Financial Services Alert - December 23, 2008 December 23, 2008
In This Issue

FRB, OTS and NCUA Approve Final Credit Card Rules and Proposed EFT Overdraft Rules

The FRB adopted final amendments (the “Final Rules”) to Regulation AA (Unfair or Deceptive Acts or Practices), Regulation Z (Truth in Lending) and Regulation DD (Truth in Savings) that impose new requirements on issuers of credit cards and charge cards.  The FRB also approved proposed amendments (the “Proposed Rules”) to Regulation E (Electronic Fund Transfers) relating to overdraft fees.  The OTS and the NCUA approved substantially similar rules.  A summary of the major final and proposed rule amendments follows.

New Credit Card Requirements.  For accounts whose balances are subject to different annual percentage rates (“APRs”), the Final Rules require banks to allocate payments exceeding the minimum payment to the balance with the highest rate first or pro rata among all of the balances.  A 45-day advance notice requirement will apply to changes in terms, including an increase in the APR charged due to the consumer’s delinquency or default or as a penalty. The Final Rules impose new format and content requirements for information on credit and charge card applications, solicitations, account-opening disclosures and periodic statements and eliminate the requirement to disclose an “effective APR.”  Under the Final Rules, creditors also must set reasonable cut-off hours governing when receipt of cardholder payments will be considered timely (5:00 p.m. on the payment due date is deemed a reasonable time). 

New Credit Card Prohibitions.  The Final Rules impose restrictions on changes in the interest rates disclosed at account opening during the first year an account is open.  The Final Rules also prohibit banks from treating a payment as late for any reason unless the consumer has a reasonable time to make a payment; a safe harbor applies to periodic statements sent at least 21 days prior to the payment due date.  Two-cycle billing is also prohibited under the Final Rules.  Regarding so-called “subprime” credit cards, the Final Rules (1) prohibit banks from financing security deposits and fees for credit availability if charges assessed during the first twelve months would exceed 50% of the initial credit limit, (2) limit the security deposits and fees charged at account opening to 25% of the initial credit limit, and (3) require any additional amounts (up to 50%) to be spread evenly over at least the next five billing cycles.

Final Overdraft Rules.  Under the Final Rules, all institutions are required to disclose on periodic statements the aggregate dollar amounts charged for overdraft fees and for returned item fees for the statement period and year-to-date, regardless of whether the institution promotes or advertises the payment of overdrafts.

Proposed Amendments to Regulation E.  Comments are solicited in the Proposed Rules on two approaches regarding the payment of overdrafts, each of which is limited to the payment of overdrafts for ATM withdrawals and one-time debit card transactions: (1) institutions could charge a fee for overdraft payments only if the consumer were given the opportunity to opt out of the payment of overdrafts; or (2) institutions could charge a fee for overdraft payments only if the consumer opted in to the institution’s overdraft service.  The Proposed Rules also would prohibit institutions from imposing an overdraft fee when the account is overdrawn because of a hold placed on funds in the consumer’s account that exceeds the actual transaction amount, for example, when the consumer makes a pay-at-the-pump fuel purchase or a meal purchase at a restaurant.

Withdrawn Proposals.  The banking regulators withdrew rule proposals that would have (a) required certain disclosures from banks that made firm offers of credit and advertised a range of APRs or credit and (b)  prohibited banks from imposing a fee on an account when its credit limit was exceeded solely because the institution placed a hold on available credit. 

A copy of the FRB staff memorandum regarding the Final Rules and the Proposed Rules is available at  The effective date of the Final Rules is July 1, 2010.  The effective date of the Proposed Rules would be January 1, 2010.  There will be a 60-day comment period for the Proposed Rules after publication in the Federal Register.

Federal Banking Agencies Finalize Rule Permitting Banking Organizations to Deduct Goodwill Net of Associated Deferred Tax Liabilities from Regulatory Capital

The FRB, FDIC, OCC and OTS (the “Agencies”) issued a final rule (the “Rule”) under which banks, bank holding companies and savings associations (“Banking Organizations”) may reduce the amount of goodwill that a Banking Organization must deduct from Tier 1 capital by the amount of any deferred tax liability associated with that goodwill.  Under the Agencies’ previous regulatory capital rules, Banking Organizations may net the value of associated deferred tax liabilities from many assets, but such netting is generally not permitted for goodwill.  The Agencies did not, however, adopt the proposed change that would have extended the new capital treatment to any deferred tax liability associated with other intangible assets acquired in a taxable business combination.  The Rule is effective 30 days after its publication in the Federal Register, but Banking Organizations may elect to apply the Rule for purposes of the regulatory reporting period ending on December 31, 2008.

