Federal Reserve/FDIC/OCC: Joint Statement on Crypto-Asset Risks to Banking Organizations

Federal Reserve/FDIC/OCC
Joint Statement on Crypto-Asset Risks to Banking Organizations

Summary
January 8, 2023

The Board of Governors of the Federal Reserve System (Federal Reserve), the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) have issued a Joint Statement on Crypto-Asset Risks to Banking Organizations outlining the agencies’ concerns with the volatility and vulnerabilities of crypto-assets and the risks of which banking entities engaged with crypto-assets should be aware. The banking agencies use “crypto-asset” to refer to a digital asset implemented using cryptographic techniques.

NCUA is not a participant to the Joint Statement.

In the Joint Statement, the bank agencies emphasize:

  • The need to prevent crypto-asset sector risks that cannot be mitigated from infecting the banking sector.
  • That the banking agencies continue to take a cautious approach to crypto-asset related activities in banks.
  • That banks are neither prohibited nor discouraged from providing banking services to customers of any specific class or type, as permitted by law or regulation.
  • That a bank issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system was likely inconsistent with safety and soundness.
  • That the banking agencies have significant safety and soundness concerns with business models that are concentrated in crypto-asset-related activities or have concentrated exposures to the crypto-asset sector.
  • Banks are advised to implement appropriate risk management related to crypto-assets such as board oversight, policies, procedures, risk assessments, controls, gates and guardrails, and monitoring.

In the Joint Statement, the bank agencies highlight the following risks related to crypto-assets:

  • Risk of fraud and scams among crypto-asset sector participants
  • Legal uncertainties related to custody practices, redemptions, and ownership rights
  • Inaccurate or misleading representations and disclosures by crypto-asset companies and unfair, deceptive, or abusive acts and practices
  • Significant volatility in crypto-asset markets
  • Susceptibility of stablecoins to run risk and potential deposit outflows for banks holding stablecoin reserves
  • Contagion risk within the crypto-asset sector resulting from interconnections among certain crypto-asset participants
  • Concentration risk for banks resulting from the interconnected nature of the crypto-asset sector
  • Lack of maturity and robustness of risk management and governance practices in the crypto-asset sector
  • Heightened risks associated with open, public, and/or decentralized networks:
  • Absence of formal internal governance/system oversight
  • Lack of contractual established ownership/roles/responsibilities/liabilities
  • Vulnerability to cyber attacks
  • Potential for illicit finance
NCUA Proposed Rulemaking Summary 2022-0185
NCUA Rules 701 AND 714: Financial Innovation: Loan Participations, Eligible Obligations, and Notes of Liquidating Credit Unions

NASCUS Legislative and Regulatory Affairs Department
January 6, 2023

Background

The NCUA Board[1] approved for publication NPRM NCUA 2022-0185[2]. Published in the Federal Register on December 29, 2022[3], the proposal entitled Financial Innovation: Loan Participations, Eligible Obligations, and Notes of Liquidating Credit Unions seeks to amend 12 CFR Parts § 701 and § 714.  Comments on the NPRM are due February 28, 2023.

The proposed amendments apply to §§701.21, 701.22, 701.23, and 714.9 related to loans and lines of credit to members; the purchase of loan participations and the purchase, sale, and pledge of eligible obligations (including notes from liquidating credit unions).

The proposed amendments are intended to add clarity to the NCUA’s regulations and provide additional flexibility to federally insured credit unions (FICUs) in the use of advanced technologies and other opportunities provided by the financial technology (Fintech) sector.

The proposed amendments attempt to conform NCUA’s rules regarding the aforementioned investment/loan related rules by amending definitions of indirect lending and indirect leasing arrangements to be consistent with concepts outlined in NCUA Legal Opinion 15-0813, Loan Participations in Indirect Loans – Originating Lender[4].

The majority of the proposed changes only apply to FCUs with the exception of amendments to specific sections of §701.22 (participations).  However, the proposed amendments could indirectly impact FISCUs in cases where state agencies use similarly defined state regulations related to the determination of a purchased investment being classified as a loan to member, a participation, or a purchased obligation of a member.  Of particular interest are the proposed amendments found in §701.21.

This summary will highlight the material implications of the changes that directly affect FISCUs and those with the potential to indirectly impact FISCUs through indirect, definitional and/or SSA adoption of NCUA like rules and regulations.

Summary

The following summarizes the material changes proposed to each applicable section as part of the NPRM.

701.21 (Loans to members and lines of credit to members)

Provisions of § 701.21 apply to FCUs with only the following provisions applying to FICUs:

  • Insider lending restrictions as outlined in (c)(8);
  • Non-preferential treatment requirements to FISCU officials or related parties outlined in (d)(5); and
  • Third-party servicing of indirect vehicle loan limitations found in (h).

The NCUA Board is proposing to amend the rule by adding a new paragraph §701.21(c)(9) clarifying the definition of indirect lending and indirect leasing arrangements.  None of these changes relate directly to state-chartered credit unions but may impact state language similarly adopted or bound by definitions in §701.21.  This new language is intended to replace language currently found in §701.23(b)(4)(iv), which would be removed.

Under the proposed §701.21(c)(9) indirect lending and leasing agreements would be defined as written agreements to purchase loans or leases from an originating entity where the purchaser (1) makes the final underwriting decision, and (2) the loan or lease agreement is assigned to the purchaser very soon after it is signed by the member and the originating entity.   It is presumed that loans assigned “very soon after” the agreement between the consumer and the third-party retailer indicate the retailer acts as a facilitator of the loan as opposed to the true initial lender.

The length of time that satisfies the “very soon after” depends on the nature of the loan, the practical realities of assigning certain kinds of loans in the current marketplace and in accordance with prevailing industry standards.[5]  The NPRM states that while “very soon after” is generally determined on a case-by-case basis as described above, the longer the period between the formation of the contract and its assignment, the more likely the program will be viewed as involving the purchase of an eligible obligation rather than the making of a loan.[6]

Presuming such indirect lending or leasing arrangement requirements are met would indicate such investments would be classified as loans to members, as authorized by §701.21, and not as the purchase of an eligible obligation of a member as authorized by §701.23.

