On December 4, President Obama signed into law H.R. 22, the “Fixing America’s Surface Transportation Act” (FAST Act). Although a transportation bill on its surface, the bill also contains various provisions that are intended to provide regulatory relief to community banks and improve the efficiency of state financial regulation. Significant provisions in the bill include: (i) establishing a process that allows parties, including banks and other stakeholders, to petition the CFPB for “rural” or “underserved” designations in certain areas for the purposes of the CFPB’s ability-to-repay rule; (ii) expanding the CFPB’s ability to exempt creditors serving rural or underserved areas from escrow requirements; (iii) granting greater flexibility to the CFPB with regard to treating a balloon loan as a qualified mortgage, if a community bank or creditor operating in a rural or underserved area extended the loan; (iv) increasing the threshold for 18-month exam cycles for well-capitalized banks from $500 million to $1 billion; and (v) authorizing the Nationwide Mortgage Licensing System – which state regulators use to license various nonbank financial services industries, such as money transmitters, payday lenders, and debt collectors – to process background checks for non-mortgage license applicants.
On May 7, the CFPB issued a proposed rule that would provide financial institutions an alternative method for delivering annual privacy notices. The Gramm-Leach-Bliley Act (GLBA) and Regulation P require financial institutions to, among other things, provide annual privacy notices to customers—either in writing or electronically with consumer consent. Industry generally has criticized the current annual notice requirement as ineffective and burdensome, with most financial institutions providing the notices by U.S. postal mail. The proposed rule would allow financial institutions, under certain circumstances, to comply with the GLBA annual privacy notice delivery requirements by (i) continuously posting the notice in a clear and conspicuous manner on a page of their websites, without requiring a login or similar steps to access the notice; and (ii) mailing the notices promptly to customers who request them by phone.
Recently, the CFTC’s Division of Swaps Oversight issued Staff Advisory No. 14-21, which recommends best practices for CFTC-regulated intermediaries to comply with applicable Gramm-Leach-Bliley (GLB) Act privacy requirements, consistent with the Division’s intention to focus more resources on GLB privacy compliance. The advisory states that its recommendations are generally consistent with guidelines and regulations issued by other federal financial regulators, and the majority of the specific best practices are supported with references to prior rules and guidance. A number of the best practices cite the Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Year 2000 Standards for Safety and Soundness and a parallel FTC rule. Notably, several of the recommendations rely on a rule that the SEC proposed in 2008 but has not yet finalized. For example, the CFTC recommends, based on that SEC proposal and the Interagency Guidelines, that covered entities establish a breach investigation and notice process to alert potentially impacted individuals and to notify the CFTC. In addition, without referencing any other federal rule or guidance, the Staff Advisory recommends that covered entities engage an independent party at least once every two years to test and monitor the safeguards’ controls, systems, policies and procedures, maintaining written records of the effectiveness of the controls.
Federal Reserve Board Proposes To Repeal Duplicative Regulations, Amend Identity Theft Red Flags Rule
On February 12, the Federal Reserve Board proposed to repeal its Regulation DD, which implements the TISA, and Regulation P, which implements Section 504 of the GLBA, because the Dodd-Frank Act transferred rulemaking authority for those laws to the CFPB, and the CFPB has already issued interim final rules implementing them. The Board also proposed to amend the definition of “creditor” in its Identity Theft Red Flags rule, which implements Section 615 of the FCRA. Generally, the Identity Theft Red Flags rule requires each financial institution and creditor that holds any consumer account to develop and implement an identity theft prevention program. The proposed revision will exclude from the foregoing requirements businesses that do not regularly and in the ordinary course of business (i) obtain or use consumer reports in connection with a credit transaction; (ii) furnish information to consumer reporting agencies in connection with a credit transaction; or (iii) advance funds to or on behalf of a person. The Board will accept comments on the proposal for 60 days from publication in the Federal Register.