FINRA Issues Guidance Regarding Credit for Extraordinary Cooperation

The Financial Industry Regulatory Authority (“FINRA”) issued a Regulatory Notice 08‑70 (the “Regulatory Notice”), which provides guidance regarding circumstances in which FINRA may provide credit to firms or individuals for “extraordinary cooperation” in FINRA investigations.  The Regulatory Notice indicates that while the FINRA Sanction Guidelines, which govern the decisions of FINRA adjudicators in contested matters, have served as the basis for the guidance in the Regulatory Notice, that guidance applies only to the factors considered by FINRA Enforcement in the context of settlement discussions when deciding what sanctions to assess.  The broad categories of conduct that may be considered extraordinary cooperation include the following:  (1) self-reporting before regulators become aware of the violation (i.e., before regulatory inquiry into the conduct at issue has begun and before the violation otherwise comes to the regulator’s attention); (2) extraordinary efforts to correct deficient procedures and systems; (3) extraordinary remediation to customers; and (4) providing substantial assistance to FINRA’s investigation.  The Regulatory Notice includes additional detail for each category with examples and discussion of issues such as the waiver of attorney/client privilege.

The Regulatory Notice makes clear that for conduct to be considered extraordinary cooperation it must be well beyond that which a firm or an individual is otherwise required, obligated or even prompted to undertake.  The credit provided for extraordinary cooperation may include reductions in fines imposed, eliminating the need for or otherwise limiting an undertaking, including language in settlement documents and press releases that notes the cooperation and its positive effect on the final settlement and, in unusual cases, determining to take no disciplinary action at all.  FINRA makes clear that the level of cooperation in an investigation is just one factor to be considered in determining the appropriate disciplinary action and sanctions.  While FINRA notes that the extent of extraordinary cooperation will be an “important factor” in determining the appropriate regulatory response, other factors will also affect the choice of enforcement action to be taken in any matter, including the nature of the conduct, the extent of customer harm, the duration of the misconduct and any prior disciplinary history.

Massachusetts Regulators Respond to Industry Questions on New Data Security Requirements; Goodwin Procter to Host Webinar on Massachusetts Data Security Regulations

In response to questions from the Investment Company Institute, a trade organization for the mutual fund industry, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) provided some responses in an effort to clarify certain information in the Massachusetts data security regulations, most provisions of which go into effect May 1, 2009.  As the regulators have made clear in verbal presentations, the responses say that the security standards promulgated are to be seen as a “minimum,” and entities are free to use their own written information security programs in lieu of the small business guide put out by the state, as long as the customized security program or best practices meet at least these minimum standards.  One helpful clarification is OCABR’s indication that particular suggested vendor certification language that certified compliance “to the best of our reasonable knowledge and belief” would be compliant.  On encryption and the question of whether state-of-the-art technology may be a better alternative to encryption, e.g., a “kill pill” that disables a device, the OCABR emphasized that the effectiveness of the protection matters more than the novelty of the technology.

In the responses, the OCABR deferred to the Attorney General’s office all questions involving enforcement, and chose not to clarify here whether an entity has an obligation, for example, to determine the state of residency of a person about whom one retains data if the data held does not identify their state of residence.  Similarly, for those industries where there are not “industry standards” promulgated by any regulator as to data security, the OCABR would not say to what standards an entity should look to determine if its data security is “reasonably consistent with industry standards.”  In the absence of any guidance on enforcement, it appears likely that enforcement by the AG would be triggered when a breach occurs and the requisite filing is made with the AG’s office, assuming an investigation is conducted by the AG at that point. 

The regulators also deflected many of the questions in favor of the statutory wording, for example, for the definitions of terms such as “financial account” and “personal information.”  In sum, the OCABR’s responses underscore the state’s intent to create a higher bar in data security regulation.  At the same time, the responses indicate that OCABR chose not to address some of the industry’s widespread concerns, including the scope of information requiring protection and which parties are third-party service providers that trigger the regulations’ contractual and certification requirements, as well as what precisely will constitute a portable device requiring encryption, among other issues.

