On June 17, the OCC, Federal Reserve, and FDIC (collectively, the Agencies) adopted a final rule to streamline regulatory reporting requirements for small institutions (Final Rule). The Final Rule expands the number of financial institutions that are eligible to submit the most streamlined version of the FFIEC 051 Call Report (Streamlined Call Report). Under the Final Rule, certain insured depository institutions with less than $5 billion in total consolidated assets that meet other criteria may use the Streamlined Call Report. The Final Rule also reduces the number of data items required to be included in the Streamlined Call Report for the first and third quarters of each year. The Agencies also announced that they are finalizing similar reduced reporting for certain uninsured institutions that they supervise with less than $5 billion in total consolidated assets that otherwise meet the same criteria. The Final Rule will become effective 30 days after it is published in the Federal Register.
On June 14, the Federal Reserve proposed changes to both its Freedom of Information Act (FOIA) procedures and its rules governing the disclosure of confidential supervisory information (CSI). The FOIA-procedure updates aim to harmonize the regulation with current practices and recent changes in law. These changes include updating definitions for expedited processing and requester categories, as well as clarifying terms and aiding users in understanding the process of filing a FOIA request. The CSI rule changes are intended to relax some inefficient restrictions and would, in part, allow a supervised financial institution to share CSI with a wider group of persons (including its affiliates, auditors and outside legal counsel, in addition to other banking regulators). These changes do not alter the scope of information that falls within the CSI definition. Comments on these proposed updates are due by August 16.
On June 5, the SEC adopted a long-awaited suite of rules, interpretive guidance and forms that, in the words of the accompanying press release, is “designed to enhance the quality and transparency of retail investors’ relationships with investment advisers and broker-dealers, bringing the legal requirements and mandated disclosures in line with reasonable investor expectations, while preserving access (in terms of choice and cost) to a variety of investment services and products.” The package consists of four elements, three of which had been proposed previously:
- Regulation Best Interest (Regulation BI), requiring a broker-dealer to act in the best interest of a retail customer when making a recommendation of any securities transaction or investment strategy involving securities to a retail customer (Release No. 34-86031);
- Interpretive guidance regarding the standard of conduct for investment advisers (Release No. IA-5248);
- Rules for brokers and investment advisers creating a requirement to provide a new short-form relationship summary, in new Form CRS, for brokers, and in an amended Form ADV, for investment advisers (Release No. 34-86032 and IA-5247); and
- Interpretive guidance regarding the solely incidental prong of the broker-dealer exclusion from the definition of investment adviser (Release No. IA-5249). This guidance was not proposed previously but is, according to the release, consistent with prior SEC guidance and relevant case law.
On May 22, DFS announced a newly created Cybersecurity Division, which it claims is the first department within a banking or insurance agency that is tasked with protecting consumers and financial markets against cyber threats. Justin Herring, who previously served as chief of the U.S. Attorney’s Office of New Jersey’s Cyber Crimes Unit, will become the Executive Deputy Superintendent of the new division. According to the DFS press release, the Cybersecurity Division “will enforce the Department’s cybersecurity regulations, advise on cybersecurity examinations, issue guidance on DFS’s cybersecurity regulations (including the 2017 NYDFS Cybersecurity Requirements), and conduct cyber-related investigations in coordination with the Consumer Protection and Financial Enforcement Division.” Prior enforcement of DFS cybersecurity regulations, which was managed by the Department as a whole, was limited but notably included obtaining a consent order from Equifax following the 2017 data breach that exposed personal information of almost 150 million consumers. The Cybersecurity Division is also charged with helping the financial services industry protect itself “by disseminating trends and threat information about cyber-attacks.” While this move signals increased recognition of, and focus on, cybersecurity issues by the Department, it is unclear whether it will also be followed by increased enforcement measures.
Enforcement & Litigation
On June 13, the Department of Justice (DOJ) announced that it filed a complaint and settlement agreement in the U.S. District Court for the Southern District of Indiana resolving allegations against a Midwestern bank based in Indiana. The DOJ alleged that the bank engaged in lending discrimination through “redlining,” or intentionally avoiding providing services in predominantly African-American neighborhoods in Indianapolis, in violation of the Fair Housing Act (FHA), 42 U.S.C. §§ 3601-3619, and the Equal Credit Opportunity Act (ECOA), 15 U.S.C. §§ 1691-1691f. The DOJ also alleged that the bank’s residential mortgage lending policy denied residents in African-American neighborhoods equal access to credit.