Your monthly compliance news roundup
The House Financial Services Committee is making a focused effort at reforming the United States’ Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulatory regime. In March, the committee released three proposed bills related to BSA/AML reform, and two other pieces of BSA/AML-related legislation have already passed the House of Representatives and now rest with the Senate Committee on Banking, Housing, and Urban Affairs. We summarize the proposed legislation below, starting with the three proposed bills that were released in March:
- Reforms to the Federal Bank Secrecy Act. Entitled “To make reforms to the Federal Bank Secrecy Act and anti-money laundering laws and for other purposes,” this draft legislation makes numerous reforms, none of which, individually, would appear particularly impactful. Collectively, the intent of the legislation is to “reform the structure, capabilities, and oversight of BSA/AML to keep pace with changing priorities, adapting threats, and new technologies.” Title I (Strengthening the Treasury) includes such varied initiatives as increasing the pay scale of FinCEN employees, establishing a mechanism for FinCEN outreach and education for financial institutions and non-financial institutions, and revising Treasury’s international attachés program by adding six additional liaisons to promote the adoption of U.S. AML and establish countering financing of terrorism (CFT) standards internationally. Title I would also require that each of the financial regulatory agencies, including Treasury, appoint a civil liberties and privacy officer to provide oversight of civil liberties concerns that may arise with the availability of personally identifiable financial information and increased use of technology. Title II (Improving AML-CFT Oversight) focuses more on enforcement and collaboration and proposes, among other things, applying BSA/AML requirements to the arts and antiquities industry; permitting the sharing of suspicious activity reports with an institution’s foreign branches, subsidiaries, and affiliates; and facilitating the sharing of BSA/AML resources, as initially encouraged by the Interagency Statement on Sharing BSA Resources, released in October 2018. Title II would also establish whistleblower incentives for original information leading to a covered judicial or administrative action.
Lastly, Title III (Modernizing the AML System) is entirely focused on encouraging innovation in BSA compliance, as discussed in the Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing (Joint Statement), issued in December 2018. Title III would codify the establishment of BSA-related innovation labs within each regulator, as required by the Joint Statement, and allows the Secretary of the Treasury to provide exemptions to BSA/AML requirements, if necessary, to facilitate the testing and potential use of new technologies and innovations.
- Corporate Transparency Act of 2019. The primary purpose of the Corporate Transparency Act of 2019 is to facilitate the collection of beneficial ownership information by requiring applicants requesting to form a corporation or limited liability company under the laws of a state to file a report with FinCEN containing specified beneficial ownership information. Currently, no U.S. state requires companies to disclose their beneficial ownership at the time of formation and such anonymity is considered by many to be an obstacle in the fight against financial crime. The data would be maintained within a private FinCEN database which would only be available to law enforcement and to financial institutions, with customer consent.
- Kleptocracy Asset Recovery Rewards Act. The purpose of the proposed Kleptocracy Asset Recovery Rewards Act legislation is to authorize the Secretary of the Treasury to pay rewards to help identify assets in U.S. financial institutions that are linked to foreign corruption, in order to facilitate the recovery and return of those assets. According to the bill, developing countries lose $20 billion to $40 billion annually to corruption, which leaves fewer resources for such countries to devote to building strong financial, law enforcement, and judicial institutions to aid in the fight against the financing of terrorism.
In addition to these proposed bills released by the House Financial Services Committee in March, two other pieces of legislation impacting the BSA/AML landscape have been passed by the full House of Representatives and are now under review in the Senate:
- FinCEN Improvement Act of 2019. The purpose of the FinCEN Improvement Act, as set forth within the preamble to the bill, is to ensure FinCEN works with tribal law enforcement agencies; protects against all forms of terrorism, including domestic terrorism; and focuses on emerging technologies such as virtual currencies.
- Cooperate with Law Enforcement Agencies and Watch Act. The Cooperate with Law Enforcement Agencies and Watch Act has the specific purpose of granting safe harbor from liability to financial institutions that are maintaining a customer account pursuant to a written request from a federal, state, tribal or local law enforcement agency.
The proposed legislation described above addresses a wide variety of potential gaps within the United States BSA/AML regulatory and enforcement framework. While none of the legislative proposals appear to create a significant regulatory burden on financial institutions, they provide a good indication of the types of concerns that Congress, law enforcement and the regulatory agencies have been contemplating. There appears to be bipartisan support for at least these reforms; however, it is difficult to gauge whether these bills would progress in the current Congress. We recommend that financial institutions continue to monitor developments in Washington to ensure their long-term outlook on BSA/AML compliance is well informed.