701.22 (Loan Participations)

FISCUs must comply with all provisions of §701.22, except (b)(4) which requires a borrower to become a member of one of the participating credit unions before the purchasing federally insured credit unions purchases a participation interest in the loan.

The NCUA Board is proposing to amend the rule by adding clarification to the introductory paragraph and codify NCUA Legal Opinion 15-0813.  This language would clarify that a FICU engaged in an indirect lending relationship can meet the definition of an “eligible organization” under §701.22, provided the FICU meets certain conditions.

Specifically, a FICU would be considered the originating lender and meet the definition of an “eligible organization” if the FICU (1) makes the final underwriting decision regarding the loan, and (2) the loan is assigned to the purchaser very soon after the inception of the obligation to extend credit.  An “originating lender” is defined as a participant with which the borrower initially or originally contracts for a loan and who, thereafter or concurrently with the funding of the loan, sells participations to other lenders.  An originating lender specifically includes a participant that acquires a loan through an indirect lending arrangement as defined under §701.21(c)(9).

The NPRM states the change is intended by the NCUA Board to clarify that a FICU can meet the definition of “originating lender” in certain transactions where the FICU is engaging in indirect lending arrangements with Fintech companies and other third-party loan acquisition channels, such as Credit Union Service Organizations (CUSOs) or other loan-originating retailers.

701.23 (Purchase, sale, and pledge of eligible obligations)

The NCUA Board is proposing to amend the rule through certain clarifying and conforming amendments to the introductory paragraph of §701.23.  No part of §701.23 applies to FISCUs.

Proposed amendments include the deletion of §701.23(b)(4) which excludes certain loans acquired through indirect lending and leasing arrangements from the 5-percent limit on the aggregate of the unpaid balance of certain loans purchased under §701.23.  Excluded loans include student loans, real estate loans, and eligible obligations purchased in accordance with §701.23(b)(4)(b)(1)(iii), (iv), or (i) or purchased through indirect lending arrangements defined in §701.23(b)(4)(iv).  These limitations would be removed and instead, such investments may meet the definition of a loan to a member under the proposed language of §701.21(c)(9).  The 5-percent limitation to unimpaired capital and surplus of the FCU purchaser would still apply to purchases of eligible obligations from liquidating FCUs and FICUs under §701.23(b)(1)(ii) and (2)(ii)

This change, in conjunction with the other changes in §701.21, is intended to provide clarification on the long-standing interpretation[7] that credit instruments acquired by an FCU pursuant to an indirect lending arrangement are considered loans made by the FCU under §701.21, if the aforementioned conditions of underwriting and timeliness of assignment are met, rather than eligible obligations purchased under §701.23.

Amendments to §701.23 would also include removing the CAMELS ratings and well-capitalized requirement found under §701.23(b)(2) for FCU purchases of certain non-member loans from FICUs and add principle-oriented safety and soundness requirements to section §701.23(b)(i)-(vi) concerning the purchase of eligible obligations.  These new safety and soundness requirements are proposed to offset the removal of the CAMELS/ well-capitalized requirements and the 5-percent limit constraints.

The proposed safety and soundness requirement additions on the purchasing FCU related to eligible obligations or notes from a liquidating credit union include:

  • Establishing written, board-approved policies, risk assessments, and risk management process requirements commensurate with the size, scope, type, complexity, and level of risk posed by the planned purchase activities.
  • Conducting due diligence on the seller prior to purchase.
  • Initiating written loan purchase agreements with provisions established in §701.22.
  • Conducting a legal review and assessment of applicable loan purchase agreements or contracts to protect the FCU’s legal and business interests from undue risk

Additional safety and soundness requirements to §701.23(c) relate to the selling FCU and include:

  • Obtaining a legal review and assessment of all applicable loan sale agreements on contracts.
  • Identifying the specific loan(s) being sold either directly in the written loan sale agreement or through a document incorporated by reference in the loan sale agreement.

The NPRM proposes to amend §701.23(b)(5) to broaden the grandfather provision of that section to include purchased obligations where the investments were made in compliance with the current rule so long as updated risk assessments, established concentration limits, and risk monitoring appropriate for safety and soundness are still effective.

Finally, the addition of §701.23(b)(6) implies requirements that purchases of eligible obligations from liquidating credit unions must comply with the purchasing FCUs internal written purchase policies, which must:

  • Require that the purchasing FCU conduct due diligence on the seller of the loans and other counterparties to the transaction prior to purchase.
  • Establish risk assessment and management process requirements that are commensurate with the size, scope, type, complexity, and level of risk posed by the panned loan purchase activities.
  • Establish internal underwriting and ongoing monitoring standards commensurate with the size, scope, type, complexity, and level of risk posed by the activities.
  • Require that the written agreement include (1) the specific loans purchased, the location and custodian of the original loan documents, an explanation of the duties and responsibilities of the seller, servicer, and all parties with respect to all aspects of the loans being purchased, and the circumstances and conditions under which the parties to the agreement may replace the servicer when the seller retains the servicing rights.
  • Establish portfolio concentration limits by loan type and risk category in relation to net worth commensurate with the size, scope, and complexity of the credit unions loan purchases.
  • Address when a legal review of agreements or contracts will be performed to ensure that the legal and business interests of the credit union are protected.

714.9 (Indirect leasing arrangements subject to the purchase of eligible obligation limit set forth in § 701.23)

The NCUA Board is seeking amendments to the rule proposing certain clarifying and conforming amendments. No part of §714.9 applies to state-chartered credit unions.

Proposed amendments would eliminate §714.9 completely as the amendments to the NPRM proposed under §701.23 to remove (b)(4)(iv) would no longer apply the 5-percent limitation to any purchases of eligible obligations, therefore, the current §714.9 would be rendered unnecessary.  Further, the definition of indirect leasing arrangements, previously addressed here, is now defined in §701.21(c)(9).

[1] Board agenda available at https://ncua.gov/files/agenda-items/financial-innovation-proposed-rule-20221215.pdf

[2] Available at https://www.regulations.gov/document/NCUA_FRDOC_0001-0309

[3] Available at https://www.federalregister.gov/documents/2022/12/30/2022-27607/financial-innovation-loan-participations-eligible-obligations-and-notes-of-liquidating-credit-unions

[4]NCUA Legal Op. 15-0813 (Aug. 10, 2015) available at https://www.ncua.gov/regulation-supervision/legal-opinions/2015/loan-participations-indirect-loans-originating-lenders.

