Data Protection Safeguards Enhancements for Financial Institutions
The Federal Trade Commission (FTC) recently announced a newly updated rule addressing the data security safeguards that financial institutions are required to implement to protect their customers’ financial information. Recently, data breaches and cyberattacks have become a growing concern and have resulted in significant harm to consumers. Therefore, the FTC is enhancing its Safeguards Rule in hopes that financial institutions and other entities that collect sensitive consumer data protect it better to reduce the risk of these breaches and cyberattacks. This further updates the Safeguards Rule that was mandated by Congress under the Gramm-Leach-Bliley Act in 1999, a much-needed update considering the internet has grown tremendously over the past two decades.
This new final rule adds detailed risk assessment requirements to the existing Safeguards Rule. The Final Rule requires that financial institutions address “access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response.” Training is still required, but the Rule continues to allow financial institutions the flexibility of designing an information security program that is appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.
In addition, the Rule now requires the designation of a single “Qualified Individual” who is responsible for the information security program. It also requires periodic reports to boards of directors or other governing bodies, which will provide senior management with better awareness of the information security program.
The Rule also provides an exemption for financial institutions that collect information for fewer than 5,000 consumers from the above-mentioned updates to relieve small businesses of the additional burden. However, the definition of “financial institution” has been expanded to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. This update includes finders/brokers since they often collect and maintain very sensitive consumer financial information. Finally, all of these definition changes are maintained only for this rule so that other rules are not impacted by the expansion of the definition of “financial institution.”
Many technical changes were made in this updated Safeguards Rule, but one of the most important ones to keep track of is the one regarding reporting security events to the Commission. It was not implemented in this Final Rule because the FTC did not find reporting the incident to the FTC to be helpful, and the initial proposed rule did not include such a requirement for notification. Therefore, it has been left out of this Final Rule, but the FTC has also issued a Notice of Supplemental Rulemaking that proposes that financial institutions that have determined misuse of customer information has occurred or is reasonably likely, and that at least 1,000 consumers have been affected or reasonably may be affected, would have to report the event to the FTC. The time frame would be no later than 30 days after the discovery of the event.
This update to the Safeguards Rule is one of the first for the regulations to catch up to the changing digital world that we live in today. It seems likely that many other regulations will eventually follow in adjusting to the rapidly changing times.
OCC Clarifies That a Letter of Non-Objection is Required Before Engaging in Certain Activities Involving Virtual Currency
Over the last couple of years, the Office of the Comptroller of the Currency (OCC) has been busy issuing interpretive letters regarding the authority of a national bank and a federal savings association (FSA) to conduct various activities involving virtual currency (alternatively referred to as “cryptocurrency”). The OCC’s guidance has consistently advised national banks and FSAs that they must conduct these activities in a safe and sound manner and manage and mitigate the risks inherent in these new technologies. While Interpretive Letters 1170, 1172, and 1174 advise on the legal permissibility of national banks and FSAs engaging in certain activities, the OCC has taken the position in Interpretive Letter 1179 that, prior to engaging in these activities, national banks and FSAs must notify the OCC and receive a letter of non-objection for the proposed activity.
Interpretive Letter #1170
In Interpretive Letter #1170, the OCC affirmed that a national bank or FSA may provide cryptocurrency custody services on behalf of customers. Custody services may include holding the unique cryptographic keys associated with cryptocurrency. The OCC expects a national bank or FSA planning to engage in new activities to develop and implement cryptocurrency custody services consistent with sound risk management practices and to align them with the bank’s overall business plans and strategies.
To conduct these cryptocurrency custody services in a safe and sound manner, the bank must have adequate systems to identify, measure, monitor, and control the risks of its custody services. The OCC expects such systems to include policies, procedures, internal controls, and management information systems governing custody services. When looking at internal controls, an examiner looks at how the bank safeguards assets under custody, produces reliable financial reports, and complies with laws and regulations. The OCC expects custody activities to include dual control, segregation of duties, and accounting controls. The bank’s accounting records and internal controls should ensure that the assets of each custody account are segregated from the custodian’s assets and maintained under joint control, to ensure an asset is not lost, destroyed, or misappropriated by internal or external parties. Other considerations include settlement of transactions, physical access controls, and security servicing. The bank may need to tailor such controls in the context of digital custody.
