Protect our Service Members and Veterans!
Two groups of people that might not be thought about when it comes to COVID-19 are our service members and veterans. However, in a recently issued joint-notification letter the CFPB and Department of Justice noted that in the coming months thousands of service members and veterans will be exiting mortgage forbearance. In preparation for this mass exodus, the CFPB and DOJ have called attention to the loss mitigation rights of our service members and veterans and the importance of identifying and addressing any issues that arise.
Complaints regarding the treatment of service members and veterans over COVID-19 forbearance issues were highlighted in this recent notice, and included the following:
1) Mortgages reported as delinquent to credit bureaus, despite the borrowers being current when entering forbearance. CARES Act guidance additionally states that even if a borrower entered forbearance in a delinquent status, if the loan was brought current during the forbearance period, then the mortgage must be reported as current.
2) Requiring lump sum payments for the mortgages to be reinstated. Guidance indicates that borrowers of a federally backed mortgage cannot be required to repay their forbearance amount in a lump sum payment if the borrower indicates they cannot afford to do so.
3) Incorrect or confusing communication about hardship forbearances. A mid-2021 amendment to Regulation X established temporary early intervention obligations to ensure that financial institutions communicated critical information to borrowers about their options and clarified when institutions are required to resume reasonable diligence efforts for borrowers exiting certain COVID-19 related hardship forbearances.
The Regulation X amendment also established temporary COVID-19 hardship protections for borrowers until the end of 2021 to help ensure that borrowers have a meaningful opportunity to be reviewed for loss mitigation before an institution can make the first notice or filing required for foreclosure on certain mortgages.
As a refresher, financial institutions must comply with the SCRA when it comes to foreclosures for service members and veterans. Creditors must obtain a court order prior to foreclosing on a mortgage for active-duty military and for one year after the service member has left active-duty military service. Foreclosures obtained in court where the service member does not make an appearance require creditors to file an affidavit with the court stating whether or not the individual is in military service or that, after making a good-faith effort, the creditor is unable to determine whether or not the individual is in military service.
So, it’s important to remember that the CARES Act granted new protections, Regulation X was amended to do likewise, and both Regulation Z and the SCRA provide their normal protections for borrowers. Together these laws and regulations form a web of important lending-related protections for United States service members and veterans, and financial institutions are reminded, as these borrowers exit forbearance, to provide all the rights afforded to them.
Privacy: FTC Updates Safeguards Rule
The FTC recently announced an update to the existing Safeguards Rule (16 CFR 314.1) that will strengthen the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information. The Safeguards Rule was mandated under the 1999 Gramm-Leach-Bliley Act. The update to the regulation is the result of years of public input which began in 2016 and helps bring the regulation in line with other agencies’ safeguards rules. The update is effective on January 10, 2022 and contains five main modifications to the existing rule.
First, the update provides more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption. While the current regulation requires institutions to undertake a risk assessment and develop and implement safeguards to address the identified risks, the update sets forth specific criteria for what the risk assessment must include and requires the risk assessment be set forth in writing. As to particular safeguards, the update requires that they address access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response. Although the update retains the requirement from the current regulation that financial institutions provide employee training and appropriate oversight of service providers, it adds mechanisms designed to ensure such training and oversight are effective. Though the update has more specific requirements than the current regulation, it still provides institutions the flexibility to design an information security program appropriate to the size and complexity of the individual institution.
Second, the update improves the accountability of institutions' information security programs, such as by requiring periodic reports to boards of directors or governing bodies. While the current regulation allows a financial institution to designate one or more employees to be responsible for the information security program, the update requires the designation of a single qualified individual. The update requires periodic reporting to boards of directors or governing bodies, which will provide senior management with better awareness of the institutions' information security programs, increasing the likelihood the programs will receive the resources required to run a successful program.
Third, the update exempts institutions that collect less customer information from certain requirements, recognizing the burden on smaller institutions. The update exempts institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the board of directors.
Fourth, the update expands the definition of “financial institution” to include entities engaged in activities incidental to financial activity. The update also adds companies that bring buyers and sellers of a product or service together, referred to as “finders,” within the scope of the regulation. Finders often have access to sensitive consumer information, and this change will require them to comply with the Safeguards Rule's requirements to protect that information.
Fifth, the update adds definitions and examples in the regulation itself rather than cross-referencing other FTC rules, which allows the regulation to be self-contained and more understandable by itself, rather than having to visit other regulations to understand this regulation.