[5] The preamble to the 1998 proposal to amend the eligible obligations rule requested public comment on whether the NCUA should specify a certain number of days as constituting “very soon.” 63 FR 41976, 41977 (Aug. 6, 1998). After considering the comments, however, the NCUA Board determined not to specifically define it because it wanted to provide FCUs with flexibility under various circumstances. The NCUA Board also clarified that assignment of the loan means acceptance of the loan and not necessarily the physical receipt of the loan documentation, recognizing that acceptance and payment are often done electronically. However, physical receipt of the loan documents by the FCU should occur within a reasonable time following acceptance of the loan. 63 FR 70997, 70998 (Dec. 23, 1998); see also NCUA Legal Op. 97-0546 (Aug. 6, 1997) (Concluding that an indirect lending arrangement where the retailer made a loan and assigned it to the purchasing credit union within one business day met the “very soon after” timing requirement.).

[6] 63 FR 41976, 41977 (Aug. 6, 1998).

[7] See, e.g., NCUA Legal Op. 97-0546 (Aug. 6, 1997), available at https://www.ncua.gov/regulation-supervision/legal-opinions/1997/indirect-lending.

NCUA Letter to Federal Credit Unions 22-FCU-03

NASCUS Legislative and Regulatory Affairs Department
December 10, 2022

On December 7, 2022, NCUA issued NCUA Letter 22-FCU-03[1] regarding the Expiration of Emergency Exemption from Certain In-Person Meeting Requirements.

The letter discusses the implications of three NCUA letters issued on March 2020, November 2020, and November 2021[2] providing federal credit unions (FCU) flexibility during the pandemic related to annual meetings. Specifically, the NCUA recognized the challenges intrinsic to the pandemic to physically conducting member meetings.  As a result of the letters, FCUs were allowed to conduct membership and board meetings completely virtually.  These emergency exemptions were set to expire on December 31, 2022.

Additionally, the NCUA allowed FCUs to approve, with a 2/3 board passage, bylaw language changes to article IV that would allow FCUs to invoke virtual-only meetings if a majority of the directors passed a resolution for each such meeting.  The letters provided specific wording for this bylaw amendment.

Summary

With this letter, NCUA is providing notice that the emergency conditions present to justify the flexibility enjoyed by FCUs to invoke virtual-only meetings is no longer present, and those emergency provisions will expire. FCUs that have adopted the bylaw amendment may retain it in their bylaws, but it will not be applicable after 2022 unless NCUA issues a new notification allowing it to be invoked.

NCUA also states that while “virtual-only” meetings will no longer be an option, FCUs will still have the option to best meet their needs[3] by conducting hybrid meetings that include an in-person AND virtual element.

While NCUA will permit a hybrid format, federal credit unions will still be required to meet the general quorum requirements, including counting participants in both the in-person and virtual aspects of the hybrid meeting.

NCUA believes that using a hybrid meeting format could preserve FCU resources and reduce the effort required to hold meetings without disenfranchising members for whom virtual attendance is difficult or impossible.

NCUA cautions its institutions to consider whether their current bylaws authorize hybrid meetings or whether bylaw changes would be necessary.

Finally, NCUA reminded FCUs of certain related bylaws provisions including:

  • Bylaws that permit FCU boards to conduct “virtual-only” meetings for all but one of their board meetings per calendar
  • If a quorum is obtained by “in person” attendees at the one required in-person meeting, the remaining board members could continue to attend virtually[4],
  • FCU bylaws permit flexibility for distributing member notices, including the option to provide such notices electronically if a member chooses to opt in[5].

[1] www.ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/expiration-emergency-exemption-certain-person-meeting-requirements?utm_medium=email&utm_source=NCUAgovdelivery#ftn_2

[2]Letter to Federal Credit Unions, 20-FCU-02, “NCUA Actions Related to COVID-19 – Annual Meeting Flexibility;” Letter to Federal Credit Unions, 20-FCU-04, “Federal Credit Union Meeting Flexibility During the COVID-19 Pandemic;” Letter to Federal Credit Unions, 21-FCU-06, “Federal Credit Union Meeting Flexibility in 2022 Due to the COVID-19 Pandemic.”

[3]12 C.F.R. Part 701, Appendix A, Official NCUA Commentary, Article V.

[4]Id. Article VI, § 5.

[5]Id. Article IV, § 2.

Summary re: CFPB Consumer Financial Protection Circular 2022-07: Reasonable Investigation of Consumer Reporting Disputes

12 CFR Chapter X

The Consumer Financial Protection Bureau (CFPB) issued this circular to respond to two questions regarding the responsibilities of consumer reporting agencies.

The Bureau released this circular on its website on November 10, 2022, and the circular can be accessed here.

Summary

Congress enacted the Fair Credit Reporting Act (FCRA) to “prevent consumers from being unjustly damaged because of inaccurate or arbitrary information in a credit report. The Bureau notes that a central component of the protections against inaccurate information is the requirement to conduct a reasonable investigation of consumer disputes.  Since its enactment, the FCRA has required consumer reporting agencies to investigate consumer disputes.  Additionally, in 1996 Congress amended the FCRA to also impose “duties on the sources that provide credit information to CRAs (consumer reporting agencies) called “furnishers” in the statute.

In the circular, the Bureau responds to the questions:

  1. Are consumer reporting agencies and the entities that furnish information to them (furnishers) permitted under the Fair Credit Reporting Act (FCRA) to impose obstacles that deter the submission of disputes?
    • Consumer reporting agencies and furnishers are liable under the FCRA if they fail to investigate any dispute that meets the statutory and regulatory requirements, as described in more detail below. Enforcers may bring claims if consumer reporting agencies and furnishers limit consumers’ dispute rights by requiring any specific format or requiring any specific attachment, such as a copy of a police report or consumer report, beyond what that statute and regulations permit.
  2. Do consumer reporting agencies need to forward to furnishers consumer-provided documents attached to a dispute?
    • It depends. Enforcers may bring a claim if a consumer reporting agency fails to promptly provide to the furnisher “all relevant information” regarding the dispute that the consumer reporting agency receives from the consumer. While there is not an affirmative requirement to specifically provide original copies of documentation submitted by consumers, it would be difficult for a consumer reporting agency to prove they provided all relevant information if they fail to forward even an electronic image of documents that constitute a primary source of evidence.

