The Future of Financial Regulation
As a result of the recent election, the United States will soon have both an administration and Congress controlled by the Republican Party. The outcome of the election will likely result in changes to financial regulation; however, the true priorities and perspectives of the incoming Congress and President-elect are not yet clear. Some of the immediate questions are addressed below:
- Will there be changes to the regulatory agencies?
  - Congress has routinely called for changes to the structure of the Consumer Financial Protection Bureau (CFPB), the consumer protection watchdog agency established as a result of the 2010 Dodd-Frank Act, which operates currently under one director as opposed to a board or commission. Changes here are certainly possible.
  - The President-elect will have the opportunity to appoint new heads to several banking and securities regulatory agencies with like-minded views on regulation and supervision. The immediate impact of these changes, though, will take time to trickle down.
- How will rulemaking and existing regulations be impacted?
  - Much of the rulemaking associated with the Dodd-Frank Act is already complete. That said, the new Administration could impose a moratorium on any additional rules, including putting a freeze on rules that are proposed or finalized but not yet implemented. Any additional rulemaking will likely be subject to increased scrutiny.
  - While an outright repeal of the Dodd-Frank Act seems unlikely, certain provisions of the Act and rules implemented under the Act could face changes. Expect that any regulatory relief, however, will likely be weighed against the downside risks of public criticism regarding lax consumer protections that could be raised whenever a negative event occurs, such as the recent sales practices matter.
  - Additional consideration is likely to be given to the impact of regulation on smaller institutions and financial technology (fintech) firms.
- Does this mean that the pace of enforcement activity will slow down?
  - Enforcement activities, particularly those taken by the CFPB, may be more measured in the future, but financial institutions should continue to expect to face scrutiny on all fronts, including the prudential banking and securities regulators, the Department of Justice, the Federal Trade Commission and state agencies.
  - In general, enforcement activity is largely event-driven and can be consumer-/market-driven as well, so it is reasonable to expect that situations with extensive consumer impact will continue to be subject to regulatory scrutiny and enforcement.
Future releases of the Compliance Insights newsletter will address any developments as they continue to unfold. Financial institutions should monitor these developments and assess the potential impacts on their businesses, while continuing to manage their legal and regulatory risks as they do now.
CFPB Finalizes New Prepaid Rule
In October 2016, the CFPB finalized a rule that significantly changes the regulatory environment for financial institutions offering prepaid accounts. The new rule provides stronger protections for consumers of prepaid accounts, including new protections for “hybrid” prepaid cards that contain credit features. The new rule culminates years of CFPB inquiry into prepaid accounts and concerns related to potentially unfair, deceptive or abusive acts or practices, given that the use of, and volume of funds stored on, prepaid accounts have grown substantially in recent years. The number of complaints about fees and the resolution of issues such as unauthorized transactions has also increased. Concerns also remain that certain consumers may use such accounts in lieu of traditional deposit accounts, though prepaid accounts are not necessarily insured by the Federal Deposit Insurance Corporation or subject to the same types of protections as insured deposit accounts.
Highlights of the final rule include:
- What’s Covered? Under the rule, a “prepaid account” includes traditional physical prepaid cards, including general-purpose reloadable cards and non-reloadable cards, but excluding gift cards and certificates (these are covered by separate regulatory requirements). It includes payroll cards, student financial aid disbursement cards, tax refund cards, and certain federal, state, and local government benefit cards such as those used to distribute unemployment insurance and child support. It also includes mobile wallets, person-to-person payment products, and other electronic prepaid accounts (with or without a physical access device) that can store funds.
- Disclosures Required. The rule requires prepaid account issuers to post account agreements publicly online and to submit these agreements to the CFPB. Issuers must provide prospective customers a “short form” and/or “long form” disclosure prior to the point at which a customer acquires a new account, depending on the manner in which the account is opened. Prepaid cards must be issued with certain disclosures on and with the card itself. The primary intent of the disclosures is to provide descriptions of relevant fees, key terms, and other information that enable consumers to compare the prepaid account product to others in the market.
- Extension of Error Resolution Requirements. Consumers will be afforded the opportunity under the new rule to assert errors related to transactions on their prepaid accounts, similar to current requirements for electronic funds transfers (EFTs) associated with traditional deposit accounts. Prepaid account issuers will be subject to similar requirements related to conducting a thorough and timely investigation, and providing provisional credit to consumers during the investigation when warranted.
- New Credit-Related Protections. A “hybrid” prepaid account refers to one that contains an overdraft credit feature. Under the new rule, prepaid account issuers will be required to provide certain disclosures under the CFPB’s Regulation Z (which applies to consumer credit), adhere to certain “cooling off” periods before selling the feature on the account, determine the consumer’s ability to repay, and provide a minimum repayment term to the customer.