In April 2019, the Federal Trade Commission (FTC) issued two proposed rules for the purpose of amending its two privacy-related regulations issued pursuant to the Gramm-Leach-Bliley Act (GLBA). The regulations targeted for revision include the FTC’s Standards for Safeguarding Customer Information (Safeguards Rule, 16 CFR Part 314) and the Privacy of Consumer Financial Information Rule Under the Gramm-Leach-Bliley Act (Privacy Rule, 16 CFR Part 313). According to a press release, the proposed changes to the Safeguards Rule are designed to keep up with marketplace trends and respond to technological developments, while the proposed changes to the Privacy Rule are primarily directed toward updating the regulation for past statutory changes regarding applicability and the delivery of annual privacy notices. Financial institutions may comment on the proposed rule until June 3, 2019.
Although both regulations are issued by the FTC, they apply to different groups of financial institutions. The Safeguards Rule applies to all financial institutions over which the FTC has rulemaking authority pursuant to Section 501(b) of the GLBA. Effectively, this includes all financial institutions that are not otherwise subject to the enforcement authority of another federal regulatory agency and includes entities such as mortgage lenders, finance companies, check cashers and similar entities. It also applies to non-federally insured credit unions. Although the Privacy Rule was initially established with the same applicability as the Safeguards Rule, its applicability was modified by the Dodd-Frank Act, which transferred substantially all rulemaking authority for Section 501(a) of the GLBA to the Consumer Financial Protection Bureau (CFPB). As a result, the FTC’s Privacy Rule applies only to entities that are predominantly engaged in the sale and servicing or sale and leasing of motor vehicles. A summary of each of the proposed rule changes is provided below:
Safeguards Rule: The purpose of the Safeguards Rule, as stated in the current version of the regulation, is to “set forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” When the FTC issued its original rule in 2002, it provided only general requirements and guidance on establishing an information security program. The FTC’s proposal indicates that the agency now believes it is important to provide more specific requirements and that this will benefit financial institutions by providing them more certainty in developing their information security programs. With respect to the changes, they are based primarily on the cybersecurity regulations issued by the New York Department of Financial Services (23 NYCRR 500) and the insurance data security model law issued by the National Association of Insurance Commissioners. In addition to providing more detailed requirements for establishing an information security program, the proposed rule also exempts small businesses from certain requirements and expands the applicability of the rule to include entities engaged in activities determined by the Federal Reserve Board to be incidental to financial activities.
Privacy Rule: The FTC’s Privacy Rule generally requires a financial institution to inform customers about its information sharing practices and allows customers to opt out of having their information shared with certain third parties. The FTC’s proposal contains the following modifications to the current rule:
- Modifies the scope of the regulation by removing references that do not apply to motor vehicle dealers;
- Modifies the annual privacy notice requirement to reflect the changes made to the GLBA by Section 75001 of the Fixing America’s Surface Transportation Act (FAST Act), which provided an exception to the annual privacy notice disclosure requirement for financial institutions whose information sharing practices do not require providing a customer opt-out and that have not changed their information sharing policies or practices from what was disclosed in their most recent annual privacy disclosure; and
- Updates the scope and definition of the term “financial institution” to include entities that are engaged in activities that are incidental to financial activities, which primarily brings “finders,” or companies that connect consumers with lenders, within the scope of the rule.
For financial institutions subject to the FTC’s Safeguards Rule, the proposed changes are likely to have a substantive impact on their information security programs. Financial institutions should review the proposed changes in detail, evaluate the degree to which those changes will impact their current information security programs, and consider the steps they should take now to be best positioned to revise their programs when the final rule is issued. Consideration may also be given to performing a gap analysis between the existing GLBA controls and the proposed requirements. Any gaps in the program identified by this review may then be prioritized, allowing the board of directors and management to be better prepared for potential impacts to the business. There is a reduced urgency with respect to the proposed changes to the Privacy Rule and institutions may wish to wait for the final rule before taking further action.
Private Education Loan Borrowers Find Relief in the Economic Growth, Regulatory Relief, and Consumer Protection Act
According to the Quarterly Report on Household Debt and Credit, student loan debt continues to rise, reaching over $1.46 trillion as of fiscal year end 2018. This debt consists of both federal and private student loans and the levels of delinquency and default are increasing for both types. Unfortunately, private student loan borrowers have not previously been eligible for many of the benefits and protections offered to federal student loan borrowers under Title IV of the Higher Education Act. These include income-driven repayment plans, loan forgiveness and rehabilitation loan programs. However, the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA or the Act), which was signed into law on May 24, 2018, is beginning to level the playing field by establishing a rehabilitation loan program for private student loan borrowers and creating certain protections for private student loans involving cosigners.