 

 

High Level Summary and Discussion Guide of Outline of Proposals and Alternatives Under Consideration for SBREFA: Required Rulemaking on Personal Financial Data Rights

Section 1033(a) of the Dodd Frank Act authorizes the Consumer Financial Protection Bureau (CFPB) to prescribe rules requiring a “covered person to make available to a consumer (upon request) information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions or to the account including costs, charges and usage data.

The Bureau is in the process of drafting regulations to implement Section 1033.  During the process, the Bureau is required to consult with representatives of small entities likely to be affected directly by the regulations the Bureau is considering proposing and to obtain feedback on the likely impacts the rules the Bureau is considering would have on small entities.

The summary document provides a high-level summary of regulatory provisions the CFPB is considering proposing.  The proposals address the following topics:

  • Coverage of data providers who would be subject to the proposals under consideration
    • The proposals would require a defined subset of Dodd Frank Act covered persons to be considered “data providers” such as those defined as financial institutions and card issuers.
  • Recipients of information, including consumers and authorized third parties
    • The proposals would make available information (upon request) directly to consumers and to authorized third parties.
    • The proposals would require a third party requesting information to (i) provide an authorization disclosure to inform the consumer of the terms of access; obtain the consumer’s informed, express consent and certify to the consumer that it will abide by certain obligations regarding collection, use and retention of the consumer’s information.
  • The types of information that would need to be made available
    • The proposals set forth six categories of information the Bureau is considering requiring covered data providers to make available: periodic statement information; information regarding prior transactions and deposits that have not yet settled; information about prior transactions not typically shown on periodic statements or online financial account management portals; online banking transactions that the consumer has set up but that have not yet occurred; account identity information and other information, including consumer reports obtained/used by the covered product/service to a consumer, etc.
    • The proposals also provide for four exceptions to the Section 1033(a) requirement to make information available.
  • How and when information would need to be made available, including when information made available to consumers directly and to third parties authorized to access information on their behalf
    • The proposals would require a covered data provider would be required to make information available if it has enough information from the consumer to reasonably authenticate the consumer’s identity and reasonably identify the information requested.
    • The proposals would require that covered data providers be required to make available all the information that would be covered by the proposals under consideration through online financial account management portals and to allow consumers to export the information in both human and machine readable formats.
  • Third party obligations
    • The proposals would require authorized third parties to limit their collection, use and retention of consumer information to what is reasonably necessary to provide the product/service the consumer has requested.
    • The proposals would also require authorized third parties provide consumers with a simple way to revoke authorization at any point, consistent with the consumer’s mode of authorization.
  • Record retention obligations
    • The proposals would provide for record retention requirements for covered data providers and authorized third parties to demonstrate compliance with certain requirements of the rule.
  • Implementation period
    • The Bureau seeks to ensure that consumers have the benefit of a final rule within a short timeframe, while also ensuring that covered data providers and authorized third parties have sufficient time to implement the rule.

The summary also includes questions drawn from the Outline to solicit feedback from small entity representatives on specific topics.  However, the CFPB is interested in input from SERs (small entity representatives) on all aspects of the proposals under consideration and any alternatives the CFPB should consider. The summary also includes an appendix that illustrates how the CFPB’s proposals under consideration would apply to a hypothetical transaction involving data access to an authorized third party.

The Bureau’s summary and discussion guide can be found here.  The larger, more comprehensive “Outline of Proposals and Alternatives under Consideration” can be found here and the CFPB is requesting non-SER stakeholder feedback by no later than January 25, 2023.  Stakeholders are welcome to provide written feedback on the CFPB’s proposals under consideration by emailing it to [email protected].

Final Rule Summary:
Appraisal Subcommittee; Appraiser Regulation; Temporary Waiver Requests 

NASCUS Legislative and Regulatory Affairs Department
November 21, 2022

The Appraisal Subcommittee (ASC) of the Federal Financial Institutions Examination Council (FFIEC) adopted a final rule amending temporary waiver proceedings, promulgated in 1992 pursuant to Title XI of the Financial Institutions Reform, Recovery, and Enforcement Act of 1989, as amended (Title XI). On January 13, 2022, the ASC published a related proposed rule with a 60-day public comment period.

The final rule adopts the rules of practice and procedure substantially as proposed, with the following modifications:

  • Definition of “Petition” to include State financial institutions’ regulatory agencies as potential petitioners; and
  • Clarification that either a mandatory or discretionary waiver termination requires publication in the Federal Register and that a discretionary waiver termination requires such publication with a 30-day comment period.

Summary

Section §1101.1 of the final rule clarifies the distinction between:

  • A request from a state appraiser regulatory agency (Request for Temporary Waiver in the proposed rule); and
  • Information received from other persons or entities (which could include a state appraiser regulatory agency) is referred to as “Petition” in the proposed rule.

Section §1102.2: Definitions

Petition

The proposed rule failed to include state financial institution regulators in the definition of “petition.” “Petition” in the final rule now includes State financial institution regulatory agencies as a potential petitioner.

Scarcity of Certified or Licensed Appraisers and Significant Delays in the Performance of Appraisals

The final rule retained the proposed definition of scarcity of certified or licensed appraisers and adopted the definition as the number of active certified or licensed appraisers within a State or a specified geographical, political subdivision is insufficient to meet the demand for appraisal services, and such appraisers are difficult to retain.

The final rule also adopted the definition of significant delays in the performance of appraisals which is defined as delays that are substantially out of the ordinary when compared to the performance of appraisals for similarly situated Federally Related Transactions (FRTs) based on factors such as geographic location (e.g., rural versus urban) and assignment type, and the delay is not the result of intervening circumstances outside the appraiser’s control or brought about by the appraiser’s client (e.g., inability to access the subject property).[1]

Section §1102.3: Request for Temporary Waiver

Section 1102.3(a) states that the State Appraisal Agency for the State where temporary waiver relief is sought may file a Request for Temporary Waiver.  Section 1102.3(b) sets out a complete list of requirements for a temporary waiver to be deemed received by the ASC. The list includes:

  1. A written determination by the State Appraisal Agency that there is a scarcity of certified or licensed appraisers leading to significant delays in the performance of appraisal for FRTs or a specified class of FRTs within either a portion of, or the entire State;
  2. The requirement(s) of State law from which relief is being sought;
  3. The nature of the scarcity of certified or licensed appraisers (including supporting documentation, statistical or otherwise verifiable);
  4. The extent of the delays anticipated or experienced in the performance of appraisals by certified or licensed appraisers (including supporting documentation, statistical or otherwise verifiable);
  5. How complaints concerning appraisals by persons who are not certified or licensed would be processed in the event a temporary waiver is granted; and
  6. Meaningful suggestions and recommendations for remedying the situation.

