CFPB Bulletin 2022-06: Unfair Returned Deposited Item Fee Assessment Practices
12 CFR Chapter X
A returned deposited item is a check that a consumer deposits into their checking account that is returned to the consumer because the check could not be processed against the check originator’s account. Blanket policies of charging Returned Deposited Item fees to consumers for all returned transactions irrespective of the circumstances or patterns of behavior on the account are likely unfair under the Consumer Financial Protection Act (CFPA). The CFPB is issuing this bulletin to notify regulated entities how the Bureau intends to exercise its enforcement and supervisory authorities on this issue.
The bulletin is effective as of November 7, 2022, and can be found here.
Summary:
The CFPA prohibits covered persons from engaging in unfair acts or practices. Congress defined an unfair act or practice as one that (i) causes or is likely to cause substantial injury to consumers which is not reasonably avoidable and (ii) such substantial injury is not outweighed by countervailing benefits to consumers or to competition. Blanket policies of charging “Returned Deposited Item” fees to consumers for all returned transactions irrespective of the circumstances of the transaction or patterns of behavior on the account are likely unfair.
In addition, fees charged for Returned Deposited Items cause substantial injury to consumers. In many instances in which fees are charged for these returned items, consumers would not be able to reasonably avoid the substantial monetary injury imposed by the fees. An injury is not reasonably avoidable unless consumers are fully informed of the risk and have practical means to avoid it. However, a consumer depositing a check would normally be unaware of and have little to no control over whether a check originator has funds in their account; will issue a stop payment instruction; or has closed the account. Nor would a consumer normally be able to verify whether a check will clear with the check originator’s depository institution before depositing the check or be able to pass along the cost of the fee to the check originator.
The Bureau notes that it is unlikely that an institution will violate the prohibition if the method in which fees are imposed is tailored to only charge consumers who could reasonably avoid the injury.
CFPB Summary re: Advisory Opinion on Fair Credit Reporting; Facially False Data
12 CFR Part 1022
The Consumer Financial Protection Bureau (CFPB) issued this advisory opinion to highlight that a consumer reporting agency that does not implement reasonable internal controls to prevent the inclusion of facially false data, including logically inconsistent information, in consumer reports it prepares is not using reasonable procedures to assure maximum possible accuracy under Section 607(b) of the Fair Credit Reporting Act (FCRA).
This advisory opinion became effective on October 26, 2022, and can be found here.
Summary:
The FCRA regulates consumer reporting. The statute was designed to ensure that “consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.” The FCRA was enacted “to protect consumers from the transmission of inaccurate information about them and to establish credit reporting practices that utilize accurate, relevant, and current information in a confidential and responsible manner.”
The Bureau is issuing this advisory opinion to highlight that the legal requirement to follow reasonable procedures to assure maximum possible accuracy of the information concerning the individuals about whom the reports relate includes, but is not limited to, procedures to screen for and eliminate logical inconsistencies to avoid including facially false data in consumer reports. The opinion provides a non-exhaustive list of examples of inconsistent account information/statuses and illogical information relating to consumers that could be considered problematic. Finally, the advisory opinion applies to all consumer reporting agencies as defined in FCRA Section 603(f).
Final Rule Summary
FinCEN: Beneficial Ownership Information Reporting Requirements
NASCUS Legislative and Regulatory Affairs Department
October 31, 2022
On September 30, 2022, the Financial Crimes Enforcement Network (FinCEN) issued a final rule, Beneficial Ownership Information Reporting Requirements, implementing the reporting requirements of Section 6403 of the Corporate Transparency Act (CTA)[1]. In conjunction with the final rule, FinCEN also issued a summary Fact Sheet found here. The final rule requires certain entities to file with FinCEN reports that identify two categories of individuals: the beneficial owners of the entity, and individuals who have filed an application with specified governmental authorities to create the entity or register it to conduct business. This information will be housed within the forthcoming Beneficial Ownership Secure System (“BOSS”), a database currently under development by FinCEN.
The final rule and associated requirements are intended to help prevent and combat money laundering, terrorist financing, corruption, tax fraud, and other illicit activity while minimizing the burden on the entities doing business in the United States.
Summary
The Corporate Transparency Act (CTA) was enacted as part of the Anti-Money Laundering Act (AMLA) of 2020 and is intended to expand and modernize the U.S. government’s ability to collect beneficial ownership information in order to deter money laundering, corruption, tax evasion, fraud, and other financial crime. The CTA requires FinCEN to:
- Implement rules for the reporting of beneficial ownership information (BOI) of legal entities organized or registered to conduct business in the U.S.
- Develop protocols for access to, and the sharing of reported BOI
- Amend the current Customer Due Diligence (CDD) Rule applicable to financial institutions to account for the new requirements of the CTA
This final rule applies only to beneficial ownership. FinCEN must still issue two additional proposed rulemakings under the CTA addressing items 2 and 3 above related to access and CDD.