Though the majority of the new requirements are effective in October 2017, financial institutions that offer prepaid accounts should begin evaluating the impacts of these changes to their current prepaid account program offerings and determine the nature and extent of the operational changes necessary to support the new requirements.
FinCEN Advises on Reporting Cybersecurity Issues Through SARs
In October 2016, the Financial Crimes Enforcement Network (FinCEN) published an advisory and FAQs designed to assist financial institutions in fulfilling their Bank Secrecy Act (BSA) obligations regarding the reporting of suspicious activities related to cybersecurity issues. FinCEN’s advisory follows former FinCEN director Jennifer Shasky’s comments made last year reminding financial institutions to include cyber-related information in suspicious activity reports (SARs), and dovetails with the June 2015 launch of the Federal Financial Institutions Examination Council’s (FFIEC) Cyber Assessment Tool (CAT). FinCEN indicates that its advisory does not change existing anti-money laundering (AML) requirements or other obligations for financial institutions, but instead serves as a clear indication that regulators expect financial institutions to monitor and report potentially suspicious cyber activities.
Key terms defined within FinCEN’s advisory are as follows:
- Cyber Event. An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.
- Cyber-Enabled Crime. Illegal activities carried out or facilitated by electronic systems and devices, such as networks and computers.
- Cyber-Enabled Information. Information that describes technical details of electronic activity and behavior, such as internet protocol (IP) addresses, timestamps, and indicators of compromise (IOCs), which are artifacts in a network or operating system indicating an intrusion. Cyber-related information also includes, but is not limited to, data regarding the digital footprint of individuals and their behavior.
The advisory states that suspicious activity reporting is required for cyber events when a financial institution knows, suspects, or has reason to suspect that a cyber event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or series of transactions.
FinCEN provides examples to help clarify the types of information that should be reported through a SAR, some of which may fall outside the norm of what is required to be reported. For instance, Distributed Denial of Service (DDoS) attacks, events where numerous compromised systems attack a single targeted system causing denial of service for intended users, have traditionally been treated as non-reportable events; however, the advisory makes clear that a SAR should be filed if the attack “prevented or distracted” cybersecurity. When determining whether or not to file a SAR on cyber events, FinCEN suggests that financial institutions consider all relevant information related to the event, including the nature of the attack and the information and systems targeted. Further, the advisory includes examples of the types of cyber-related information that should be included in SARs, including, but not limited to: a description and the magnitude of the event; the known or suspected time, location and characteristics of the event; IOCs; relevant IP addresses with timestamps; and methodologies used.
To help support quality SAR filings, the advisory emphasizes the importance of, and encourages, information sharing among a financial institution’s various internal operational units, such as BSA/AML, information technology, cybersecurity and fraud, to help identify, better understand and report on cyber threats. The advisory also highlights the statutory safe harbors under Section 314(b) of the USA PATRIOT Act available to financial institution participants to securely share cyber-related information regarding individuals, entities, organizations, and countries.
Financial institutions already view cybersecurity as a priority, but should take steps to ensure that cybersecurity is incorporated into their suspicious activity monitoring efforts. In response to the advisory, financial institutions should review SAR filing and related training protocols, enhance collaboration among operational units, and review data aggregation and information sharing methodologies. Overcoming the challenge of enhancing connectivity and sharing information among units may prove difficult for institutions, particularly smaller sized ones, which outsource cybersecurity functions. These efforts will not only assist financial institutions in staying abreast of existing and imminent cyber-related regulations, but will also assist law enforcement in their current efforts to fight financial crime.
OCC Issues Guidance on Foreign Correspondent Banking Risks
In October 2016, the Office of the Comptroller of the Currency (OCC) published guidance on the periodic risk re-evaluation of foreign correspondent banking, which is applicable to all OCC-supervised national banks that maintain these relationships. The OCC advises these financial institutions to routinely re-evaluate foreign correspondent banking portfolios. The OCC’s guidance follows the issuance of a progress report published by the Financial Stability Board (FSB) to assess and address the decline in foreign correspondent banking, as well as the issuance of a joint fact sheet by the Department of the Treasury and the federal banking agencies on foreign correspondent banking.
Foreign correspondent banking relationships involve a domestic financial institution processing transactions for customers of a foreign financial institution (the respondent bank). Foreign correspondent banking relationships serve as a primary avenue for businesses in developing countries and emerging economies to access international trade and investment through cross-border payments and settlements. Thomas J. Curry, the U.S. Comptroller of the Currency, spoke out on de-risking in September 2016 and indicated new guidance was forthcoming to encourage firms to re-evaluate their risk profiles rather than pursue a policy of de-risking.
