Weekly RoundUp
July 16, 2020

Financial Services Weekly Roundup: Gone Phishing – The SEC’s OCIE Addresses Ransomware Attacks

In This Issue. The Securities and Exchange Commission (SEC) adopted amendments to its exemptive applications procedures under the Investment Company Act of 1940, as amended (the 1940 Act) and proposed to amend Form 13F to update the reporting threshold for institutional investment managers and make other targeted changes; the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert setting forth its observations of measures used by registrants to address ransomware attacks in the wake of reports of orchestrated phishing and other campaigns; the Small Business Administration (SBA) provided guidance on Paycheck Protection Program (PPP) Form 1502 reporting; the Consumer Financial Protection Bureau (CFPB) issued a final rule on small dollar lending, proposed a rule regarding escrow exemptions on certain high-priced mortgage loans and published its Spring 2020 Rulemaking Agenda; the Office of the Comptroller of the Currency (OCC) published its Semiannual Risk Perspective for Spring 2020, highlighting key risks for the federal banking system; the Federal Deposit Insurance Corporation (FDIC) and Board of Governors of the Federal Reserve System (Federal Reserve) provided information to the eight largest and most complex domestic banking organizations that will guide their next resolution plans, which are due by July 1, 2021; and the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement regarding risk management by financial institutions for the expected discontinuation of the London Interbank Offered Rate (LIBOR) reference rate. These and other developments are discussed in more detail below.

We also invite you to visit Goodwin’s Coronavirus Knowledge Center and Consumer Financial Services Industry COVID-19 Hub, which are updated regularly, to learn how cross-industry teams at Goodwin are helping clients to fully understand and assess the ramifications of COVID-19, navigate the potential effects of the outbreak on their businesses and evaluate whether and how to safely reopen.

Regulatory Developments

SEC Adopts Amendments to Exemptive Applications Procedures

On July 6, the SEC adopted: (i) amendments to Rule 0-5 under the 1940 Act to establish an expedited review procedure for routine exemptive and other applications that are substantially identical to recent precedent; and (ii) new SEC Rule of Practice 202.13, which establishes a new informal internal procedure for applications that would not otherwise qualify for expedited review.

To take advantage of the new expedited review process under amended Rule 0-5, an applicant must:

  • file an application that is substantially identical to two other applications for which an order granting the relief has been issued within three years of the date of the application’s initial filing; and
  • respond to SEC staff comments on the application within 30 days, otherwise the application will be deemed withdrawn.

If the new requirements under amended Rule 0-5 are followed, notice for the application will be issued no later than 45 days from the date of filing, unless the application is not eligible under other SEC rules or additional time is necessary for appropriate SEC staff consideration. Further, under amended Rule 0-5, an application outside of expedited review will be deemed withdrawn if the applicant does not respond to comments from SEC staff within 120 days.

For applications that do not qualify for expedited review, SEC Rule of Practice 202.13 establishes an internal timeframe for the SEC staff to take action on applications within 90 days of the initial filing and each of the first three amendments thereto, and within 60 days of any subsequent amendment.

These new procedures will become effective 270 days following their publication in the Federal Register.

SEC Proposes Amendments to Update Form 13F for Institutional Investment Managers; Amend Reporting Threshold

On July 10, the SEC announced proposed amendments to update the reporting threshold for Form 13F reports by institutional investment managers for the first time in 45 years, raising the reporting threshold from $100 million to $3.5 billion to reflect the change in size and structure of the U.S. equities market since 1975, when Congress adopted the requirement for these managers to file holdings reports with the SEC. Form 13F requires larger institutional managers to provide the SEC with data about their investment activities and holdings, so that their influence and impact could be considered in maintaining fair and orderly securities markets. The new threshold, reflecting proportionally the same market value of U.S. equities that $100 million represented in 1975 when the form was originally adopted, would retain disclosure of over 90% of the dollar value of the holdings data currently reported while eliminating the Form 13F filing requirement and its attendant costs for the nearly 90% of filers who are smaller managers.

The proposal includes specific requests for comment on the proposed threshold and whether an alternative method to adjust the threshold should be considered, as well as on the estimates of the burdens and costs to investment managers, particularly smaller managers, in preparing and filing Form 13F. The proposal would also direct the staff to review the Form 13F reporting threshold every five years and recommend an appropriate adjustment, if any, to the SEC. Additionally, the proposal would eliminate the ability of managers to omit certain small positions, thereby increasing the overall holdings information required from larger managers. It would further require managers to report more numerical identifiers to enhance the usability of the information provided on the form, and amend the instructions relating to requests for confidential treatment of Form 13F information. Comments to the proposed amendments must be submitted to the SEC within 60 days after publication in the Federal Register.