The final rule is effective January 1, 2024. Companies required to report that are created or registered prior to the effective date will have a one-year grace period (January 1, 2025) to file their initial BOI reports. Reporting companies created or registered on or after the effective date will have 30 days to file their initial reports with FinCEN. Exempt entities that no longer qualify for exemption under the regulation will be required to file a report within 30 calendar days of the date they no longer meet the exemption criteria.
What is a Reporting Company?
Reporting Companies are both domestic and foreign. The final rule defines each type as follows:
- Domestic Reporting Companies: Any corporation, limited liability company, or other entity that is created by the filing of a document with a secretary of state or any similar office under the law of a State or Indian tribe[2]; and
- Foreign Reporting Companies: Any corporation, limited liability company, or other entity, that is formed under the law of a foreign country; and registered to do business in any State or tribal jurisdiction by the filing of a document with a secretary of state or any similar office under the law of a State or Indian tribe.
The CTA exempts twenty-three[3] specific types of entities from the definition of “reporting company.” Consistent with the proposed rule, categories of exempted entities include:
- SEC reporting issuers
- Banks and credit unions
- Tax-exempt entities
- MSBs registered with FinCEN
- Broker-dealers
- U.S. government authorities
Also exempt from the final rule are:
- Large operating companies: employ more than 20 full-time employees in the U.S. and have an operating presence at a physical office within the U.S. and filed a federal income tax or information return in the U.S. for the previous year demonstrating more than $5,000,000 in gross receipts or sales.
- Inactive entities: in existence on or before January 1, 2020, and meet other requirements[4]
- Pooled investment vehicles: operated or advised by a qualifying bank, credit union, broker-dealer, investment company, investment adviser, or venture capital fund adviser[5]
- Subsidiaries: whose ownership interests are controlled or wholly owned, directly or indirectly, by one or more exempt entities subject to exception.
- Investment companies and investment advisers: registered with the SEC
- Venture capital fund advisers: that have filed Item 10, Schedule A, and Schedule B of Part 1A of Form ADV, or any successor thereto, with the SEC.
What information must be reported?
As previously discussed, domestic or foreign entities registered after January 1, 2024, must file an initial report with FinCEN within 30 days after formation or registration while reporting companies registered prior to the January 1, 2024, effective date will have a one-year grace period.
Reporting Companies
The initial report must include the following about the reporting company in order to comply with the rule:
- Full name and address;
- Trade or fictitious names used;
- Address of the principal place of business
- Jurisdiction of formation or, in the case of a foreign company, jurisdiction in which first registered; and
- Taxpayer Identification Number (TIN), or where a foreign reporting company has not been issued a TIN, a tax identification number issued by a foreign jurisdiction.[6]
Beneficial Owners and Company Applicants
The initial report must also include the following information about each beneficial owner and company applicant:
- Full legal name;
- Date of birth;
- Current address;
- A unique identifying number from a non-expired passport, driver’s license, government-issued ID, or identification document issued by a State or local government or tribe; and
- An image of the document showing the unique identifying number.
A FinCEN unique identifier may also be obtained. A FinCEN identifier is issued by FinCEN to individuals and reporting companies, and an individual may apply for a unique identifier if the individual submits to FinCEN the same four pieces of identifying information as required for the BOI report.
It is noted that obtaining a unique identifier may reduce the burden on reporting companies of keeping BOI up to date as well as mitigate privacy concerns inherent with document retention.
Beneficial Owners
Similar to the current CDD rule, the BOI final rule requires the reporting of beneficial ownership concerning (1) beneficial owners; and (2) company applicants of the reporting company.
- The term “beneficial owner” is defined in terms of both ownership and control, similar to that of the current CDD rule.
- “Ownership” is defined as any individual who, directly or indirectly, exercises substantial control over a reporting company or who owns or controls at least 25% of the ownership interests of a reporting company.
Substantial Control
The final rule establishes three specific, yet broad, indicators of substantial control. “Substantial Control” includes:
- Serves as a senior officer of a reporting company (not including those who serve as a corporate secretary or treasurer);
- Has authority over the appointment or removal of any senior officer or a majority of the board of directors;
- Directs, determines, or has substantial influence over important decisions made by a reporting company[7]; or
The final rule also indicates that an individual may directly, or indirectly, including as a trustee of a trust or similar arrangement, exercise substantial control over a reporting company through:
- Board representation;
- Ownership or control of a majority of the voting power or voting rights of a reporting company;
- Rights associated with any financing arrangement or interest in a company;
- Control over one or more intermediary entities that separately or collectively exercise substantial control over a reporting company
- Arrangements or financial or business relationships, whether formal or informal, with other individuals or entities acting as nominees; or
- Any other contract, arrangement, understanding, relationship, or otherwise.