Amendments to paragraph (b) also modify the requirement for a State Appraisal Agency to provide “a specific plan for expeditiously alleviating the scarcity and service delays” to “meaningful suggestions and recommendations for remedying the situation”.  This change recognizes a situation creating scarcity and delay may be outside the control of the State Appraisal Agency.

Amendments to the final rule also include the phrase “supporting documentation, statistical or otherwise verifiable.” A Request for Temporary Waiver should include clear and specific data to support a claim that there is a scarcity of appraisers leading to significant delays in the performance of appraisals for FRTs, or a specified class of FRTs, for either a portion of or the entire State.

The final rule indicates some specific information related to the following could assist the ASC in reviewing a request for a temporary waiver:

  1. Geography – location(s) of the scarcity leading to significant delay.
  2. Transactions – types of FRTs impacted (i.e., property and transaction type(s) and transaction amount(s)).
  3. Time – length of time for waiver requested.

Section 1102.3(b) of the final rule also includes that a Request for Temporary Waiver address how complaints concerning appraisals by persons who are not certified or licensed would be processed in the event a temporary waiver is granted.

Section 1102.3(c) clarifies that a Request for Temporary Waiver will be deemed received for purposes of publication in the Federal Register for notice and comment if the ASC determines that the information submitted meets the requirements of 1102.3(b) detailed above.

Section 1102.3(d) indicates that in the event a request is deemed “not received”, it may be denied in its entirety or referred to the State Appraisal Agency for further action. In either case, the ASC is to provide written notice to the State Appraisal Agency providing an explanation for the determination.

Section §1102.4: Petition Requesting the ASC Initiate a Temporary Waiver Proceeding

For consistency with amendments to Section 1102.2(c) and the definition of “petition,” Section 1102.4(a) has been amended to include State financial institutions’ regulatory agencies as a potential petitioner.  The final rule also clarifies that a petition is a request for the ASC to exercise its discretionary authority to initiate a temporary waiver proceeding. A petition may be filed by the Federal or State financial institutions’ regulatory agencies, the regulated financial institutions, or other persons or institutions with a “demonstrable” interest in appraiser regulation, including a State Appraisal Agency.

Petitions should include:

  1. Information (statistical or otherwise verifiable) to support the existence of a scarcity of certified or licensed appraisers leading to significant delays in the performance of appraisals for FRTs or a specified class of FRTs for either a portion of, or the entire State; and
  2. The extent of the delays anticipated or experienced in the performance of appraisals by certified or licensed appraisers (including supporting documentation, statistical or otherwise verifiable).
  3. A petition may also include meaningful suggestions and recommendations for remedying the situation.

In the event a petition is submitted by a party other than a State Appraisal Agency, the party must promptly provide a copy of its petition to the State Appraisal Agency.  If further action is needed on a petition, the ASC may refer a petition back to the State Appraisal Agency, where the temporary waiver relief is sought for further evaluation, or the ASC may take further action without referring.

Section §1102.5: Order Initiating a Temporary Waiver Proceeding

Under the final rule, the ASC may exercise discretion in determining whether to issue an Order initiating a temporary waiver proceeding in response to a petition, or the ASC may exercise discretion to initiate a proceeding without the submission of a petition.

Section §1102.6: Notice and Comment

Under the final rule, the ASC will:

  • Publish promptly in the Federal Register a notice respecting:
  • A received request for a temporary waiver; or
  • An ASC Order initiating a temporary waiver proceeding

The notice of the request for temporary waiver or ASC Order shall have a 30-calendar day comment public comment period.

Section §1102.7 ASC Determination

The final rule requires the ASC, within 90 calendar days of the date of publication of the notice in the Federal Register, by Order, to grant or deny a waiver, in whole or in part, and upon specified terms and conditions, including provisions for waiver termination.

The Order shall be published in the Federal Register. In the case of an Order approving a waiver, it will only be published upon approval of the FFIEC.

Section §1102.8 Waiver Extension

Under the final rule, the ASC may initiate an extension of a temporary waiver. A State Appraisal Agency may also seek an extension by forwarding an additional written request to the ASC.

Section §1102.9 Waiver Termination

The final rule provides two types of waiver terminations.

  • Mandatory waiver termination: ASC shall terminate a temporary waiver order when the ASC determines that significant delays in the performance of appraisals by certified or licensed appraisers no longer exist.
  • Discretionary waiver termination: The ASC, at any time, may terminate a waiver Order on the finding that the terms and conditions of the waiver order are not being satisfied.

Waiver terminations are to be posted in the Federal Register. Discretionary waiver terminations require a 30-day comment period. If no further action is taken by the ASC, a discretionary waiver termination becomes final 21 calendar days after the close of the comment period.

Summary re: CFPB Consumer Financial Protection Circular 2022-06: Unanticipated Overdraft Fee Assessment Practices

12 CFR Chapter X

The Consumer Financial Protection Bureau (CFPB) has issued Consumer Financial Protection Circular 2022-06, titled “Unanticipated Overdraft Fee Assessment Practices” to respond to a question posed about whether the assessment of overdraft fees under certain instances would be considered an unfair act or practice under the Consumer Financial Protection Act (CFPA), even if the entity complies with the Truth in Lending Act (TILA) and Regulation Z and the Electronic Fund Transfer Act (EFTA) and Regulation E.

The circular became effective on October 26, 2022 and can be found here.