COVID Mandate Stopped by the Supreme Court
On January 13, 2022 the U.S. Supreme Court halted the OSHA vaccine mandate. The mandate’s brief history began on September 9, 2021 when the President announced a plan to require more Americans to be vaccinated. This was followed by OSHA publishing an interim final rule issuing an emergency temporary standard (ETS). This ETS / vaccine mandate required certain employers to develop, implement and enforce a mandatory COVID-19 vaccination policy. In response, litigants around the country filed suit against OSHA to stop the mandate.
For a variety of complex legal reasons, the Fifth Circuit Court of Appeals put an indefinite hold on the mandate, an action which was reversed by the Sixth Circuit Court of Appeals about a week later. The U.S. Supreme Court overturned the decision by the Sixth Circuit and stopped OSHA from implementing the vaccine mandate permanently.
What was the mandate?
The mandate required certain employers to develop, implement and enforce a mandatory COVID-19 vaccination policy, including retention of proof of fully vaccinated status of its employees. Alternatively, employers had the option of allowing employees to undergo COVID-19 testing once every seven days and to wear a facemask while working in lieu of requiring employees to be fully vaccinated. Willful violations of the mandate were punishable with a fine of up to $136,532.
To whom did it apply?
The OSHA vaccine mandate applied to employers with at least 100 employees, but specifically exempted employees who worked from home, employees who worked by themselves, or employees who worked exclusively outdoors.
OSHA estimated that this mandate would have impacted 84.2 million workers. Based on the current COVID-19 vaccination rate in the United States, and the average age of workers, of the estimated 84.2 million workers projected to be impacted by the mandate, an estimated 52.5 million (62%) have already been vaccinated, and an estimated 31.7 million (38%) remain unvaccinated.
Supreme Court’s Reasoning
In overturning the Sixth Circuit’s decision, the Supreme Court found that OSHA lacked the authority to impose such a mandate. OSHA was created to enforce standards that are necessary to provide healthy and safe employment, not to impose rules about health and safety in general.
Authority to make rules about safety and health in general belongs only to Congress, and if Congress wants to delegate that authority to an agency like OSHA, such authority must be specifically given. The Occupational Safety and Health Act that created OSHA grants general authority for workplace health and safety standards, not specific authority to address public health risks. OSHA has the authority to regulate workplace risks, but not risks that exist outside of the workplace. Although COVID-19 is a risk in many workplaces, it is not specifically a workplace risk in most workplaces, it is a general health risk, which makes it outside of OSHA’s authority.
Things That Go Bump in the Night: What Will Keep Compliance Officers Awake in 2022
“Be afraid…Be VERY afraid.” Although the red-headed stepchildren, 2020 and 2021, did not have us morphing into fly-hybrid creatures (ok, yes, referencing 1986’s The Fly horror classic), they did bring about one of the biggest shocks to the financial services industry since the financial crash. COVID-19 took banks’ business continuity plans and other contingency measures head-on, pressuring compliance officers into addressing unknown, but now very present gaps in their compliance programs. Operational, financial, credit, legal, and regulatory compliance risks reared their heads, splaying open technology and process deficiencies, and ushering in the need to improve compliance systems at scale. We have learned compliance is more than a tick-box exercise.
As we begin the new year, it is imperative financial institutions know what lies beyond the horizon for 2022. This article addresses the top five compliance concerns of 2022.
1. BSA/AML
Financial crimes are growing, but in response, agencies are doubling down on policies and guidance to create a more transparent financial system. With the passing of the Anti-Money Laundering Act of 2020, FinCEN and the agencies are taking actions to implement changes. We are seeing an increase in attention to beneficial ownership, with regulations and guidance supporting FinCEN AML/CFT priorities. These priorities are reemphasizing enhanced AML requirements, regulations, and enforcements and provide initiatives banks need to be aware of to address many of the broader issues confronting the financial industry as a whole. This includes corruption, cybercrime (including cybersecurity and virtual currency), fraud, foreign and domestic terrorist financing, transnational criminal organization activity, drug trafficking organization activity, human trafficking and smuggling, and proliferation financing.
At this point, the AML/CFT priorities are just a preview of what is to come—no immediate changes to BSA requirements for banks or non-bank financial institutions have been made. FinCEN is charged with publishing those additional regulations regarding AML/CFT priorities. But once finalized, covered financial institutions are required to incorporate AML/CFT priorities into their risk-based AML and BSA compliance programs. Increased BSA/AML regulations and enforcements will pose risks to financial institutions, so banks should take proactive steps now and begin updating their existing compliance programs to account for AML/CFT priorities. This includes flexible compliance programs and incorporating data analytics into their audit and compliance programs to better monitor the risk areas identified in the priorities.