Company Applicants
In addition to beneficial owners, the reporting company must also report the “company’s applicant.” A “company applicant” is defined as the individual who directly files the document to create or register the reporting company and the individual who is primarily responsible for directing or controlling such filing if more than one individual is involved in the filing.
This requirement is only applicable to reporting companies created or registered on or after the January 1, 2024, effective date.
Certification
Under the final rule, each reporting company is required to certify that its report or application is true, correct, and complete. The final rule also clarifies that the certification requirement applies to any report or application submitted to FinCEN pursuant to 31 CFR 1010.380(b), such as an application for a FinCEN ID, not just to a BOI report submitted by a reporting company.[8] FinCEN recognized in the final rule that much of the information required to be reported about beneficial owners and applicants will be provided to reporting companies by those other individuals. However, the structure of the CTA deliberately places the responsibility for reporting this information on the reporting company itself.
While an individual may file a report on behalf of a reporting company, the reporting company is ultimately responsible for the filing. The same is true of the certification. Under the final rule, the reporting company is required to make the certification and any individual who files the report as an agent of the reporting company will certify on the reporting company’s behalf.
Timing Requirements
As previously discussed, the final rule imposes specific timing requirements for the filing of BOI reports as well as updates and corrections to information submitted. Newly created entities (domestic and foreign reporting companies) must file the initial BOI reports within 30 days after formation or registration. Existing reporting companies have until January 1, 2025, to file with FinCEN.
Reporting companies must also update information in a timely manner as well as correct any inaccurate information filed in the BOSS. The final rule requires an updated report to be filed within 30 days after any change in the information reported to FinCEN. This includes any change in beneficial ownership information as well as any change in previously reported beneficial ownership or company applicant. Additionally, the final rule requires that a corrected report be filed within 30 days after the reporting company becomes aware of any inaccuracies.
[1] See NDAA for Fiscal Year 2021, H.R. 6395, 116th Congress (2020) Sec. 6401-6403.
[2] FinCEN believes this definition will exclude many sole proprietorships, trusts, and general partnerships, subject to applicable State or tribal law.
[3] See 31 U.S.C. 5336(a)(11)(B)(i)–(xxiii)
[4] FR, Vol. 87, No.189, p. 59545
[5] FinCEN further notes that the term “pooled investment vehicle” encompasses a wide variety of investment products with a wide range of names and structures, which present a range of risk profiles. It is accordingly impracticable for FinCEN to prospectively opine on the applicability of the exemption to specific structures that may not carry the name “pooled investment vehicle.” However, as a general principle, FinCEN notes that a vehicle’s eligibility for this exemption does not hinge on its nominal designation, but rather on whether the vehicle or entity satisfies the elements articulated in the final regulatory text.
[6] The proposed rule did not require that reporting companies provide the TIN
[7] Including decisions regarding: (1) The nature, scope, and attributes of the business of the reporting company, including the sale, lease, mortgage, or other transfer of any principal assets of the reporting company;
(2) The reorganization, dissolution, or merger of the reporting company;
(3) Major expenditures or investments, issuances of any equity, incurrence of any significant debt, or approval of the operating budget of the reporting company;
(4) The selection or termination of business lines or ventures, or geographic focus, of the reporting company;
(5) Compensation schemes and incentive programs for senior officers;
(6) The entry into or termination, or the fulfillment or non-fulfillment, of significant contracts;
(7) Amendments of any substantial governance documents of the reporting company, including the articles of incorporation or similar formation documents, bylaws, and significant policies or procedures;
Rule Summary: FRB 12 CFR Part 235; Regulation II; Debit Card Interchange Fees and Routing
NASCUS Legislative and Regulatory Affairs Department
November 1, 2022
The Board of Governors adopted a final rule amending Regulation II Debit Card Interchange Fees and Routing [1] on October 11, 2022. The final rule specifies that the requirement that each debit card transaction must be able to be processed on at least two unaffiliated payment card networks applies to card-not-present transactions, clarifies the requirement that debit card issuers ensure that at least two unaffiliated networks have been enabled to process debit card transactions, and standardizes and clarifies the use of certain terminology.
Amendments to Regulation II become effective July 1, 2023.[2]
Background
The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) was enacted on July 21, 2010[3], amending the Electronic Fund Transfer Act (EFTA) (15 U.S.C. 1693 et seq.) to add a new section 920. EFTA Section 920 directed the Board to prescribe regulations that limit restrictions issuers and payment card networks (networks) may place on the processing of debit card transactions. These requirements included prohibiting exclusivity arrangements with networks for debit card transaction processing and prohibiting issuers or networks from restricting the ability of a merchant to choose among networks enabled to process debit card transactions.
As a result of these changes, the Board of Governors promulgated Regulation II in July 2011[4], including Sections 235.7(a) and (b).