Summary:

The Consumer Financial Protection Act (CFPA) prohibits conduct that constitutes an unfair act or practice.  An act or practice is unfair when: (i) it causes or is likely to cause substantial injury to consumers that is not reasonably avoidable by consumers; and (ii) the injury is not outweighed by countervailing benefits to consumers or to competition.  Overdraft fee practices must comply with TILA, EFTA, Regulation Z, Regulation E and the prohibition against unfair, deceptive and abusive acts or practices in Section 1036 of the CFPA.

According to the circular, overdraft fees assessed by financial institutions on transactions that a consumer would not reasonably anticipate are likely unfair. These unanticipated overdraft fees are likely to impose substantial injury on consumers that they cannot reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition.  The circular highlights potentially unlawful patterns of financial institution practices regarding unanticipated overdraft fees and provides some examples of practices that might trigger liability under the CFPA.  The circular notes that the examples provided are illustrative and not exhaustive.

CISA Guidance Summary: Implementing Phishing-Resistant MFA — Implementing Number Matching in MFA Applications

NASCUS Legislative and Regulatory Affairs Department
November 10, 2022 

The Cybersecurity & Infrastructure Security Agency (CISA), a subordinate agency of the Department of Homeland Security (DHS) released guidance on October 31, 2022, strongly urging all organizations to implement phishing-resistant Multi-Factor Authentication (MFA) to protect against cyber threats. Additionally, CISA recommends using number matching to mitigate MFA fatigue in cases where an organization utilized push-notification-based MFA without a phishing-resistant MFA tool.

Background

CISA, a departmental agency acting as the national coordinator for critical infrastructure security and resilience, issued two fact sheets on October 31, 2022.  The first, Implementing Phishing-Resistant MFA[1], outlines the importance of MFA in authenticating access to systems.  MFA makes use of multiple factors to validate the individual accessing a system, including something you know, something you have, or something you are.  An example of different factors could include a password or pin (you know), biometric facial or fingerprint recognition (you are) and/or use of a digital certificate, specific hardware/software configuration, pin producing token (you have).

The guidance further outlines potential weaknesses utilized by threat actors to overcome such cyber defenses, including:

  • Phishing: A social engineering form in which threat actors utilize email or malicious websites to solicit information or gain access to a machine to gain access to the necessary information to access a protected network.
  • Push Bombing or Push Fatigue: Threat actors bombard a user with push notifications until they “accept” the notification and thereby grant access to the protected network.
  • The exploitation of SS & Protocol Vulnerabilities: Threat actors utilize vulnerabilities in communications systems to transfer control of the user’s phone number to a controlled SIM card.

To address these vulnerabilities, organizations are encouraged to utilize one of the following:

  • FIDO/WebAuthn Authentication: Utilizes physical tokens to authenticate to a device via USB or are hardware embedded into laptops or mobile devices as platform identity authenticators.
  • PKI-based MFA: Public Key Infrastructure utilizes smart cards or digital certificates to validate access to a system through a combination of public and private keys. Keys on the transporting hardware are accessed by a user using a password or pin and are physically connected to the device used to access the application.

The guidance understands such systems require significant infrastructure and provides a further discussion on other, less substantial, MFA tools to utilize to mitigate the potential attack avenues discussed above and how to focus on implementing a phishing-resistant MFA system.

One of the most efficient methodologies to mitigate phishing attacks on MFA discussed includes a process called number matching, the subject of the second fact sheet titled Implementing Number Matching in MFA applications[2].

This fact sheet discusses different types of MFA push prompts in which the authenticating platform provides an additional layer of protection against phishing by requiring entering a pin/password from the identity platform (i.e, your phone) into the application instead of just checking an acknowledgment on the identity platform to gain access.  In this scenario, a threat actor without the phone would not be able to access the application, and a user, fatigued by numerous access requests, cannot inadvertently allow access.

Both fact sheets provide reference material available to further research and implement appropriately hardened systems relating to MFA.

[1] Available at www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf.

[2] Available at www.cisa.gov/sites/default/files/publications/fact-sheet-implement-number-matching-in-mfa-applications-508c.pdf.

Summary re: CFPB Notice and Request for Comment Regarding the CFPB’s Inquiry Into Big Tech Payment Platforms

The Bureau ordered six large technology companies operating payments systems in the United States to provide information about certain of their business practices.  Accompanying the orders, the Director of the Bureau issued a statement and invited interested parties to submit comments to was published in the Federal Register on November 5, 2021.  The Bureau has decided to re-open the comment period for an additional 30 days to gather additional stakeholder comments.

Comments must be received by December 7, 2022, and the notice can be found here.

Summary:

On October 21, 2021, the CFPB ordered six large technology companies operating payments systems in the United States to provide information about certain of their business practices.   The orders were issued to Google, Apple, Facebook, Amazon, Square and Paypal.  The Bureau will also study the practices of the Chinese tech giants that offer payments services, such as WeChat Pay and Alipay.  The Bureau’s inquiry was intended to inform regulators and policymakers about the future of our payments system.  Stakeholders interested in commenting on the notice can find the original notice here.

The Bureau invites all interested parties to submit comments to inform the agency’s inquiry.  In addition, the Bureau is inviting comment on the following questions related to the Bureau’s inquiry:

  • What fees, fines or other penalties do large technology companies assess on users of their payment platforms, including for:
  • Purported violations of the technology companies’ acceptable use policies; or
  • Any other conduct?
  • Do the acceptable use policies for technology companies’ payment platforms include provisions that can restrict access to their platforms? If so, under what circumstances can the technology companies restrict access to their platforms?

Summary re: CFPB Bulletin 2022-06: Unfair Returned Deposited Item Fee Assessment Practices  

12 CFR Chapter X 

A returned deposited item is a check that a consumer deposits into their checking account that is returned to the consumer because the check could not be processed against the check originator’s account.  Blanket policies of charging Returned Deposited Item fees to consumers for all returned transactions irrespective of the circumstances or patterns of behavior on the account are likely unfair under the Consumer Financial Protection Act (CFPA).  The CFPB is issuing this bulletin to notify regulated entities how the Bureau intends to exercise its enforcement and supervisory authorities on this issue.   

The bulletin is effective as of November 7, 2022, and can be found here

Summary:  

The CFPA prohibits covered persons from engaging in unfair acts or practices.  Congress defined an unfair act or practice as one that (i) causes or is likely to cause substantial injury to consumers which is not reasonably avoidable and (ii) such as substantial injury is not outweighed by countervailing benefits to consumers or to competition. Blanket policies of charging “Returned Deposited Item” fees to consumers for all returned transactions irrespective of the circumstances of the transaction or patterns of behavior on the account are likely unfair.   