Banks should also have adequate information security infrastructure and controls to mitigate hacking, theft, and fraud. Banks should be aware that different cryptocurrencies may have different technical characteristics and require risk management procedures specific to that particular currency. Banks offering cryptocurrency custody services should develop specialized audit procedures to ensure the bank’s controls are adequate for digital custody activities. The OCC provides the example that procedures for verifying that a bank maintains access controls for a cryptographic key will differ from those used for physical assets. The OCC will review these activities as part of its ordinary supervisory processes.
Different cryptocurrencies may also be subject to other OCC regulations and guidance outside of the custody context, as well as non-OCC regulations. A national bank should consult with OCC supervisors as appropriate before engaging in cryptocurrency custody activities. Banks seeking to engage in these activities should also conduct legal analysis to ensure they perform the activities consistent with all applicable laws. The bank’s due diligence process should include a review for compliance with anti-money laundering rules.
The OCC stresses that banks should assess and address the risks associated with an individual account before acceptance. A custodian’s acceptance process should include an adequate review of the customer’s needs and wants, as well as the operational needs of the account to ensure the bank can perform the contemplated duties.
Interpretive Letter #1172
In Interpretive Letter #1172, the OCC affirmed the ability of a national bank or FSA to accept deposits that serve as reserves for certain “stablecoins.” The interpretive letter is limited in scope to stablecoins backed on a 1:1 basis by a single fiat currency where the bank verifies at least daily that reserve account balances are greater than or equal to the number of the issuer’s outstanding stablecoins. A bank providing services supporting a stablecoin project must comply with all applicable laws and regulations and ensure that it has instituted appropriate controls and conducted sufficient due diligence commensurate with the risks associated with maintaining a relationship with a stablecoin issuer.
As with any deposit product, a national bank or FSA that accepts reserve accounts should be aware of the laws and regulations relating to deposit insurance coverage, including deposit insurance limits and the requirements for deposit insurance to “pass through” to an underlying depositor, if applicable. Stablecoin reserve accounts could be structured as deposits of the stablecoin issuer or as deposits of the individual stablecoin holder, assuming the individual stablecoin holder meets the requirements for pass-through insurance. Accordingly, a national bank or FSA should provide accurate and appropriate disclosures regarding deposit insurance coverage.
A national bank or FSA must ensure that it establishes and maintains procedures to comply with the Bank Secrecy Act (BSA) and its implementing regulations, including but not limited to the customer due diligence requirements under the BSA and the customer identification requirements under section 326 of the USA PATRIOT Act. A national bank or FSA must also identify and verify the beneficial owners of legal entity customers opening accounts.
Reserves associated with stablecoins could entail significant liquidity risks. The OCC expects all banks to manage liquidity risk with a sophistication equal to the risks undertaken and complexity of exposures. A bank may also enter into appropriate contractual agreements with a stablecoin issuer governing the terms and conditions of the services that the bank provides to the issuer. Such contracts may include contractual restrictions or requirements concerning the assets held in the reserve account. The agreement may also specify the parties’ respective responsibilities, such as the steps the parties will take to ensure the appropriate party will be deemed the issuer or obligor of the stablecoin. For example, the bank should have appropriate agreements with an issuer to verify and ensure that the deposit balances held by the bank for the issuer are always equal to or greater than the number of outstanding stablecoins issued by the issuer. Such agreements should include mechanisms to allow the bank to verify the number of outstanding stablecoins regularly. In the analogous context of prepaid cards distributed and sold by third-party program managers, interagency guidance specifically contemplates banks would enter into contracts with third-party program managers permitting banks to audit the third-party program managers.
