Financial Services Alert - April 16, 2013 April 16, 2013
In This Issue

SEC and CFTC Adopt Rules to Address FCRA Requirements for Identity Theft Programs and Credit Card Changes of Address

The SEC and CFTC (the “Commissions”) jointly issued final rules that will (a) require “financial institutions” and “creditors” subject to a Commission’s jurisdiction to develop and implement a written identity theft prevention program addressing identity theft in connection with certain existing accounts or the opening of new accounts and (b) establish special requirements under which a credit or debit card issuer subject to a Commission’s jurisdiction would have to assess the validity of change of address notifications.  The Commissions adopted the final rules because the Dodd-Frank Act amended the Fair Credit Reporting Act of 1970 (“FCRA”) to add the Commissions to the list of federal agencies required to jointly prescribe and enforce identity theft red flags rules and card issuer rules regarding certain changes of address.  The final rules are substantially similar to identity theft rules and card issuer rules adopted in 2007 by the federal banking regulators and the FTC in response to prior amendments to FCRA.  The final rules do, however, contain some examples and minor language changes designed to facilitate compliance by entities under the Commissions’ jurisdiction.

Transfer of Enforcement Authority to the Commissions.  In broad terms, the primary effect of the final rules is to transfer to each Commission the enforcement of identity theft rules and card issuer rules as applied to the entities generally subject to that Commission’s enforcement authority.  The Commissions’ joint release relating to the final rules observes that “[t]he Commissions recognize that entities subject to their respective enforcement authorities, whose activities fall within the scope of the rules, should already be in compliance with” the other agencies’ rules.  The release adds that the final rules neither contain requirements not already included in the other agencies’ rules, nor expand the scope of those rules to include new categories of entities not already covered, although elsewhere in the release, as discussed below in greater detail, there is an expectation on the SEC’s part that certain investment advisers may determine in response to this rulemaking that they are subject to the SEC’s identity theft rule, Regulation S-ID.

Identity Theft Rules.  In broad terms, a Commission’s identity theft rules apply to “financial institutions” and “creditors” subject to its enforcement authority.  An entity that falls within either of these categories must periodically assess whether it maintains “covered accounts.”  If it determines that it does, the entity must adopt an identity theft program with respect to those accounts in accordance with the Commission’s identity theft rule. 

  • A “financial institution” is defined to include, in addition to certain banks and credit unions, “any other person that, directly or indirectly, holds a transaction account . . . belonging to [an individual].”  A “transaction account” is an “account on which the ... account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.”  
  • A “creditor” is “a person that regularly extends, renews or continues credit, or makes those arrangements, that “regularly and in the course of business … advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person,” except for a creditor that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.”
  • A “covered account” is: (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers (which may be either individuals or entities) or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

Regulation S-ID and Investment Advisers.  In a statement issued in connection with the SEC action adopting the final rules, SEC Commissioner Aguilar made the following observation:

There is one group of entities, however, that may not have existing identity theft red flag programs and will need to pay particular attention to the rules being adopted today. This group consists of investment advisers registered under the Investment Adviser Act — particularly the private fund and hedge fund advisers that are recent registrants with the SEC.  [The formal release adopting the final rules] offers a number of examples and illustrations that may assist those entities in understanding, whether they qualify, and, if they do, what their responsibilities are under Regulation S-ID.

The adopting release itself states that “SEC staff anticipates that the following examples of circumstances in which certain entities, particularly investment advisers, may qualify as financial institutions may lead some of these entities that had not previously complied with the Agencies’ rules to now determine that they should comply with Regulation S-ID.”   A related reference in the adopting release provides that, based on examination of IARD data, the SEC staff expects that certain private fund advisers could potentially be “financial institutions” and “creditors” subject to Regulation S-ID.

The adopting release provides (without further detail or explanation) the following examples of investment advisers that may fall within the definition of “financial institution” with respect to separate account and fund relationships:

  • “[A]n investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties” could fall within the meaning of the term “financial institution” because it holds transaction accounts belonging to individuals. 
  • “[E]ven if an investor’s assets are physically held with a qualified custodian, an adviser that has authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions would hold a transaction account.”
  • “Registered investment advisers to private funds also may directly or indirectly hold transaction accounts.  If an individual invests money in a private fund, and the adviser to the fund has the authority, pursuant to an arrangement with the private fund or the individual, to direct such individual’s investment proceeds (e.g., redemptions, distributions, dividends, interest, or other proceeds related to the individual’s account) to third parties, then that adviser would indirectly hold a transaction account. For example, a private fund adviser would hold a transaction account if it has the authority to direct an investor’s redemption proceeds to other persons upon instructions received from the investor.”