SEC’s OCIE Issues Risk Alert Regarding Cybersecurity: Ransomware Alert

On July 10, the SEC’s OCIE issued a Risk Alert in the wake of reports that one or more threat actors have orchestrated phishing and other campaigns designed to penetrate financial institution networks to, among other objectives, access internal resources and deploy ransomware, a type of malware designed to provide an unauthorized actor access to institutions’ systems and to deny the institutions use of those systems until a ransom is paid. In light of these cybersecurity threats, the OCIE encourages registrants, as well as other financial services market participants, to monitor the cybersecurity alerts published by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency, including the updated alert published on June 30, 2020 relating to recent ransomware attacks.

The OCIE staff set forth its observations of measures used by registrants to address ransomware attacks. These measures include: (i) incident response and resiliency policies and procedures, such as contingency and disaster recovery plans, which are assessed, tested and periodically updated; (ii) determining operational resiliency, i.e., determining which systems and processes are capable of being restored during a disruption so that business services can continue to be delivered; (iii) providing specific cybersecurity and resiliency training, and considering undertaking phishing exercises to help employees identify phishing emails and heighten awareness of cyber threats such as ransomware; (iv) implementing proactive vulnerability and patch management programs that take into consideration current risks to the technology environment, and that are conducted frequently and consistently across the technology environment; and (v) implementing perimeter security capabilities (e.g., firewalls and intrusion detection systems) that are able to control, monitor and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic. The OCIE staff further encourages registrants to share this information with their third-party service providers, particularly with those that maintain client assets and records for registrants.

SBA Provides Guidance on PPP Form 1502 Reporting

On July 13, the SBA released a PPP procedural notice, which informs PPP lenders of the reporting process through which they will report on PPP loans and collect the processing fee on fully disbursed loans that they are eligible to receive. Specifically, the procedural notice provides guidance on the monthly Form 1502 reports that lenders must file on unpaid or unforgiven PPP loans. The report is due on the 15th of each month, or on the next business day after the 15th if it falls on a weekend or holiday. For this month only, the SBA provided a two-day grace period, making the first monthly filing deadline Friday, July 17.

CFPB Issues Final Rule on Small Dollar Lending

On July 7, the CFPB issued a final rule concerning small dollar lending that eliminates the mandatory underwriting provisions of the 2017 rule. However, the final rule maintains, without alteration, the payments provisions of the 2017 rule, which (1) prohibits lenders from making a new attempt to withdraw funds from an account where two consecutive attempts have failed, unless a consumer consents to further withdrawals and (2) requires lenders to provide consumers with written notice before making their first attempt to withdraw payment from consumers’ accounts and before subsequent attempts that involve different dates, amounts or payment channels.

The payments provisions of the small dollar lending rule include debit and prepaid cards, as the CFPB denied a petition to commence a rulemaking to otherwise exclude debit or prepaid cards from the rule. The CFPB also issued guidance, clarifying the payments provisions’ scope to assist lenders in their compliance, and announced that it will conduct research to identify information that could be disclosed to consumers during the small dollar lending process to allow them to make the most informed choices.

Although the payments provisions are currently stayed by court order, the CFPB released a ratification of the payment provisions, acknowledging the Supreme Court’s recent decision in Seila Law, and plans to have the payment provisions go into effect with a reasonable period for covered entities to come into compliance. The CFPB offered reassurance that it will continue to monitor the small dollar lending industry and enforce the law against bad actors and reminded interested parties about its recently issued No-Action Letter (NAL) Templates for insured depository institutions and credit unions to apply for an NAL covering small dollar credit products.

CFPB Issues Proposed Rule on Escrow Exemptions for Certain High-Priced Mortgage Loans

On July 2, the CFPB commenced its final mandatory rulemaking to implement the Economic Growth, Regulatory Relief, and Consumer Protection Act (EGRRCPA) and reduce costs associated with escrow requirements. The CFPB’s notice of proposed rulemaking amends Regulation Z’s higher-priced mortgage loan escrow requirement to exempt any loan made by an insured depository institution or insured credit union and secured by a first lien on the principal dwelling of a consumer if:

  • the institution has assets of $10 billion or less;
  • the institution and its affiliates originated 1,000 or fewer loans secured by a first lien on a principal dwelling during the preceding calendar year; and
  • certain other criteria are met.