The flight to de-risk by way of exiting foreign correspondent banking relationships brings with it significant financial concerns and challenges to the global financial community. If the trend to reduce foreign correspondent banking relationships continues, an increasing number of legitimate users of the financial system in developing regions may find it more difficult to access U.S. dollars, which in turn may marginalize the poorest of populations by restricting access to investments. Financial trade may be redirected toward non-U.S. dollars, reducing the allure of the dollar, but more importantly undermining financial transparency as legitimate financial transactions may be redirected to unregulated means of transferring cash. It remains to be seen whether the OCC’s recent guidance will have any meaningful impact on de-risking.
The OCC guidance emphasizes the importance of ongoing monitoring and taking a proactive approach to address inherent risks in maintaining foreign correspondent banking relationships. The OCC presents three primary practices for banks to consider when performing periodic risk re-evaluations:
- Defining processes to help ensure that risk re-evaluations are conducted on a periodic basis and informing foreign correspondent banking risk management practices.
- Implementing procedures to perform re-evaluations on an ongoing basis and making accounts closure decisions.
- Ensuring decisions to terminate or retain accounts are well-informed and derived from risk re-evaluations.
Additionally, the OCC’s guidance highlights best practices for account retention and termination recommendations. Specifically, the OCC suggests that financial institutions establish governance functions to review methods used to perform risk re-evaluations and the appropriateness of account closures and retention recommendations, ensure supporting rationale and analyses are documented, and enhance communication with foreign financial institutions to better understand their inherent risks and control environment.
Banks must consider and apply the OCC’s guidance to their own programs, and vary their approaches based on the size, nature and risk profile of their institution. Although the OCC’s guidance suggests that banks should establish procedures to address ongoing due diligence, firms are still struggling to understand to what extent they are expected to know your customers’ customer (KYCC), a term used to describe due diligence of customers of a respondent bank in a correspondent banking relationship. Banks should review methodologies used to onboard foreign correspondent banks, establish processes to perform risk re-evaluations, and develop more robust oversight practices in the customer maintenance processes to allow for more informed termination and retention decision-making.
First Wave of Department of Labor Fiduciary Rule Guidance Released
In October 2016, the Department of Labor (DOL) released the first in a series of frequently asked questions (FAQs) to provide guidance on the implementation of the requirements of its Fiduciary Rule issued in April 2016. The rule was issued as an investor protection measure to identify, eliminate and mitigate conflicts of interest potentially influencing investment advisers who might otherwise provide advice not aligned with the best interest of their clients.
The new rule modifies and expands the current definition of investment advice established under the Employee Retirement Income Security Act (ERISA) and Section 4975 of the Internal Revenue Code, and begins to take effect in April 2017, with a full compliance deadline in January 2018.
The new rule redefines how retirement investment advice is communicated to investors, what constitutes investment advice, how and when adviser relationships are established, and how adviser compensation on products and services is earned. Certain adviser conduct is now expected to meet fiduciary standards, which require recommendations to be impartial and investment advice to serve investors’ best interests. Accordingly, broker-dealers and financial institutions across the retirement industry are re-evaluating business lines, developing strategies, and implementing oversight and compliance monitoring programs to align with the new requirements.
Substantively, the FAQs address the following major points:
- Identifying the applicability of the best interest contract (BIC) exemption, which relieves the adviser and firm from the obligations of the new rule through an agreement between the firm and the client that binds the adviser to act in their client’s best interest. The BIC exemption applies under a variety of circumstances, including Investment Retirement Accounts (IRAs) and rollovers.
- Recognizing that “robo-advice” does not require the use of a BIC exemption, so long as the investment advice was communicated exclusively through a technology platform and without any personal interaction with an adviser.
- Establishing adviser compensation structures that avoid incentivizing advisers to recommend investment strategies that are not in clients’ best interests.
- Prohibiting signing bonuses linked to performance targets.
- Confirming that both the BIC exemption and another prohibited transactions exemption (PTE 84-24, an exemption to certain prohibited transaction provisions under ERISA) allow fiduciaries to receive commissions on certain annuities, including IRAs, under certain conditions.
While additional FAQs are anticipated to be released by the DOL, broker-dealers and financial institutions across the retirement industry should not wait to begin planning and developing internal controls platforms to help ensure compliance with the DOL’s new rule. With fewer than six months until fiduciary standards begin to take effect, the DOL has indicated its focus on supporting firms “working diligently and in good faith” to achieve compliance instead of enforcement. Recognizing the complexity and length of the new rule, firms and advisers continue to analyze and understand the full impact across the industry. Further clarity and insight on compliance with the new rule is expected in the next few months leading up to implementation deadlines.
It is important to note that this newsletter is provided for general information purposes only and is not intended to serve as legal analysis or advice. Companies should seek the advice of legal counsel or other appropriate advisers on specific questions and practices as they relate to their unique circumstances.