On August 10, the CFPB finalized certain amendments to Regulation P that will allow financial institutions that meet certain criteria to be exempt from the requirement of sending annual privacy notices to their customers, which is otherwise generally required by the Gramm-Leach-Bliley Act (GLBA). Under the GLBA, when financial institutions share customers’ nonpublic personal information with unaffiliated third parties, customers must also be provided with the right to “opt out” of such sharing. In December 2015, the GLBA was amended to allow a financial institution to qualify for an exemption from having to send annual privacy notices if (1) such institution limits its data sharing so that the customer does not have an opt-out right and (2) the privacy notice has not changed from the one previously provided to the customer. The CFPB’s new rule amends Regulation P to implement these changes to the GLBA and establishes deadlines by which an institution must resume annual privacy notices if it ceases to qualify for the exemption.
On May 16, as discussed in the May 23 edition of the Roundup, FinCEN issued a 90-day limited exceptive relief effective through August 9, 2018, to covered financial institutions from the obligations of the Beneficial Ownership Rule for Legal Entity Customers (Beneficial Ownership Rule) for certificate of deposit or loan accounts that were established before the Beneficial Ownership Rule’s applicability date of May 11, 2018. FinCEN issued this 90-day limited exception in order to determine whether, and to what extent, a further exception would be appropriate for such products and services. On August 8, FinCEN further extended this limited exception for an additional 30 days effective through September 8, 2018, for the rollover or renewal of certificate of deposit or loan accounts that were established before May 11, 2018, to further consider the issue.
On August 8, the NYDFS issued a press release reminding all regulated entities covered by the NYDFS cybersecurity regulation that the third transitional period for the cybersecurity regulation ends on September 4, 2018. Beginning on that date, banks, insurance companies, and other financial services institutions regulated by the NYDFS will be required to have:
- commenced mandatory annual reporting to the board by the Chief Information Security Officer concerning critical aspects of the cybersecurity program
- established an audit trail designed to reconstruct material financial transactions sufficient to support normal operations in the event of a breach
- implemented policies and procedures to ensure the use of secure development practices for IT personnel that develop applications for the covered entity
- implemented encryption to protect nonpublic information held or transmitted by the company
- developed policies and procedures to ensure secure disposal of information that is no longer necessary for the business operations
- implemented a monitoring system that includes risk-based monitoring of all persons who access or use any of the company’s information systems or who access or use the company’s nonpublic information
The NYDFS also reminded regulated entities that, under the cybersecurity regulation, they must evaluate the risk that any third-party service providers pose to the security of their systems and data and ensure that such systems and data are protected by March 1, 2019.
CFPB Releases File Format Verification Tool for HMDA Filings
On August 9, the CFPB released its file format verification tool for Home Mortgage Disclosure Act (HMDA) data collected in 2018 that will be submitted in 2019. The file format verification tool allows filers to test whether a file meets certain formatting requirements specified in the HMDA Filing Instructions Guide, specifically that the file is pipe-delimited; has the proper number of data fields; and has data fields formatted as integers, where necessary.
The Mortgage Bankers Association brings together inside and outside counsel, compliance officers, company executives, government relations professionals, policy directors, and quality assurance professionals to discuss current topics impacting the mortgage industry’s regulatory environment for this three-day conference. Goodwin is a sponsor and Tony Alexis, partner in Goodwin’s Financial Industry practice and head of the Consumer Financial Services Enforcement practice, will be speaking on the “Applied Compliance: Trends in RESPA Section 8 Compliance” track. Sabrina Rose-Smith, partner in Goodwin’s Financial Industry and Consumer Financial Services Litigation practices, will be speaking on the “Emerging Compliance Risk: Navigating State UDAP Laws” track. For more information, visit the event website.
Goodwin partner Michael Isenman will be a panelist at the Fiduciary Investment Advisors (FIA) 2018 Annual Conference. Mike will be a speaker on the panel “401(k)/403(b) Mock Deposition: How to Protect Against & Prepare for Defined Contribution Litigation.” For more information, visit the event website.