Interpretive Letter #1174
In Interpretive Letter #1174, the OCC affirmed the ability of a national bank or FSA to use new technologies, including independent node verification networks (INVNs) and related stablecoins, to perform bank-permissible functions, such as payment activities. The OCC reasoned that as banks are “the recognized intermediaries between other, non-bank participants in the financial markets and the payment systems, banks possess the expertise to facilitate the exchange of payments and securities between, and settle transactions for, parties and to manage their own intermediation position.” As such, “a bank may validate, store, and record payments transactions by serving as a node on an INVN. Likewise, a bank may use INVNs and related stablecoins to carry out other permissible payment activities. A bank must conduct these activities consistent with applicable law and safe and sound banking practices.”
The OCC cited the statement by the President’s Working Group on Financial Markets to remind banks that if they are participating in stablecoin arrangements, they “should have the capability to obtain and verify the identity of all transacting parties, including for those using unhosted wallets…. The stablecoin arrangement should have appropriate systems, controls, and practices in place to manage these risks, including to safeguard reserve assets. Strong reserve management practices include ensuring a 1:1 reserve ratio and adequate financial resources to absorb losses and meet liquidity needs.” In addition to understanding the risks generally associated with virtual currencies, banks must have the technical know-how to manage the risks in a safe and sound manner and conduct the activities in compliance with applicable law.
The OCC also highlighted the heightened BSA/AML compliance risk. The OCC expects banks that “engage in providing cryptocurrency services to customers to adapt and expand their BSA/AML compliance programs to assure compliance with the reporting and recordkeeping requirements of the BSA and to address the particular risks of cryptocurrency transactions.”
Interpretive Letter #1179
In its previous interpretive letters, the OCC has stated that certain activities surrounding cryptocurrency are legally permissible for banks to engage in, “provided the bank can demonstrate, to the satisfaction of its supervisory office, that it has controls in place to conduct the activity in a safe and sound manner.” In Interpretive Letter #1179, the OCC has clarified that to demonstrate this, the bank must “notify its supervisory office, in writing, of its intention to engage in any of the activities addressed in the interpretive letters.” The OCC will then provide a letter of non-objection if it approves the activity.
Prior to seeking supervisory non-objection, the bank should consider all applicable laws, ensure that the proposed structure of the activity is consistent with such laws, and ensure that its compliance management system will be sufficient and appropriate to ensure compliance. To obtain supervisory non-objection, the bank should demonstrate that it has “established an appropriate risk management and measurement process for the proposed activities, including having adequate systems in place to identify, measure, monitor, and control the risks of its activities, including the ability to do so on an ongoing basis.” The bank’s request should demonstrate its understanding of and preparedness for the operational risk, liquidity risk, strategic risk, and compliance risk of the proposed activity.
The OCC will “evaluate the adequacy of a bank’s risk measurement and management information systems and controls to enable the bank to engage in the proposed activities on a safe and sound basis. The supervisory office will also evaluate any other supervisory considerations relevant to the particular proposal, consulting with agency subject matter experts as appropriate. As part of that review, and in coordination with the Chief Counsel, as needed, the supervisory office will assess whether the bank has demonstrated that it understands and will comply with laws that apply to the proposed activities.”
After a bank receives supervisory non-objection, the bank may conduct the activities as outlined. The OCC will review these activities as part of its ordinary supervisory processes.
Expect more updates from the OCC and the other prudential regulators over 2022. In November, the financial regulatory agencies released the Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps, which provides a roadmap of where the agencies expect to make regulatory policy announcements. The areas highlighted in the roadmap are: crypto-asset safekeeping and traditional custody services; ancillary custody services; facilitation of customer purchases and sales of crypto-assets; loans collateralized by crypto-assets; issuance and distribution of stablecoins; and activities involving the holding of crypto-assets on balance sheet. The OCC has released the interpretive letters outlined above to discuss some of these areas, but we should expect more announcements in this space in the coming year.