Section 602 of the EGRRCPA amends the Fair Credit Reporting Act to allow financial institutions to offer a loan rehabilitation program to private education loan borrowers. The new provision allows financial institutions that choose to offer such a program to remove a reported default of a private education loan from a consumer report, upon a consumer’s request, without it being considered inaccurate. In order to do so, the loan rehabilitation program must require a consumer to make consecutive on-time monthly payments in a number that demonstrates, in the assessment of the financial institution, a renewed ability and willingness to repay the loan. The rehabilitation benefits may be utilized once per loan. The Act does not require lenders to offer Section 602 Rehabilitation Programs; however, lenders that offer an approved 602 Rehabilitation Program are entitled to a safe harbor from claims of inaccurate reporting for removing a defaulted loan. The EGRRCPA requires financial institutions supervised by a federal banking agency to seek the agency’s written approval concerning the terms and conditions of the loan rehabilitation program.
In December 2018, the Office of the Comptroller of the Currency (OCC) released Bulletin 2018-48, Statement of Programs for Rehabilitation of Private Education Loans (the Bulletin), which outlines the OCC’s process for approving Section 602 Rehabilitation Programs. The Bulletin states that the OCC will review an institution’s program to assess whether it includes Section 602’s requirements and that feedback will be provided within 120 days of the request, as mandated by the EGRRCPA. The Bulletin also states that if the request is denied, the OCC will notify the bank in writing of the reasons for its decision. A similar communication was jointly issued by the Board of Governors of the Federal Reserve (SR 19-2) and the Federal Deposit Insurance Corporation (FIL-5-2019) on February 4, 2019.
An additional protection for private education loans was established by Section 601 of the EGRRCPA. Section 601 amended the Truth in Lending Act to prohibit the holder of a private education loan from declaring a loan in default or accelerating the debt against a student obligor on the sole basis of the bankruptcy or death of a cosigner. Section 601 also adds protections for cosigners by requiring the holder of a private education loan to release any cosigner from their obligations under a private education loan when notified of the death of a student obligor. Both protections are only available on private education loan agreements entered into 180 days or more after enactment of the EGRRCPA.
Financial institutions that offer Section 602 Rehabilitation Programs should ensure that borrowers understand the requirements of the program and clearly communicate the requirements which must be met to remove the default from the consumer’s credit report. Financial institutions should implement monitoring programs to facilitate compliance of their Section 602 Rehabilitation Program with applicable laws, regulations, and safe and sound banking principles. Financial institutions must implement effective processes that would allow timely notification to the credit reporting agencies once borrowers successfully complete the program. With respect to the cosigner-related protections, institutions should review their private education loan agreements to ensure they comply with the new restrictions and should modify loan servicing procedures to ensure compliance with these revisions.
On March 6, 2019, the Federal Financial Institutions Examination Council (FFIEC) continued efforts related to its Examination Modernization Project by issuing a Policy Statement on the Report of Examination (New Policy Statement) designed to enhance the consistency and clarity of information in regulatory reports. The FFIEC, which was established in 1979 to promote uniformity in supervisory matters, views the Report of Examination (ROE) as a key method of communication with financial institutions and believes that the ROE should evolve to address changes in the supervision process, advances in technology, changes within the banking industry, and industry feedback. In support of this objective, the New Policy Statement establishes a set of principles that should apply to all ROEs, which was agreed to by FFIEC members consisting of the Federal Reserve Board (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB).
Prior to the issuance of the New Policy Statement, ROEs were prepared in accordance with the 1993 Interagency Policy Statement on the Uniform Core Report of Examination (1993 Policy Statement). The 1993 Policy Statement, which was rescinded upon issuance of the New Policy Statement, provided for three broad categories of pages to be included in each ROE: (1) a mandatory core section documenting key findings and conclusions, (2) an optional core section to provide greater context and support for previously documented findings and conclusions, and (3) a supplemental section to allow for additional information required by the different regulatory agencies. In contrast to this format-based approach, the FFIEC has determined that a principles-based approach would better achieve its goals of promoting transparency and consistency in the examination process while still affording agencies the flexibility to tailor individual ROEs to best document conclusions unique to each institution.
The list of principles that should apply to all ROEs includes:
- High-level information to identify the institution;
- A confidentiality disclosure for information contained in the ROE;
- Clear narrative and key data to support discussions surrounding the financial institution’s condition and risk profile, the adequacy of risk management practices, and issues that are of supervisory concern or warrant corrective action; and
- A request to all board members to sign and acknowledge receipt and review of the ROE.
Of note, the length and order of narratives are stressed, with areas of the highest supervisory concern expected to be the most detailed and identified concerns presented in order of importance.
Although the New Policy Statement does not alter the risk environment in which financial institutions operate or directly impact the examination process for institutions, it does provide further evidence of the recent regulatory emphasis on streamlining examinations and ensuring the utilization of risk-based approaches. When reviewing ROEs and crafting any necessary responses or remedial actions, financial institutions should keep in mind the principles noted in the Policy Statement and allocate resources as necessary to optimize corrective actions.