The adopting release provides the following example of circumstances in the private fund context under which an investment adviser could be acting as a “creditor”:

  • An investment adviser could potentially qualify as a creditor if it “advances funds” to an investor that are not for expenses incidental to services provided by that adviser.  For example, a private fund adviser that regularly and in the ordinary course of business lends money, short-term or otherwise, to permit investors to make an investment in the fund, pending the receipt or clearance of an investor’s check or wire transfer, could qualify as a creditor.

Regulation S-ID and Exempt Reporting Advisers.  The adopting release states that Regulation S-ID does not include within its scope entities that are not themselves registered or required to register with the SEC (with the exception of business development companies and employees’ securities companies), even if they register securities under the Securities Act of 1933 or the Securities Exchange Act of 1934, or report information under the federal securities laws.  The adopting release cites investment advisers that rely on the venture capital fund and private fund adviser exemptions as examples of entities outside Regulation S-ID’s scope.

Credit Card Rules.  A Commission’s final credit card rules apply to a person subject to its enforcement authority that issues a debit or credit card (“card issuer”). The release adopting the final rules notes that “the CFTC is not aware of any entities subject to its enforcement authority that issue debit or credit cards and, as a matter of practice, believes that it is highly unlikely that CFTC-regulated entities would issue debit or credit cards.”  The adopting release goes on to observe that “the SEC understands that a number of entities within its enforcement authority issue cards in partnership with affiliated or unaffiliated banks and financial institutions, but that these cards are generally issued by the partner bank, and not by the SEC-regulated entity.  The SEC therefore expects that no entities within its enforcement authority will be subject to the card issuer rules.”

Compliance Deadline. The final rules becomes effective 30 days after their forthcoming publication in the Federal Register; compliance is required six months later.

Federal Court Rules That Failure to Meet Statutory 180-Day Deadline After Wells Notice Does Not Bar Filing of Enforcement Action

The United States District Court for the Eastern District of New York held that the 180-day deadline in Section 929U of the Dodd-Frank Act imposes only an internal deadline on the SEC to file enforcement actions after issuing a Wells Notice, and does not act as a statute of limitations for enforcement actions.  Section 929U provides that, within 180 days of providing a written Wells Notice to any person, the SEC “shall either file an action against such person or provide notice to the Director of the Division of Enforcement of its intent to not file an action.”  Section 929U also provides that, if the Director of the Division of Enforcement or his designee determines that a particular investigation is “sufficiently complex,” the SEC may extend this deadline for “one or more additional successive 180-day periods.”

In September 2011, the SEC filed an enforcement action against NIR Group, LLC and Corey Ribotsky for allegedly defrauding investors in connection with securities transactions.  Before filing this action, the SEC issued a Wells Notice and subsequently obtained extensions within which to file the complaint.  Defendants moved to dismiss the complaint based upon on the SEC’s failure to allege compliance with Section 929U, but Defendants abandoned their motion to dismiss after the SEC was granted leave to file an amended complaint.  Instead, Defendants moved to compel discovery of SEC counsel’s testimony, as well as internal SEC documents, related to the SEC’s requests for extension of the 180-day deadline.  Defendants argued that these documents are relevant to its claim or defense because the time limit under Section 929U acts as a “de facto statute of limitations on enforcement actions.”  In response, the SEC moved to quash Defendants’ subpoena.

Magistrate Judge Gary R. Brown granted the SEC’s motion to quash, holding that the information sought by Defendants is not relevant to any claim or defense in the enforcement action, because the SEC’s failure to comply with the 180-day provision in the statute would not be a defense to the action.  Citing Supreme Court authority addressing instances of untimely compliance with other statutory deadlines and a decision by the District Court for the Southern District of Florida representing the sole authority to date addressing the Section 929U deadline, the Court held that the expiration of the 180-day deadline in Section 929U does not create a jurisdictional bar to SEC enforcement actions.  The court noted, however, that although the statute does not  grant defendants the right to dismiss an SEC enforcement action that is brought more than 180 days after the issuance of a Wells Notice, the statute may allow targets of a Wells Notice to bring an administrative proceeding or file a declaratory judgment action seeking an order to compel the SEC to act.  Finally, the Court held that, even assuming that the requested documents were relevant, they would be subject to various protections, including the attorney work-product privilege.

SEC v. The Nir Group, No. CV 11-4723 (E.D.N.Y. Mar. 24, 2013).