Compliance Alliance is committed to helping you navigate the evolving landscape of regulatory expectations of banks adopting and working with new technologies. Members can find summaries of the OCC’s Interpretive Letters and other helpful tools in our Cryptocurrency and Digital Assets Toolkit. As always, our Hotline advisors are here to help answer specific questions.
How the New Debt Collection Rule Impacts You
At the end of November, the Consumer Financial Protection Bureau’s (CFPB’s) highly anticipated Debt Collection Rule (the “Rule”) took effect. The Fair Debt Collection Practices Act (the “FDCPA”) places numerous restrictions on what collectors can—and cannot—do when collecting debts. It also provides consumers with certain rights and remedies against those who violate any of the law’s provisions. The Rule interprets the federal FDCPA, clarifies how debt collectors can use new communication technologies, and expands the information debt collectors must provide at the outset of their debt collection efforts. There have been many questions regarding the Rule’s applicability to financial institutions, so this article is intended to address some of the most common concerns regarding the Rule’s potential impact on you and your institution.
There has been some confusion about the Rule’s applicability to banks, so, to start, the Rule is applicable to “debt collectors.” Broadly speaking, the term means any person who uses any instrumentality of interstate commerce or the mail in the collection of debts. Specifically excluded from the term is any officer or employee of a creditor collecting debts for the creditor in the creditor’s name. Put another way, if a bank is collecting its own debt in its own name, the bank is not considered a “debt collector” under the FDCPA and the Rule. If there is ever a time a bank is attempting to collect its debt under a different name, then that bank would be a “debt collector” and the Rule would be applicable.
For many of you this means the Rule will not apply to you or your collection practices, but there is still reason to understand the Rule’s requirements and even apply them to your debt collection practices. First, banks should monitor their debt collectors for compliance and ensure their practices are appropriate for risk management purposes. While the actions of a third-party debt collector will not automatically result in a bank FDCPA violation, they could lead to potential UDAAP concerns. Second, many state laws track with the FDCPA but have a wider scope. It will be important to watch for legislation at the state level that could extend these rules to community banks collecting their own debts under state law. Lastly, for UDAAP and general best practice reasons, applying the Rule to all debt collection practices, even those not subject to the Act, may at least serve as a safe harbor in claims by debtors.
In summary, while first-party creditors have avoided direct implications from the Rule thus far, there remain indirect implications. Creditors should revisit third-party vendor management requirements and update them, as appropriate, to reflect the changes and ensure the compliance of third-party debt collectors, and keep an eye on future legislation that could impact creditor debt collection practices at the state level. As always, feel free to reach us on the Hotline with any additional questions. If you are looking for more specific information on what the Rule entails, you may be interested in our summary of the Rule here: https://compliancealliance.com/find-a-tool/tool/final-rule-on-debt-collection-practices-regulation-f
Compliance Priorities for 2022
2022 is just around the corner! As we enter a new year, compliance remains a priority as financial institutions try to determine what to expect from regulators in the days to come. The FDIC and the OCC have recently released guidance to provide financial institutions with some of the areas in which they can expect to see some focus. Their guidance includes their priorities for the upcoming year and for the next few years to follow.
The FDIC released its strategic plan for 2022-2026, which outlines several strategic challenges on the horizon. One of the main focal points covered among the strategic challenges is the country’s economic status as it slowly continues to recover from a global pandemic. The FDIC states that “while the banking industry continues to perform well, the interest rate environment and economic uncertainty continue to pose challenges for many institutions. Overall, the industry must manage interest-rate risk, liquidity risk, and credit risk carefully to remain on a long-term, sustainable growth path.” The goal of the FDIC has always been, and remains, to ensure that depositors are protected against loss, and to focus on safe and sound banking practices, consumer protections, and communities. Other strategic challenges are also addressed among the FDIC’s strategic priorities, such as nonbank competition with community and regional banks, innovation, information technology and cybersecurity, economic inclusion, and workforce development and management.