In addition, fees charged for Returned Deposited Items cause substantial injury to consumers.  In many instances in which fees are charged for these returned items, consumers would not be able to reasonably avoid the substantial monetary injury imposed by the fees.  An injury is not reasonably avoidable unless consumers are fully informed of the risk and have practical means to avoid it.  However, a consumer depositing a check would normally be unaware of and have little to no control over whether a check originator has funds in their account; will issue a stop payment instruction; or has closed the account.  Nor would a consumer normally be able to verify whether a check will clear with the check originator’s depository institution before depositing the check or be able to pass along the cost of the fee to check originator.   

The Bureau notes that it is unlikely that an institution will violate the prohibition if the method in which fees are imposed are tailored to only charge consumers who could reasonably avoid the injury.   

CFPB Summary re: Advisory Opinion on Fair Credit Reporting; Facially False Data
12 CFR Part 1022

The Consumer Financial Protection Bureau (CFPB) issued this advisory opinion to highlight that a consumer reporting agency that does not implement reasonable internal controls to prevent the inclusion of facially false data, including logically inconsistent information, in consumer reports it prepares is not using reasonable procedures to assure maximum possible accuracy under Section 607(b) of the Fair Credit Reporting Act (FCRA).

This advisory opinion became effective on October 26, 2022, and can be found here.

Summary:

The FCRA regulates consumer reporting.  The statute was designed to ensure that “consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information.”  The FCRA was enacted “to protect consumers from the transmission of inaccurate information about them and to establish credit reporting practices that utilize accurate, relevant, and current information in a confidential and responsible manner.”

The Bureau is issuing this advisory opinion to highlight that the legal requirement to follow reasonable procedures to assure maximum possible accuracy of the information concerning the individuals about whom the reports related includes, but is not limited to, procedures to screen for and eliminate logical inconsistencies to avoid including facially false data in consumer reports. The opinion provides a non-exhaustive list of examples of inconsistent account information/statuses and illogical information relating to consumers that could be considered problematic. Finally, the advisory opinion applies to all consumer reporting agencies as defined in FCRA Section 603(f).

Final Rule Summary
FinCEN: Beneficial Ownership Information Reporting Requirements

NASCUS Legislative and Regulatory Affairs Department
October 31, 2022

On September 30, 2022, the Financial Crimes Enforcement Network (FinCEN), issued a final rule, Beneficial Ownership Information Reporting Requirements, implementing the reporting requirements of Section 6403 of the Corporate Transparency Act (CTA)[1]. In conjunction with the final rule, FinCEN also issued a summary Fact Sheet found here.  The final rule requires certain entities to file with FinCEN reports that identify two categories of individuals: the beneficial owners of the entity, and individuals who have filed an application with specified governmental authorities to create the entity or register it to conduct business. This information will be housed within the forthcoming Beneficial Ownership Secure System (“BOSS”), a database currently under development by FinCEN.

The final rule and associated requirements are intended to help prevent and combat money laundering, terrorist financing, corruption, tax fraud, and other illicit activity while minimizing the burden on the entities doing business in the United States.

Summary

The Corporate Transparency Act (CTA) was enacted as part of the Anti-Money Laundering Act (AMLA) of 2020 and is intended to expand and modernize the U.S. government’s ability to collect beneficial ownership information in order to deter money laundering, corruption, tax evasion, fraud, and other financial crime.  The CTA requires FinCEN to:

  1. Implement rules for the reporting of beneficial ownership information (BOI) of legal entities organized or registered to conduct business in the U.S.
  2. Develop protocols for access to, and the sharing of reported BOI
  3. Amend the current Customer Due Diligence (CDD) Rule applicable to financial institutions to account for the new requirements of the CTA

This final rule applies only to beneficial ownership. FinCEN must still issue two additional proposed rulemakings under the CTA addressing items 2 and 3 above related to access and CDD.

The final rule is effective January 1, 2024. Companies required to report that are created or registered prior to the effective date will have a one-year grace period (January 1, 2025) to file their initial BOI reports. Reporting companies created or registered on or after the effective date will have 30 days to file their initial reports with FinCEN. Exempt entities that no longer qualify for exemption under the regulation will be required to file a report within 30 calendar days of the date it no longer meets the exemption criteria.

What is a Reporting Company?

Reporting Companies are both domestic and foreign. The final rule defines each type as follows:

  • Domestic Reporting Companies: Any corporation, limited liability company, or other entity that is created by the filing of a document with a secretary of state or any similar office under the law of a State or Indian tribe[2]; and
  • Foreign Reporting Companies: Any corporation, limited liability company, or other entity, that is formed under the law of a foreign country; and registered to do business in any State or tribal jurisdiction by the filing of a document with a secretary of state or any similar office under the law of a State or Indian tribe.

The CTA sets forth from the definition of “reporting company” twenty-three[3] specific types of exempt entities. Consistent with the proposed rule, categories of exempted entities include:

  • SEC reporting issuers
  • Banks and credit unions
  • Tax-exempt entities
  • MSBs registered with FinCEN
  • Broker-dealers
  • S. government authorities

Also exempt from the final rule are:

  • Large operating companies: employ more than 20 full-time employees in the U.S. and have an operating presence at a physical office within the U.S. and filed a federal income tax or information return in the U.S. for the previous year demonstrating more than $5,000,000 in gross receipts or sales.
  • Inactive entities: in existence on or before January 1, 2020, and meet other requirements[4]
  • Pooled investment vehicles: operated or advised by a qualifying bank, credit union, broker-dealer, investment company, investment adviser, or venture capital fund adviser[5]
  • Subsidiaries: whose ownership interests are controlled or wholly owned, directly or indirectly, by one or more exempt entities subject to exception.
  • Investment companies and investment advisers: registered with the SEC
  • Venture capital fund advisers: that have filed Item 10, Schedule A, and Schedule B of Part 1A of Form ADV, or any successor thereto, with the SEC.

What information must be reported?