CFPB Spring 2020 Rulemaking Agenda

On June 30, the CFPB published its Spring 2020 Rulemaking Agenda, the bureau’s semiannual update of its rulemaking agenda. The CFPB indicated that, because the planning process begins months before publication in the Federal Register, the CFPB set its goals before the COVID-19 pandemic emergency. In addition to previously announced rulemaking items, the CFPB plans to undertake the following key rulemaking initiatives during the remainder of 2020 through the spring of 2021:

  • Implementing Section 1071 of the Dodd-Frank Act, which amended the Equal Credit Opportunity Act to require, subject to rules prescribed by the CFPB, financial institutions to collect, report and make public certain information concerning credit applications made by women-owned, minority-owned and small businesses.
  • Two new rules under the Home Mortgage Disclosure Act (HMDA). One of these proposed rules follows up on a May 2019 advance notice of proposed rulemaking concerning certain data points that are reported under the 2015 HMDA rule and coverage of certain business or commercial purpose loans. The second addresses the public disclosure of HMDA data, in light of consumer privacy interests.
  • Final action with regard to the May 2019 proposed rule that would prescribe rules under Regulation F to govern the activities of debt collectors, as that term is defined under the Fair Debt Collection Practices Act.
  • A proposed rule recommending a new “seasoning” definition of a “qualified mortgage” (QM). This definition would create an alternative pathway to QM safe-harbor status for certain mortgages when the borrower has consistently made timely payments for a period.

OCC Report Highlights Risks Facing National Banks and Federal Savings Associations

On June 29, the OCC issued its Semiannual Risk Perspective for Spring 2020, which highlights the risks facing national banks and federal savings associations. The report presents data in four main areas: the operating environment, bank performance, special topics in emerging risk and trends around key risks. It focuses on issues that pose threats to those financial institutions regulated by the OCC and is intended as a resource to the industry, examiners and the public. The fallout from the COVID-19 pandemic figures prominently in the report, including risks relating to: (1) profitability impacted by higher credit losses (and related allowances), increasing overhead expenses and lower net interest income; (2) credit risk management stressed by high levels of unemployment and business closures; (3) operational, compliance and business continuity risks arising from new processes and procedures, including remote work, branch closures and technological dependencies (including fraud and cyber risks); and (4) elevated compliance risks related to new government relief programs and an institution’s corresponding policies, procedures and staff reassignments, including Bank Secrecy Act, fair lending and others implicated by high transaction volumes. The report also flags the LIBOR transition as an additional source of risk institutions should continue to manage.

FDIC and FRB Issue Joint Release on Resolution Plans and Critical Operations Review

On July 1, in a Joint Agency Release, the FDIC and Federal Reserve (Agencies) released information to the eight largest and most complex domestic banking organizations regarding their next resolution plans due to be submitted by July 1, 2021. An organization’s resolution plan, or living will, is required to describe the firm’s strategy for rapid and orderly resolution in bankruptcy in the event the organization undergoes an event of material financial distress or failure. In December 2019, the Agencies published a final rule which introduced a new “Targeted Resolution Plan” aimed at requiring a subset of the requirements under a full resolution plan. This will be the first year in which Targeted Resolution Plans may be submitted. In addition, the 2021 plans are required to include core elements of the organization’s resolution plan, including capital, liquidity and recapitalization strategies, as well as how the organization has integrated changes and lessons learned from its response to the COVID-19 pandemic. Separately, the Agencies announced in the Joint Agency Release the completion of their review of “critical operations” of those organizations whose failure or discontinuance could threaten U.S. financial stability. Those organizations have been notified of the Agencies’ findings. The Agencies plan to conduct another “critical operations” review by July 2022.

FFIEC Issues Statement Regarding LIBOR Transition Management

On July 1, the FFIEC issued a joint statement regarding risk management by financial institutions for the expected discontinuation of LIBOR. The statement encourages institutions to continue preparing for LIBOR’s discontinuation and cautions that the failure to do so could lead to financial, legal, operational and consumer protection risks. The LIBOR transition is expected to affect nearly every institution, with the biggest potential impacts on large institutions and those that engage in significant capital markets activities, such as interest rate swaps, derivatives and hedging transactions. The statement advises institutions to assess their LIBOR risk exposure; scrutinize contractual fallback language that might address only temporary (rather than permanent) LIBOR disruptions; assess potential consumer risks arising from loans referencing LIBOR without adequate replacement provisions; and evaluate risks related to third-party service providers (including the provider’s own preparedness and transition planning) that may provide modeling, document preparation, accounting, valuation or pricing services, or other services utilizing or relying on LIBOR. According to the FFIEC, the statement does not contain new regulatory expectations.

OCC Updates UDAAP Section of Comptroller’s Handbook

The OCC has released an update to its Comptroller’s Handbook regarding Unfair or Deceptive Acts and Practices (UDAP) and Unfair, Deceptive, or Abusive Acts or Practices (UDAAP). The update includes expanded procedures to assist examiners in evaluating UDAP and UDAAP risks and in assessing associated risk management (including evaluating a bank’s compliance management systems). The update also provides an appendix of “red flags” that warn of potential UDAP/UDAAP concerns, such as customer complaints, whistleblower referrals, high levels of fee income and high volumes of charge-backs or refunds.