On May 13, 2021, the Board proposed to amend Regulation II’s prohibition on network exclusivity to clarify that debit card issuers should enable at least two unaffiliated networks for card-not-present debit card transactions.[5]
The Board received slightly more than 2,750 comment letters in response to the proposal, including 1,700 from debit card issuers (all depositories or related trade associations), approximately 1,000 from merchants and related trade organizations, five network providers, three federal agencies, three government officials, and approximately 40 from interested consumers or consumer groups. Approximately 2,600 of the letters were one of 11 form letters.
Summary
The Board adopted amendments to §235.7(a)(2) and the commentary of Appendix A to §235.7(a) substantially consistent with the initial proposal but with modest changes to address issues raised by commenters.
Specifically, §235.7(a)(2) of the final rule provides that an issuer satisfies the prohibition on network exclusivity only if the issuer enables at least two unaffiliated networks to process an electronic debit transaction, where such networks satisfy two requirements:
- The enabled networks in combination must not, by their respective rules or policies or by contract with other restrictions imposed by the issuer, result in the operation of only one network or only multiple affiliated networks for a geographic area, specific merchant, particular type of merchant, or particular type of transaction.
- The enabled networks must have each taken steps reasonably designed to be able to process the electronic debit transactions that they would reasonably expect will be routed to them based on the expected volume.
The notice states that the Board believes §235.7(a)(2) final language clarifies the requirement to “enable” at least two unaffiliated networks.
The Board also adopted amendments to Appendix A to Part 235 Official Board Commentary on Regulation II to clarify that §235.7(a) does not require an issuer to ensure that two or more unaffiliated networks will be available to the merchant to process every electronic debit transaction. To comply with §235.7(a) it is sufficient for an issuer to configure each of its debit cards so that each electronic debit transaction performed with such card can be processed on at least two unaffiliated networks, even if the networks that are actually available to the merchant for a particular transaction are limited by other factors, including card acceptance technologies that a merchant adopts or the networks that the merchant accepts.
Finally, the Board adopted other non-substantive changes to terminology outside the aforementioned amendments to Appendix A to Part 235 Official Board Commentary on Regulation II to Part 235.7(b).
[1] Federal Register announcement can be found at https://www.federalregister.gov/documents/2022/10/11/2022-21838/debit-card-interchange-fees-and-routing
[2] Section 302 of the Riegle Community Development and Regulatory Improvement Act, Pub. L. 103–325, requires that amendments to regulations prescribed by a federal banking agency that impose additional requirements on insured depository institutions must take effect on the first day of a calendar quarter that begins on or after the date of publication in the Federal Register. 12 U.S.C. 4802. Consistent with this requirement, the effective date of the final rule is July 1, 2023.
[3] Public Law 111–203, 124 Stat. 1376 (2010)
[4] Regulation II, Debit Card Interchange Fees and Routing, codified at 12 CFR part 235. Regulation II also implements a separate provision of EFTA section 920 regarding debit card interchange fees.
[5] 86 FR 26189 (May 13, 2021). The original proposal requested public comment by July 12, 2021, but the Board later extended the comment period an additional 30 days to August 11, 2021. 86 FR 34644 (June 30, 2021).
Treasury Request for Comment Summary: Federal Insurance Response to Catastrophic Cyber Incidents
In response to a Government Accountability Office report, the Federal Insurance Office in the Department of Treasury issued a notice requesting comment from the public on whether there should be a federal insurance response related to cyber insurance and catastrophic cyber incidents.
Comments are due by November 14, 2022, and the notice can be found here.
Summary
The Government Accountability Office (GAO) issued a report in June 2022 recommending that the Federal Insurance Office (FIO) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) conduct a joint assessment to determine “the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response.”
The FIO is seeking public comment as to whether a federal insurance response to “catastrophic” cyber incidents may be warranted, as well as how such an insurance response should be structured and other related issues. The FIO is also seeking comment on issues concerning the risks of catastrophic cyber incidents to critical infrastructure, the potential quantification of such risks, the extent of existing private market insurance protection for such risks, whether a federal insurance response is warranted, and how such a federal insurance response, if warranted, should be structured.
The FIO seeks feedback on a number of topics such as:
- Catastrophic cyber incidents
- Nature of Event
- Measuring financial and insured losses
- Cybersecurity Measures
- Potential Federal Insurance Response from Catastrophic Cyber Incidents
- Insurance Coverage Availability
- Data and Research
- Federal Insurance Response
- Potential Structures for Federal Insurance Response
- Potential Models
- Participation
- Scope of Coverage
- Cybersecurity Measures
- Moral Hazard
- Risk Sharing
- Reinsurance/Capital Markets
- Funding
- Evaluation/Data Collection
- Limitations
- Effects on cyber insurance market