2. Data Protection
The Agencies issued Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, a final rule effective April 1, 2022 with a compliance date of May 1, 2022. This rule requires banking organizations to notify their regulators as soon as possible, but no later than 36 hours after identifying a significant computer-security incident that results in actual harm and rises to the level of a “notification incident,” as defined in the final rule. This rule is also applicable to a bank service provider, or a company or person that performs covered services. Bank service providers also must give notice to one designated contact at the bank via email or phone as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has or is reasonably likely to materially disrupt or degrade covered services for four or more hours.
Financial institutions and their providers need to ensure that they have the plans, policies, and procedures in place to comply with these requirements. This could include updating incident response plans to include the appropriate points of contact, performing training exercises with the new timing requirements, incorporating applicable definitions into service provider contracts, as well as updating incident response playbooks. But banks must remain cognizant of other applicable state, federal, and international security incident reporting requirements, such as the GLBA and Interagency Guidelines Establishing Information Security Standards, and BSA SAR reporting just to name a few.
3. Environmental, Social and Governance (ESG) Risk
ESG and sustainable finance have experienced a lot of encouraging progress, with meteoric growth in ESG-themed investment funds, ESG-rated loans and bonds, and the coming consolidation of ESG rating and reporting systems. But, for all this progress, the ESG landscape remains unknown. Banks are failing to align their public commitments with practice. Yet that is not without a lack of clarity and standards in ESG metrics, or the methodologies used for ratings. Social issues are coming to the forefront of public discussion as COVID-19 aids in highlighting certain social problems. Sustainable finance is not going away—banks need to consider ESG strategies, reporting accountability metrics, and data-driven insights into their compliance programs, regardless of size of the institution. Boards of Directors should begin educating themselves on the costs of these initiatives and what they could/will entail as more parameters emerge.
4. Allowance for Loan and Lease Losses (ALLL)/Allowance for Credit Losses (ACL)
For all banks, examiners will be focusing on ALLL and ACL adequacy considering any stress on credit portfolios. Because of COVID-19, regulators are evaluating banks’ actions to manage credit risk, particularly given the changes in market conditions, termination of pandemic-related forbearances, and economic uncertainties. As an industry, we are just now beginning to see what the lasting effects of COVID-19 have been on the economy and consumers. Examiners are going to be focusing on strategic and operational planning to ensure banks are maintaining positions, especially regarding capital, the allowances for credit losses, management of net interest margins, and earnings. Remaining vigilant when considering growth and new profit opportunities will demonstrate the Board’s and management’s understanding of the impact of the new activities on the bank’s financial performance, strategic planning process and overall risk profile.
5. Crypto Assets and Fintech
In 2022, banking regulators are going to continue to clarify what role traditional banks can legally play in the cryptocurrency market. The past years brought about massive changes in understanding and regulatory oversight to the cryptocurrency markets, with the OCC leading that initiative. Going forward, the agencies are planning to clearly detail the specific activities banks can engage in involving cryptocurrency, including holding it on balance sheets, issuing stablecoins, holding crypto assets, or even facilitating crypto trading on behalf of customers. It is acknowledged already that the rapid growth of cryptocurrency presents potential opportunities and risks for traditional banks, so understanding what activities are permissible, as well as the fact that a bank’s participation will rely heavily on expectations for safety and soundness, consumer protection and compliance with other existing laws and regulations remains key.
The years 2020 and 2021 faced challenges of digital transformation, and 2022 will look to stabilizing “new normal” business activities. The Fintech evolution of digital banking has increased, forcing new innovations in engaging customers and tailoring products and services. Real-time analytics also provide increased speed of service. Regulators are going to be identifying banks that are implementing significant changes to their operations using new technological innovations and will be evaluating their implementations, including use of cloud computing, artificial intelligence, and digitalization in the risk management process.
In short, 2022 is going to require progressive, forward-thinking vision. As Dr. Seth Brundlefly (played by Jeff Goldblum) said wisely: “Don’t go back to it.” 2021 brought about an unexpected mutation: forever moving forward, banks need to be considering local, national, and global financial conditions and initiatives. What we once knew as compliance concerns are continuing to shift, evolve and expand. Top industry and compliance concerns continue to emerge, so taking action to ensure your institutions will thrive in the new, exciting financial system of tomorrow is critical.