The California Department of Business Oversight (DBO) has launched an inquiry into the increasingly popular marketplace lending industry. The stated purpose of the inquiry is “to assess the effectiveness and proper scope of [the DBO’s] licensing and regulatory structure as it relates to [marketplace] lenders.”

The DBO sent its online survey to 14 marketplace lenders and requested a variety of information, including the volume of business, types of loans, APR, delinquency rates, and investor funding or sale data. The survey requests data from January 1, 2010 through June 30, 2015. Responses to the survey are due by March 9, 2016. Although the DBO has not identified the 14 marketplace lenders that received the survey, reports confirm that the inquiry includes both consumer lenders and commercial and small business lenders.

The DBO’s inquiry follows the Department of the Treasury’s request for information earlier this year seeking public comments on marketplace lending. Given the growing popularity of marketplace lending platforms among consumers and small businesses, further regulatory interest and possible future regulatory action are likely.

Not every significant action taken by the federal banking agencies is accompanied by great fanfare. In this spirit, the FDIC has quietly issued a Financial Institutions Letter (FIL-59-2015) announcing revisions to its Compliance Examination Manual (Manual). The changes in question reflect FDIC and interagency supervisory guidance issued primarily over the past year.

Among the changes incorporated into the updated Manual are the following:

  • New guidance about the Matters Requiring Board Attention (MRBA) section of the Report of Examination (ROE)
  • Guidance on evaluating the impact of consumer harm on examination and supervisory activities, and a new "Assessment of Risk of Consumer Harm" (ARCH) that provides pre-examination planning and scoping guidance to FDIC examination staff
  • New and detailed guidance on retail sales of nondeposit investment and insurance products
  • Revised interagency examination procedures for the Truth in Lending Act/Real Estate Settlement Procedures Act Integrated Disclosure (TRID) rule
  • Revised guidance on unfair and deceptive practices under the Federal Trade Commission Act
  • Updated templates providing examples of a consumer compliance ROE and a Community Reinvestment Act (CRA) Performance Evaluation for a hypothetical, FDIC-supervised bank

Although the Manual is published as guidance for the FDIC’s compliance examiner staff, it provides important information and insights to FDIC-supervised banks (state nonmember banks) on the FDIC’s current examination activities, priorities, and expectations regarding financial consumer protection compliance issues. Therefore, the revisions to the Manual should be required reading for these banks.

Regulatory capital requirements are dynamic, not static, in nature. This fact of regulatory life was further demonstrated by the announcement today by the Basel Committee on Banking Supervision of its Second Consultative Document (Document) that proposes further changes to the Standardized Approach for credit risk under the Basel III regulatory capital accord.

The Document’s proposed changes draw distinctions between jurisdictions that permit the use of credit ratings for regulatory purposes and those that do not. Under the Dodd-Frank Act, the United States is in the latter (no external ratings reliance) category. Among the Document’s many proposed changes to the Standardized Approach that are relevant to US banking organizations are the following:

  • Requiring banking organizations to classify credit exposures into three different buckets (Grades A, B, and C), subject to downward due diligence-based adjustments
  • Assigning a 75% risk weighting to “investment grade” corporate exposures
  • Assigning an 85% risk weighting to “small and medium” corporate exposures
  • Using loan-to-value (LTV) ratios as the “main driver” for exposures secured by real estate, and creating a three-category, risk-based classification system for such exposures
  • Limiting the eligibility of financial collateral and guarantees (through supervisory “haircuts” and other means) as credit risk mitigants to “investment grade” mitigants
  • Introducing increased due diligence requirements for assessing counterparty credit risk

If the US Congress can deal with conflict minerals in banking legislation as it did in the Dodd-Frank Act, surely there can be nothing odd about inserting banking legislation in a highway funding bill.

This is precisely what Congress has done today in passing the Fixing America’s Surface Transportation Act (H.R. 22) (FAST Act), the government’s long-term (and egregiously overdue) federal highway funding bill. The FAST Act, which has been sent to President Obama for signature, contains a number of provisions that provide varying levels of regulatory relief, primarily to smaller financial institutions. This relief, however, does not come free of charge, inasmuch as Congress has decided to ask the banking industry to help fund the FAST Act’s transportation-related appropriations.

On December 1, New York Governor Andrew Cuomo announced the proposal of a new Department of Financial Services (DFS) regulation that will require bank and nonbank financial institutions that are licensed to do business in New York to adopt and maintain a comprehensive transaction monitoring and filtering program (TMFP). The program would monitor transactions for possible anti-money laundering (AML) and Office of Foreign Assets Control (OFAC) violations and suspicious activity. Notably, the proposed TMFP regulation, if adopted, also will require senior financial institution compliance personnel to certify annually in writing that their institutions have sufficient systems in place to detect, weed out, and prevent illicit transactions and would subject certifying officials to civil and criminal penalties for “incorrect or false certifications.” The regulation would apply to New York–licensed banks, trust companies, and branches and agencies of foreign banking organizations, as well as New York–licensed check cashers and money transmitters.

The proposed regulation is designed to address what the New York DFS perceives as “serious shortcomings” in the TMFPs of financial institutions during the last few years and a lack of robust senior-level governance, oversight, and accountability at financial institutions. To this end, the proposed regulation specifies in detail the required elements of a satisfactory risk-based TMFP and prescribes a specific written certification that a financial institution’s chief compliance officer (or equivalent) must execute and submit on an annual basis.