FRB Issues Proposed Rule Concerning Annual Assessments on Largest Banking Organizations and on Nonbank Financial Companies Designated for FRB Supervision by FSOC

The FRB issued a proposed rule (the “Proposed Rule”) pursuant to Section 318 of the Dodd-Frank Act under which it would impose annual assessments on bank holding companies and savings and loan holding companies with total consolidated assets of $50 billion or more and on nonbank financial companies designated by the Financial Stability Oversight Council for supervision by the FRB.  The assessments are intended to equal the FRB’s estimate of the expenses that are “necessary or appropriate to carry out the [FRB’s] supervisory and regulatory responsibilities to be covered by the [applicable] assessment.”  The FRB estimates that for 2012 approximately 70 companies would be assessed and that aggregate assessments would total approximately $440 million. 

Comments on the Proposed Rule are due by June 15, 2013.

OCC Deputy Chief Counsel Testifies Before Senate Subcommittee Concerning Retention by Banks of Independent Consultants in Connection with OCC Enforcement Actions

On April 11, 2013, OCC Deputy Chief Counsel Daniel P. Stipano testified before the U.S. Senate Subcommittee on Financial Institutions and Consumer Protection (the “Subcommittee”) of the Committee on Banking, Housing and Urban Affairs concerning retention by banks of independent consultants in connection with compliance with the terms of OCC enforcement actions.  The Subcommittee conducted the hearing in the aftermath of the early termination as “failed” of independent foreclosure reviews, involving the use of independent consultants, required under OCC and FRB consent orders against banking organizations with major mortgage servicing operations (the “Independent Foreclosure Review”).

In his testimony, Mr. Stipano stated that the OCC has a longstanding practice, in appropriate cases, of using articles in enforcement agreements and orders that require banks to retain independent consultants.  He said that independent consultants are sought where they provide subject matter expertise, needed staff resources and/or objectivity that is not available at the applicable bank.  Mr. Stipano noted that absence of the needed expertise or staff resources (and the need to use independent consultants) is often found at community banks.  Mr. Stipano stated that the contexts in which the OCC often requires a bank to retain independent consultants include situations where a bank must:

  1. address deficiencies in Bank Secrecy Act/anti-money laundering compliance;
  2. review the quality of its loan portfolio;
  3. assess the accuracy and completeness of its books and records;
  4. perform its annual review of the adequacy of its allowance for credit losses; and
  5. review real estate appraisals, compensation, internal controls, and information technology systems.

Mr. Stipano stated that types of independent consultants involved in connection with banks’ compliance with OCC enforcement actions have included certified public accountants, lawyers, financial consultants, and information technology specialists, among others.  In general, Mr. Stipano said, the practice of using independent consultants has been effective and constructive.  “Through this practice,” said Mr. Stipano, “the OCC has caused banks to address effectively a variety of operating and management deficiencies, to come into compliance with laws, rules and regulations, and to operate in a safe and sound manner.

In his testimony, Mr. Stipano stressed that even though the bank selects and compensates the independent consultant, the OCC oversees the selection of, and performance by, the independent consultant.  A bank is required to submit the consultant’s qualifications to the OCC, and the OCC assesses the expertise and resources of the proposed consultant.  The OCC also considers whether the proposed independent consultant’s “existing and prior relationship with the bank and potential conflicts of interest” pose concerns that cause the OCC to object to (and thereby prevent) the use of the independent consultant in connection with the applicable enforcement action.  The OCC also often reviews a bank’s engagement agreement with the proposed consultant, oversees the consultant and its progress during the engagement.  Moreover, after the consultant presents its final report on the matter to the bank, the OCC may require that the consultant perform additional work to meet the full requirements of the enforcement action.  As part of its supervisory process, the OCC also takes steps to test and validate progress reported by the consultant and the bank.

Mr. Stipano also stressed that the use of an independent consultant does not relieve the bank or its Board of Directors of responsibility for “ensuring that all needed corrective actions are identified and implemented.

With respect to use of independent consultants by banks in the Independent Foreclosure Review, Mr. Stipano stated that the process did not work effectively and efficiently because of the “unprecedented” breadth, scale and scope of the file reviews and the large number of banks, independent consultants and legal counsel involved in the process.  In other words, Mr. Stipano suggested, the failure of the Independent Foreclosure Review process is an aberration and should not be used as a basis for rejecting the use of independent consultants by banks in connection with other OCC enforcement actions.

