Financial services is perhaps the most regulated industry in the world, and the intersection between financial services, technology, and law remains a complicated and evolving space. A team of Morgan Lewis lawyers recently attended the 2023 Money 20/20 conference and previewed some major themes and trends that the industry can expect in 2024.
The Board of Governors of the Federal Reserve System (Federal Reserve) took another tepid step into the digital asset space on August 8, announcing that it has established a program to “enhance the supervision of novel activities conducted by banking organizations supervised” by the Federal Reserve. In addition, the Federal Reserve issued guidance explaining the supervisory nonobjection process for state member banks “seeking to engage in certain activities involving tokens denominated in national currencies and issued using distributed ledger technology or similar technologies to facilitate payments.”
The Federal Deposit Insurance Corporation (FDIC) continued the federal banking agencies' focus on uninsured deposits, shown over the last several months and especially since the March 2023 failure of Silicon Valley Bank (SVB) and associated events, when it issued a Financial Institution Letter (FIL), Estimated Uninsured Deposits Reporting Expectations, on July 24, 2023.
The Consumer Financial Protection Bureau (CFPB) recently issued a notice of proposed rulemaking to amend Regulation Z (the Proposal), which implements the Truth in Lending Act (TILA), to better ensure that late fees charged on credit card accounts are “reasonable and proportional” to late payments as required under the Credit Card Accountability and Disclosure Act of 2009 (Card Act).
For the second time in a month, the Consumer Financial Protection Bureau (CFPB) has proposed a new rule that would require businesses to report already public information and thereby increase the burdens on, and risks to, the nonbank financial services industry, which may ultimately increase costs to consumers or slow the proliferation of new products that benefit consumers.
The FDIC Board of Directors issued a proposal on December 13 amending and updating the rules regarding the use of the official FDIC sign and advertising statements to better reflect the modern consumer banking landscape. As noted in a memorandum from the FDIC staff, the update is also meant to address the growth of the fintech sector and partnerships between banks and fintechs. The proposed rule also seeks to clarify instances when FDIC deposit insurance coverage is being misrepresented to consumers.
On January 5, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a report detailing consumer complaint deficiencies by the national credit reporting agencies (NCRAs). Specifically, the CFPB found that, in 2021, the NCRAs together reported relief in response to less than 2% of covered complaints, down from nearly 25% of covered complaints in 2019. The CFPB noted three fact patterns believed to lead to inaccurate consumer credit reporting and thus potentially the denial of credit or offer of credit on less favorable terms.
The three federal banking agencies (i.e., the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency—collectively, the Agencies) published a final rule (the Rule) on November 23, 2021, requiring “banking organizations” to notify their primary federal regulator within 36 hours in the event of certain types of computer-security incidents. The Rule separately requires “bank service providers” to notify banking organization customers as soon as possible in the event of any incident that has materially affected, or is reasonably likely to materially affect, those customers for four or more hours.
As highlighted previously, three federal banking agencies (the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency) recently issued proposed risk management guidance regarding third-party relationships (Proposed Guidance). Among other things, the Proposed Guidance specifies that banking organizations should adopt third-party risk management processes that are commensurate with the identified level of risk and complexity from the third-party relationships, and with the organizational structure of each banking organization.
The Proposed Guidance also identifies principles that are applicable to each stage of the third-party risk management life cycle, including: (1) developing a plan that outlines the banking organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the banking organization will identify, assess, select, and oversee the third party; (2) performing proper due diligence in selecting a third party; (3) negotiating written contracts that articulate the rights and responsibilities of all parties; (4) having the board of directors and management oversee the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews; (5) conducting ongoing monitoring of the third party’s activities and performance; and (6) developing contingency plans for terminating the relationship in an effective manner. The Proposed Guidance provides extensive details on all of the above-identified principles.