As previously discussed, domestic or foreign entities registered after January 1, 2024, must file an initial report with FinCEN within 30 days after formation or registration while reporting companies registered prior to the January 1, 2024, effective date will have a one-year grace period.

Reporting Companies

The initial report must include the following about the reporting company in order to comply with the rule:

  • Full name and address;
  • Trade or fictitious names used;
  • Address of the principal place of business
  • Jurisdiction of formation or, in the case of a foreign company, jurisdiction in which first registered; and
  • Taxpayer Identification Number (TIN), or where a foreign reporting company has not been issued a TIN, a tax identification number issued by a foreign jurisdiction.[6]
  • Beneficial Owners and Company Applicants

The initial report must also include the following information about each beneficial owner and company applicant:

  • Full legal name;
  • Date of birth;
  • Current address;
  • A unique identifying number from a non-expired passport, driver’s license, government-issued ID, or identification document issued by a State or local government or tribe; and
  • An image of the document showing the unique identifying number.

A FinCEN unique identifier may also be obtained. A FinCEN identifier issued by FinCEN to individuals and reporting companies and an individual may apply for a unique identifier if the individual submits to FinCEN the same four pieces of identifying information as required for the BIO report.

It is noted that obtaining a unique identifier may reduce the burden on reporting companies on keeping BOI up to date as well as mitigate privacy concerns inherent with document retention.

Beneficial Owners

Similar to the current CDD rule, the BOI final rule requires the reporting of beneficial ownership concerning (1) beneficial owners; and (2) company applicants of the reporting company

  • The term “beneficial owner” is defined in terms of both ownership and control, similar to that of the current CDD rule.
  • “Ownership” is defined as any individual who, directly or indirectly, exercises substantial control over a reporting company or who owns or controls at least 25% of the ownership interests of a reporting company.

Substantial Control

The final rule establishes three specific, yet broad, indicators of substantial control. “Substantial Control” includes:

  • Serves as a senior officer of a reporting company (not including those who serve as a corporate secretary or treasurer);
  • Has authority over the appointment or removal of any senior officer or a majority of the board of directors;
  • Directs, determines, or has substantial influence over important influence over important decisions made by a reporting company[7] or;

The final rule also indicates that an individual may directly, or indirectly, including as a trustee of a trust or similar arrangement, exercise substantial control over a reporting company through:

  • Board representation;
  • Ownership or control of a majority of the voting power or voting rights of a reporting company;
  • Rights associated with any financing arrangement or interest in a company;
  • Control over one or more intermediary entities that separately or collectively exercise substantial control over a reporting company
  • Arrangements or financial or business relationships, whether formal or informal, with other individuals or entities acting as nominees; or
  • Any other contract, arrangement, understanding, relationship, or otherwise.

Company Applicants

In addition to beneficial owners, the reporting company must also report the “company’s applicant.” A “company applicant” is defined as the individual who directly files the document to create or register the reporting company and the individual who is primarily responsible for directing or controlling such filling if more than one individual is involved in the filing.

This requirement is only applicable to reporting companies created or registered on or after the January 1, 2024, effective date.

Certification

Under the final rule, each reporting company is required to certify that its report or application is true, correct, and complete. The final rule also clarifies that the certification requirement applies to any report or application submitted to FinCEN pursuant to 31 CFR 1010.380(b), such as an application for a FinCEN ID, not just to a BOI report submitted by a reporting company.[8]  Under the final rule, each reporting company will certify that its report or application is true, correct, and complete. FinCEN recognized in the final rule that much of the information required to be reported about beneficial owners and applicants will be provided to reporting companies by those other individuals. However, the structure of the CTA deliberately places the responsibility for reporting this information on the reporting company itself.

While an individual may file a report on behalf of a reporting company, the reporting company is ultimately responsible for the filing. The same is true of the certification. Under the final rule, the reporting company is required to make the certification and any individual who files the report as an agent of the reporting company will certify on the reporting company’s behalf.

Timing Requirements

As previously discussed, the final rule imposes specific timing requirements for the filing of BOI reports as well as updates and corrections to information submitted. Newly created entities (domestic and foreign reporting companies) must file the initial BOI reports within 30 days after formation or registration. Existing reporting companies have until January 1, 2025, to file with FinCEN.

Reporting companies must also update information in a timely manner as well as correct any inaccurate information filed in the BOSS. The final rule requires an updated report to be filed within 30 days after any change in the information reported to FinCEN. This includes any change in beneficial ownership information as well as any change in previously reported beneficial ownership or company applicant. Additionally, the final rule requires a corrected report must be filed within 30 days after the reporting company becomes aware of any inaccuracies.

[1] See NDAA for Fiscal Year 2021, H.R. 6395, 116th Congress (2020) Sec. 6401-6403.

[2] FinCEN believes this definition will exclude many sole proprietorships, trusts, and general partnerships, subject to applicable State or tribal law.

[3] See 31 U.S.C. 5336(a)(11)(B)(i)–(xxiii)

[4] FR, Vol. 87, No.189, p. 59545

[5] FinCEN further notes that the term “pooled investment vehicle” encompasses a wide variety of investment products with a wide range of names and structures, which present a range of risk profiles. It is accordingly impracticable for FinCEN to prospectively opine on the applicability of the exemption to specific structures that may not carry the name “pooled investment vehicle.” However, as a general principle, FinCEN notes that a vehicle’s eligibility for this exemption does not hinge on its nominal designation, but rather on whether the vehicle or entity satisfies the elements articulated in the final regulatory text.

[6] The proposed rule did not require that reporting companies provide the TIN

[7] Including decisions regarding: (1) The nature, scope, and attributes of the business of the reporting company, including the sale, lease, mortgage, or other transfer of any principal assets of the reporting company;

(2) The reorganization, dissolution, or merger of the reporting company;

(3) Major expenditures or investments, issuances of any equity, incurrence of any significant debt, or approval of the operating budget of the reporting company;

(4) The selection or termination of business lines or ventures, or geographic focus, of the reporting company;

(5) Compensation schemes and incentive programs for senior officers;

(6) The entry into or termination, or the fulfillment or non-fulfillment, of significant contracts;

(7) Amendments of any substantial governance documents of the reporting company, including the articles of incorporation or similar formation documents, bylaws, and significant policies or procedures;

 

[8] 31 CFR 1010.380(b)