Weekly RoundUp
December 2, 2021

Agencies Approve Final Rule: Computer-Security Incident Notification

In This Weekly Roundup Issue. The Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC) and the Board of Governors of the Federal Reserve System (together, the Agencies) issued a final rule regarding computer-security incident notification; the Agencies issued a joint statement summarizing the Agencies’ recent “policy sprints” on crypto-assets; the OCC Chief Counsel issued an interpretive letter regarding cryptocurrency activities; the U.S. Securities and Exchange Commission (SEC) is proposing a rule on the reporting of securities loans, and updates to electronic recordkeeping requirements; and the OCC issued a bulleting reminding banks that they are prohibited from making most equity investments in venture capital funds. These and other developments are discussed in more detail below.

Regulatory Developments

Agencies Approve Final Rule: Computer-Security Incident Notification

On November 18, the Agencies issued a final rule (Final Rule) that requires banking organizations to inform their primary federal regulator no later than 36 hours after a determination that a “computer-security incident” has reached the level of a “notification incident.” The Final Rule defines a “computer-security incident” as any incident resulting in harm to the confidentiality, integrity or availability of an information system, including the information processed, stored or transmitted by the system. A “notification incident” is a “computer-security incident” that has or is reasonably likely to disrupt or degrade a banking organization’s ability to conduct or deliver banking operations and products, including but not limited to disruption of operations that would result in a material loss of revenue for the banking organization or pose a threat to the financial stability of the United States.

Additionally, the Final Rule requires bank service providers to notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the service provider determines that it has experienced a “computer security incident” that is reasonably likely to cause, or has caused, a material service disruption or degradation for four or more hours. Compliance with the Final Rule is required by May 1, 2022.

Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps

The Agencies issued a joint statement providing an overview of the Agencies’ recent “policy sprints” and their plans to provide greater clarity on whether certain activities related to crypto-assets conducted by banking organizations are legally permissible, and expectations for safety and soundness, consumer protection and compliance with existing laws and regulations related to:

  • Crypto-asset safekeeping and traditional custody services
  • Ancillary custody services
  • Facilitation of customer purchases and sales of crypto-assets
  • Loans collateralized by crypto-assets
  • Issuance and distribution of stablecoins
  • Activities involving the holding of crypto-assets on balance sheet

OCC Issues Interpretive Letter Addressing Banks Engaging in Cryptocurrency Activities

The OCC Chief Counsel issued an interpretive letter addressing the authority of national banks and federal savings associations (together, banks) to engage in certain cryptocurrency activities, and the authority of the OCC to charter a national trust bank. Before engaging in cryptocurrency activities that the OCC has previously determined are permissible (such as cryptocurrency custody services on behalf of customers; holding deposits that serve as reserves for stablecoins that are backed on a 1:1 basis by a single fiat currency and held in hosted wallets; and using independent noted verification networks, such as distributed ledgers, to facilitate payments transactions for customers), a bank must notify its supervisory office in writing of the proposed activities and receive written notification of the supervisory non-objection. To obtain supervisory non-objection, the bank should demonstrate that it has established an appropriate risk management and measurement process for the proposed activities, including having adequate systems in place to identify, measure, monitor, and control the risks of its activities, including the ability to do so on an ongoing basis.

The interpretive letter also clarifies the OCC’s standards for chartering national trust banks. Specifically, the letter states that the OCC retains discretion to determine if an applicant’s activities that are considered trust or fiduciary activities under state law are considered trust or fiduciary activities for purposes of applicable federal law.

“Providing this clarity will help ensure that these cryptocurrency, distributed ledger, and stablecoin activities will be conducted by national banks and federal savings associations in a safe and sound manner.” 
- Acting Comptroller Michael Hsu

SEC Proposes Rule for Securities Lending Transactions Reporting and Disclosure

On November 18, the SEC proposed Rule 10c-1 under the Securities Exchange Act of 1934, which would require lenders of securities to provide the material terms of securities lending transactions to a registered national securities association (RNSA), which would then make the material terms of the securities lending transaction available to the public.

To facilitate transparency in the securities lending market, proposed Rule 10c-1 would require lenders to report specified data elements to an RNSA, including (1) the legal name of the security issuer, and the Legal Entity Identifier (“LEI”) of the issuer, if the issuer has an active LEI; (2) the ticker symbol, ISIN, CUSIP or FIGI of the security, if assigned, or other identifier; (3) the date the loan was affected; (4) the time the loan was effected; (5) for a loan executed on a platform or venue, the name of the platform or venue where executed; (6) the amount of the security loaned; (7) ) for a loan not collateralized by cash, the securities lending fee or rate, or any other fee or charges; (8) the type of collateral used to secure the loan of securities; (9) for a loan collateralized by cash, the rebate rate or any other fee or charges; (10) the percentage of collateral to value of loaned securities required to secure such loan; (11) the termination date of the loan, if applicable; and (12) whether the borrower is a broker or dealer, a customer (if the person lending securities is a broker or dealer), a clearing agency, a bank, a custodian or other person. The public comment period will remain open for 30 days following publication of the proposal in the Federal Register.

SEC Proposes Updates to Electronic Recordkeeping Requirements

On November 18, the SEC published amendments to its electronic recordkeeping and production of records requirements applicable to broker-dealers, security-based swap dealers (SBSDs) and major security-based swap participants (MSBSPs). The current rule, in place since in 1997, requires that records be preserved exclusively in a non-rewriteable, non-erasable format (also known as “write once, read many”). The proposed amendments are intended to add an audit-trail alternative in order to make the rule more technology neutral and facilitate SEC inspections and examinations.

Among other changes, the amendments require that 1) in order to meet the audit-alternative, a broker-dealer’s electronic recording system must preserve electronic records in a manner that permits the recreation of an original record if it is altered, over-written or erased; 2) nonbank SBSDs and MSBSPs preserve electronic records using either the original “write once, read many” method or the new audit-trail method also available to broker-dealers; and 3) broker-dealers, SBSDs and MSBSPs produce electronic records to securities regulators in a reasonably usable electronic format.

OCC Reminds Banks of Prohibitions from Investing in Venture Capital Funds

On November 23, the OCC issued a bulletin to remind banks that they are prohibited from making most equity investments in venture capital funds. Equity investments in venture capital funds may be permissible if they are public welfare investments or investments in small business investment companies. The bulletin also stated that qualifying for the Volcker rule's venture capital fund exclusion does not make a fund a permissible investment for a bank. Impermissible and inappropriate investments expose the bank and its institution-affiliated parties to enforcement actions and civil money penalties, and national bank directors may be personally liable for an impermissible investment’s losses.

New Rules for Proxy Contests: SEC Adopts Mandatory Universal Proxy Rules

On November 17, the SEC approved mandatory “universal proxy rules.” The final rules will apply to contested director elections at shareholder meetings held after August 31, 2022. The SEC also approved amendments that will clarify the shareholder voting options in all director elections. When the universal proxy rules become effective on September 1, 2022, they will significantly change the proxy mechanics for contested director elections.

Read the client alert to learn more.

Check Out Goodwin’s Latest Industry Insights

FinReg + Policy Watch Blog
Stay on top of developments affecting the financial services community.

LenderLaw Watch Blog
Stay on top of news and legal issues in the consumer finance industry.

Consumer Finance Enforcement Watch Blog
Stay on top of enforcement actions, trends and issues.

Digital Currency + Blockchain Perspectives Blog
Stay on top of digital currency industry news, regulatory developments and issues.

Nicole Griffin
Samantha M. Kirby
William E. Stern

Joanna Jiang
Serene Qandil
Nico Ramos