Fair Lending Considerations in a COVID-19 World: Rules Still in Play

The U.S. banking regulators and state attorneys general have issued several appeals to the financial services industry to assist borrowers in financial distress due to the COVID-19 pandemic. While these agencies have publicly stated that they will provide regulatory flexibility regarding accounting, reporting, and regulatory capital rules; credit reporting requirements; billing error resolution timeframes; and electronic credit card disclosure obligations, their approach regarding other rules remains seemingly unchanged. Read the Office of the Comptroller of the Currency (OCC) National Risk Committee’s Spring 2020 Semiannual Risk Perspective, released on June 29, for highlights on compliance with fair lending laws and regulations and other consumer protection requirements, and our Goodwin client alert focusing on several other rules that are still in play and must be addressed, including ability-to-pay determinations for card accounts, advance notice and safety and soundness requirements.

U.S. Federal Agencies Finalize Revisions to Volcker Rule Covered Funds Restrictions

The five U.S. federal regulatory agencies responsible for implementing the Volcker Rule — the Federal Reserve, OCC, FDIC, SEC and Commodity Futures Trading Commission — have issued a final rule (Final Rule) revising their regulations implementing the covered funds aspects of the Volcker Rule. The Final Rule modifies existing exceptions from the definition of covered fund, adds new exclusions from the definition of covered fund, and provides relief in other areas. Read the client alert for a summary of the changes made by the Final Rule, which becomes effective October 1, 2020.

Enforcement & Litigation

CFPB Files Suit Against Financial Services Company for Alleged UDAAP Violations

On July 6, the CFPB announced that it filed a lawsuit against a Delaware financial services company and the company’s founder in the Southern District of New York. The complaint alleges that the company engaged in deceptive acts and practices under the Consumer Financial Protection Act, 12 U.S.C. § 5531, through its Healthcare Finance Savings CD Accounts program. Read the Consumer Finance Enforcement Watch blog to learn more about the CFPB’s complaint.

CFPB Settles with Florida Student Debt Relief Company for $6.8 Million

On July 8, the CFPB announced that it reached a settlement with a Florida-based student debt relief company and three of the company’s officers. The complaint, which was filed in the Southern District of Florida, alleges that from 2016 through October 2019, the company violated the Telemarketing Sales Rule, 16 C.F.R. 310, and the Consumer Financial Protection Act, 12 U.S.C. § 5536, by charging consumers seeking student loan debt relief illegal advance fees. Read the Consumer Finance Enforcement Watch blog to learn more about the allegations and proposed settlement.

Agent Fee Suits and PPP Loans: Clarity Could Be Coming

On June 30, Treasury Secretary Steven Mnuchin hinted during a House Financial Services Committee (HFSC) oversight hearing that clarification may be coming on whether agents helping small businesses apply for PPP loans are entitled to automatic fee reimbursements from PPP lenders. This clarification comes on the heels of class-action lawsuits alleging that lenders issuing PPP loans have been improperly withholding fees from accountants and other agents assisting small businesses with their PPP applications. Read the LenderLaw Watch blog to learn more about the lawsuits and the potential impacts of the clarifying measures the Treasury will take in response to the competing views of agents and lenders.

Goodwin News

Madden Fix and True Lender: A Webinar on the OCC’s Final Rule on Permissible Interest on Sold Loans and the True Lender Doctrine

July 16th 2:00 – 3:00 pm ET

In this webinar, the Goodwin Team will discuss recent OCC and FDIC rules on permissible interest on loans sold by a national bank or insured state bank (a.k.a. the “Madden Fix”) and the latest on the true lender doctrine. Goodwin will also cover state usury and interest exportation basics to set a good foundation for the discussion. This webinar is intended for the entire Fintech lending community, including Fintechs and banks in lending partnerships, servicers, credit facility providers and investors. Register for the webinar here.

What’s Next? A Path Forward in Uncertain Times

In light of the recent global pandemic, Goodwin’s interdisciplinary team of lawyers presents various types of financings and investment structures applicable in current market conditions in a new webinar series, “What’s Next? A Path Forward in Uncertain Times”. This multi-part series explores the financing transactions and topics that are most relevant for companies and investors at a time where valuations are uncertain and companies across industries need capital. Visit the website to learn more, register for upcoming webinars and access previous events.

This week’s Roundup contributors: Josh Burlingham, Alex Callen, Jessica Craig, Viona Harris, and Mac Laban.