Mr. Stipano then noted that in the aftermath of the unsuccessful Independent Foreclosure review, the OCC is exploring ways to improve banks’ usage of independent consultants and the OCC’s supervision of banks’ usage of independent consultants “particularly for situations involving significant consumer harm or law enforcement implications.

Separately, at the Subcommittee Hearing, Senator Jack Reed (D-RI) stated that, in his view, the bank regulatory process would be improved if an independent consultant were selected and compensated by the OCC (or another regulatory agency) rather than by the applicable bank since, in Senator Reed’s opinion, an independent consultant has an economic incentive to please its bank client.

Furthermore, at the Subcommittee Hearing, Mr. Stipano said that the OCC would welcome a legislative change that would enhance the federal bank regulatory agencies’ authority to take enforcement actions directly against independent consultants.  Financial services industry and independent consultant reactions to this request have included statements that: (1) the bank regulatory agencies already have significant power over a bank’s relationship; and (2) such enhanced authority could threaten the ability of consultants to remain “independent.”

FRB Issues Final Retail Forex Rule

As required by a Dodd-Frank Act amendment to the Commodity Exchange Act to enable state member banks, bank holding companies, savings and loan holding companies, Edge Act and agreement corporations and uninsured, state-licensed branches and agencies of foreign banks (“Banks”) to continue to engage in certain off-exchange transactions in foreign currency with retail customers, the FRB issued a final rule (the “Final Rule”) authorizing Banks to continue to engage in such activities.  The Final Rule covers foreign exchange transactions that are futures or options on futures, over-the-counter options on foreign currency, so called “rolling spot” transactions and certain other types of transactions.  The Final Rule, among other things, sets requirements for risk disclosures to customers, recordkeeping, business conduct, and documentation for retail foreign exchange transactions.  The Final Rule is substantially the same as a proposed version of the Final Rule that was discussed in the August 2, 2011 Financial Services Alert.

The Final Rule becomes effective on May 13, 2013.

CFTC Extends Reporting Requirement Compliance Date for End-Users

The CFTC’s Division of Market Oversight (the “Division”) issued a no-action letter that extends the date by which a swap counterparty that is not a swap dealer or a major swap participant (a “Non-SD/MSP”) must be in compliance with certain of its swap data reporting obligations under the CFTC’s recordkeeping and reporting rules.  In the absence of the relief, Non-SD/MSPs would have been required to comply with the rules by April 10, 2013.  The relief applies differently depending on whether the Non-SD/MSP in question is a “financial entity” as defined in the Commodity Exchange Act. 

Financial entities.  The letter states that the Division will not recommend that the CFTC take enforcement action against a financial entity for failing to report swap transaction data with respect to equity swaps, foreign exchange swaps, and “other” commodity swaps under the CFTC’s real-time public reporting rules (Part 43 of the CFTC’s regulations) and the CFTC’s recordkeeping and swap data repository reporting requirements (Part 45 of the CFTC’s regulations) until May 29, 2013.  No relief was provided from these regulations to financial entities with respect to interest rate swaps and credit swaps.  As a condition of the relief, a financial entity relying on the relief must, by June 29, 2013, report to a swap data repository all swap transaction data for the period from April 10, 2013 to May 29, 2013 that it would have had to report under the Part 45 rules in the absence of the relief.  In addition, financial entities were given until September 30, 2013, to report historical swaps data for all asset classes under the CFTC’s Part 46 rules.

Non-financial entities.  Non-financial entities received more extensive relief.  The letter states that the Division will not recommend that the CFTC take enforcement action against a non-financial entity for failure to report swap transaction data pursuant to either Part 43 or Part 45 of the CFTC’s regulations until July 1, 2013 (for interest rate swaps and credit swaps) and August 19, 2013 (for equity swaps, foreign exchange swaps, and other commodity swaps).  With respect to interest rate and credit swaps, non-financial entities availing themselves of the relief must, by August 1, 2013, report to a swap data repository all swap transaction data for the period from April 10, 2013 to July 1, 2013, that it would have been required to report pursuant to Part 45 in the absence of the relief.  With respect to equity, foreign exchange, and other commodity swaps, the non-financial entity must report by September 19, 2013 all swap transaction data for the period from April 10, 2013 to August 19, 2013 that it would have been required to report pursuant to Part 45 in the absence of the relief.  Non-financial entities were given until October 31, 2013 to report historical swaps data for all asset classes under the CFTC’s Part 46 rules.

*  *  *

The letter explicitly states that other provisions of the CFTC rules, including the recordkeeping obligations of Non-SD/MSPs, are not affected by the relief.