The OCC set forth its supervisory priorities and objectives for fiscal year 2022, which begins October 1, 2021, and ends September 30, 2022. The fiscal year 2022 Bank Supervision Strategy Planning Guidance outlines supervision priorities that align with the OCC’s Strategic Plan for 2019-2023. One of the first areas of focus noted is the safety and soundness of strategic and operational planning, which includes “guarding against complacency”. The OCC notes that examiners will ensure that “banks remain vigilant when considering growth and new profit opportunities and will assess management’s and the board’s understanding of the impact of new activities on the bank’s financial performance, strategic planning process, and risk profile”. The OCC outlines its top examination concerns as cybersecurity, vendor management, BSA (Bank Secrecy Act), consumer compliance, and fair lending and CRA (Community Reinvestment Act), all areas of focus in the past. New areas of focus include payment products and services, fintech and cryptocurrency, and climate.
Financial institutions are familiar with, and are not likely to be surprised by, the vast majority of supervisory priorities of both the FDIC and the OCC. It is, however, critical that financial institutions pay particularly close attention to the newer areas of focus, or those areas that were not typically priorities for the agencies in past years. This means becoming familiar with the agencies’ expectations, discussing them with the bank’s Board of Directors and senior management, and reviewing compliance programs to ensure that you are prepared and in compliance.
References: 2022-2026 FDIC Strategic Plan; Fiscal Year 2022 Bank Supervision Operating Plan, Office of the Comptroller of the Currency, Committee on Bank Supervision (treas.gov)
An Update on OSHA’s Vaccine or Testing Mandate
As a bit of background, on November 5, 2021, the Occupational Safety and Health Administration (OSHA) published an emergency temporary standard (ETS) that creates binding requirements for employers of 100 or more employees, which includes many of our member banks. In OSHA’s own words, the ETS is intended to “protect unvaccinated employees . . . from the risk of contracting COVID-19 in the workplace.”
The ETS became effective immediately upon publication. Employers were originally required to comply with the requirement to request proof of vaccination status from employees by December 6, 2021. For employees who are not fully vaccinated, testing was originally required to begin by January 4, 2022.
As you might expect from these strict requirements and the short timeline, there was quite a bit of pushback. Just a day after the ETS was published, the Court of Appeals for the Fifth Circuit issued an administrative stay of enforcement, which effectively caused OSHA to pause implementation and enforcement of the ETS until further notice.
Because so many lawsuits were filed across the country, a lottery system was eventually used to determine which case challenging the ETS would be the case that the court would end up hearing. Ultimately, the Court of Appeals for the Sixth Circuit, which is based in Cincinnati, OH, won the lottery.
Shortly after, the Sixth Circuit lifted the stay, which put the ETS back into effect. Because of the delay, however, OSHA published on its website that the original compliance dates would be shifted to January 10, 2022 for the proof of vaccination status requirement and February 9, 2022 for the mandatory testing requirement for unvaccinated employees.
In yet another recent development, the U.S. Supreme Court announced on the night of December 22, 2021 that it would hold an emergency hearing on January 7, 2022 to review the OSHA ETS (in addition to a separate vaccination mandate for health-care workers).
As of the date of this writing, the OSHA ETS remains in effect subject to the revised dates noted above. It is unclear at this time what the outcome of the Supreme Court’s decision will be, but in the meantime, it has declined to put in place any temporary stay on the ETS until it hears arguments as scheduled on January 7th.
Banks should certainly take this into consideration in determining the extent to which they should be preparing for the possibility of having to comply with the vaccination or testing requirements. Some questions that the Bank may want to consider include:
- What is the Bank’s strategic plan if the ETS were to remain in effect?
- Who is leading this effort at the Bank? HR? Legal? Other?
- Which employees of the Bank would fall under the requirements?
- Will the Bank allow testing? If so, will the Bank pay for it?
- What will the Bank’s approach be for employees who do not want to get vaccinated or be subject to testing?
- What about employees who agree but skip a testing day?
- How will the Bank document testing status?
- How will it ensure proper confidentiality?
Compliance Alliance will continue to provide relevant updates as they arise. For any additional questions on the OSHA emergency temporary standard, feel free to contact us on the Hotline.