* * * * * *

Goodwin Procter Webinar on Massachusetts Data Security Regulations

Goodwin Procter invites you to attend a free webinar on the new Massachusetts Data Security Regulations, which apply to any business in possession of personal information of Massachusetts residents, whether or not that business maintains a presence in the state, and are scheduled to go into effect on May 1, 2009.  The webinar will be  held on January 15, 2009 from 12:30-2:00 EST.  This webinar will address the practical implications of these regulations for businesses nationwide.  Attorneys from Goodwin Procter’s Privacy & Cybersecurity Practice will examine the scope and requirements of the new rules; analyze the interrelationship between the Massachusetts rules and other information security requirements; explore best practices for information security policy development and implementation; and share views on current trends in this area, including other states that may be considering similar legislation.

SEC Approves New Interactive Data Tagging Requirements for Public Company Financial Statements by Public Companies and for Mutual Funds

At its open meeting last week, the SEC voted to approve additional requirements regarding the use of interactive data in SEC filings by public companies and mutual funds.  Interactive data tags labels the elements of an electronic filing with unique computer-readable “tags” that make the information more searchable on the Internet and more readable by spreadsheets and other software.  Because the SEC has not issued formal adopting releases, this summary is based on the SEC press release announcing action at the open meeting and published remarks of the SEC staff from the open meeting.

Public Companies.  Under the new requirements, public companies will be required to use interactive data in financial statements that are part of their (a) periodic annual and quarterly reports, (b) reports on forms 8‑K and 6-K that contain updated or revised versions of financial statements that appeared in a periodic report and (c) registration statements under the Securities Act of 1933, as amended (the “1933 Act”).  The disclosure in interactive data format will supplement, but not replace or change, disclosure using the traditional formats for electronic filings with the SEC.

A company will have to file its tagged financial statements with the SEC and post them on its website at the same time as the related report or registration statement, subject to a thirty day grace period for first time filers.  Tagged financial statements will have to remain posted on company websites for 12 months.  Filers that fail to provide a post required interactive data will be deemed not current with their reports under the Securities Exchange Act of 1934, as amended and (the “1934 Act”), as a result, would not be eligible to use the short form registration and will not be deemed to have available adequate current public information for purposes of the resale extension safe harbor provided by Rule 144 under the 1933 Act until they make the required filing or posting.  Interactive data files will be excluded from the officer certification requirements under 1934 Act rules, and issuers will not be required to obtain auditor assurance on their interactive data financial statements.

Domestic and foreign large accelerated filers using U.S. GAAP with a public float above $5 billion will be required to comply with the new requirements starting with their first quarterly report for fiscal periods ending on or after June 15, 2009.  The remaining large accelerated filers using U.S. GAAP will be required to comply with the new requirements on a phased-in schedule over the next two years.  All remaining companies using U.S. GAAP and foreign private issuers using International Financial Reporting Standards issued by the International Accounting Standards Board will be required to comply with the new requirements starting with fiscal years ending on or after June 15, 2011.  Public companies may choose to meet the new interactive data requirements in advance of their respective compliance dates. 

Mutual Funds.  Mutual funds will be required to begin including data tags in their public filings that include information on objectives and strategies, risks, performance, and costs.  Mutual funds will also be required to post this interactive data on their websites.  The impact of this rulemaking depends to a significant extent on the precise details of the changes to the mutual statutory prospectus recently adopted by the SEC as part of its summary prospectus initiative (see the November 25, 2008 Alert) because the portions of the mutual fund prospectus proposed to be submitted in interactive data format were the ones affected by the summary prospectus disclosure changes, for which an adopting release detailing those changes has not been issued.

SEC Adopts Rules Relating to Equity-Indexed Annuity Contracts

At its open meeting last week, the SEC voted 4-1 to adopt new Rule 151A under the Securities Act of 1933, as amended (the “1933 Act”), which will require registration of certain equity-indexed annuity contracts.  The new rule provides that certain contracts are not considered an “annuity contract” or an “option annuity contract” excluded from the 1933 Act’s registration requirements under Section 3(a)(8) of the 1933 Act. The SEC announced that Rule 151A will apply only to equity-indexed annuities issued on or after January 12, 2011.  The SEC also approved new Rule 12h-7 under the Securities Exchange Act of 1934, which will provide a conditional exemption from the Act’s periodic reporting requirements for insurance companies issuing equity-indexed annuities and certain other contracts.  At the open meeting, the SEC staff stated that the final rule includes a provision designed to avoid conflicts relating to state laws.  The Alert will provide additional coverage once the SEC publishes a formal adopting release for the new rules.