The Consumer Financial Protection Bureau (CFPB) has issued its latest monthly report summarizing complaints made by the public to the CFPB regarding bank account and service issues. The CFPB asserts that “many consumers are experiencing problems opening up and managing accounts, while other consumers found their accounts closed without explanation.”

According to the report, the three primary areas for complaints are as follows:

  1. Account opening: Consumers complain that they are unable to open accounts and are unable to determine why they are unable to do so.
  2. Access to funds: Consumers complain that their access to deposited funds is restricted.
  3. Disputing transactions: Consumers complain that it is difficult to dispute transactions and receive refunds or credits when a dispute is sustained.

The CFPB names the financial institutions that received the most complaints and provides many other metrics based on information in its Consumer Complaint Database.

The Federal Financial Institutions Examination Council (FFIEC) has issued a joint statement warning financial institutions of the increasing frequency and severity of cyber attacks involving extortion, including ransomware, denial of service, and theft of sensitive customer information that is used to extort victims. In turn, financial institutions are advised to develop and implement effective programs to identify, protect, detect, respond to, and recover from these types of cyber attacks. Actions to be taken include conducting ongoing risk assessments, assuring the security of systems and services, protecting against unauthorized access, and a number of other specific measures. In addition, financial institutions that are victims of cyber extortion are advised to notify law enforcement agencies and their primary regulatory agencies, especially if sensitive customer information is accessed, and consider filing Suspicious Activity Reports.

While the joint statement specifically states that it does not purport to create any new regulatory expectations, in fact it recommends a series of specific measures that should be taken in cyber-extortion situations, and reminds financial institutions of their prudential and compliance obligations under current regulatory guidance. More generally, the joint statement underscores the financial agencies’ continuing – and perhaps increasing – concerns over cybersecurity and data breaches.

Financial institutions therefore should treat the joint statement as a regulatory directive on appropriate preventative and response strategies for cyber breaches involving extortion, as well as a reminder to make cybersecurity and data protection a top governance and operational priority that their regulators will regularly test during the examination and supervision process. The FFIEC statement contains links and references to existing guidance and resources from the FFIEC, FBI, and other agencies that, as a threshold matter, financial institutions should review and ensure have been incorporated into their compliance and risk management processes, as appropriate.

In a recent letter to the 18 members of the Financial and Banking Information Infrastructure Committee (FBIIC), Acting Superintendent of the New York Department of Financial Services (NYDFS) Anthony Albanese requested collaboration and regulatory convergence among the members on cybersecurity standards for financial institutions. FBIIC member organizations include the eight federal financial institution regulatory agencies, the US Department of the Treasury, two Federal Reserve Banks, the National Association of Insurance Commissioners, the Conference of State Bank Supervisors, and the Securities Investor Protection Corporation.

Acting Superintendent Albanese stressed the need for coordinated efforts with relevant state and federal agencies to develop a comprehensive cybersecurity framework, addressing the most critical issues while preserving flexibility to address NYDFS-specific concerns. In NYDFS’s view, potential regulations would require a financial institution to maintain a cybersecurity program covering 12 key areas:

  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and application development and quality assurance
  9. Physical security and environmental controls
  10. Customer data privacy
  11. Vendor and third-party service provider management
  12. Incident response, including by setting clearly defined roles and decision-making authority

Anthony Albanese, the Acting Superintendent of the New York State Department of Financial Services (NYDFS), recently announced his resignation after slightly more than four months in the position. Albanese was appointed as Acting Superintendent in June after Superintendent Benjamin Lawsky’s resignation. Albanese is expected to remain in his current position until the end of the year.

Albanese’s resignation comes amid rumors of ongoing tension between Albanese and New York Governor Andrew Cuomo. Sources have reported that Governor Cuomo, in response to a request from the financial services industry, has asked that his office be allowed to review and comment on requests that NYDFS has sent to supervised institutions. Albanese has publicly denied that his resignation was prompted by any conflict, instead stating that his appointment was always intended to be temporary and that he was offered a new opportunity in the private sector.

In the last few years, the NYDFS has been an aggressive supervisory agency, initiating and participating in a number of high-profile enforcement actions, establishing the United States’ first “BitLicense” for virtual currency businesses, and pursuing enforcement actions and consent agreements with various third-party consultants to financial institutions. Both consumer groups (with the support of Senator Elizabeth Warren) and financial services industry groups have reportedly weighed in with Governor Cuomo’s office over the last several months with indications of their preferred replacements. With less than two months until Albanese leaves office, these lobbying efforts are certain to increase.

The replacement for Albanese, yet to be announced, will signal the future direction of the NYDFS and whether it will continue its aggressive approach to financial services regulation and enforcement or choose to take a more moderate approach.

On October 15, 2015, the Consumer Financial Protection Bureau (CFPB) released the anticipated final rule amending Regulation C, 12 C.F.R. part 1003, which implements the Home Mortgage Disclosure Act (HMDA).

HMDA and Regulation C have long required covered lenders to collect and report certain data about mortgage applications, which the federal government uses to assess a covered institution’s fair lending risk. The new rule, which is intended to implement amendments made to HMDA by the Dodd-Frank Act, makes several important changes to Regulation C. These changes include:

  • dramatically broadening the data that covered institutions must collect (around 25 new data points are added and around a dozen existing data points are modified);
  • effectively expanding the scope of covered non-depository institutions and slightly narrowing the scope of covered depository institutions through implementation of loan-volume thresholds for triggering application of Regulation C; and
  • modifying the scope of covered products.