Our Take: financial services regulatory update – October 20, 2023 (2024)

Change remains a constant in financial services regulation. Read "our take" on the latest developments and what they mean.

Current topics – October 20, 2023

  1. CFPB proposes open banking rule
  2. Digital assets action from states, FinCEN and BCBS
  3. SEC issues FY24 supervisory plan
  4. OFAC eases Venezuela sanctions
  5. On our radar

1. CFPB proposes open banking rule

On October 19th, the CFPB proposed a rule that would implement section 1033 of the Dodd-Frank Act, which requires that the CFPB put forth rules granting consumers access to their financial data. The proposal would require that financial institutions offering services such as deposit accounts, credit cards, and digital wallets provide customers and authorized third parties with access to their financial information. Notable specifications and protections in the proposal include:

  • Limits on third party data usage. Third parties would be required to limit their collection, use and retention of data to what is reasonably necessary to provide the requested service. The proposal specifies that using customer data for the purposes of advertising, cross-selling other products or services, and selling information to other firms is not reasonably necessary to provide services.
  • Consumer data rights. Consumers would have the right to revoke access to their data at any time. Upon a customer’s revocation, firms would be required to immediately discontinue their access and delete the customer’s data. Firms’ access to data would also be limited to one year without consumer reauthorization.
  • Data access fees. Firms would not be permitted to charge fees for data access by consumers or third parties.
  • Limited ability to deny requests. Firms would be able to deny requests for data access based on risk management concerns, including compliance with the Federal Deposit Insurance Act and Gramm-Leach-Bliley Act. The proposal highlights the failure of a third party to maintain adequate data security as an example of a reasonable risk management-related denial.
  • Secure data transfer. Firms would be required to use a “machine-readable file” in a standardized format to transfer customer information. It specifically prohibits firms from providing information to other firms in a format that would require the receiver to enter the customer’s credentials - a process known as “screen scraping” - that the proposal describes as presenting data security and privacy risks. Firms would also be required to implement an information security program.
  • Standardization of data transfer. The proposal calls for the development of a “qualified industry standard” by a “fair, open and inclusive standard-setting body” to be recognized by the CFPB. It notes that the agency had considered specifying a standard but decided that doing so may stifle innovation. In the absence of a technical standard, firms would be permitted to transfer data through a “widely used” existing method that otherwise complies with the rule.

Alongside the proposal, CFPB Director Rohit Chopra explained in a speech that the proposed rule is intended to allow consumers to more easily switch their accounts to competitors that offer more attractive rates or provide better services. He also stated that the CFPB will release guidance around the development of an industry standard for data transfer and intends to cover additional product types and industry participants in a future open banking rule.

The proposal sets forth staggered compliance deadlines under which (a) banks with $500b in total assets and nondepository institutions with over $10b in revenue the preceding year would be required to comply six months after the final rule; (b) banks with $50b to $500b in total assets and nondepository institutions that generated under $10b in revenue in the preceding year would be required to comply one year after the final rule; (c) banks with between $850m and $50b would be required to comply two and a half years following the final rule; and (d) banks with under $850m would be required to comply four years after the final rule. The proposal is open for comment until December 29, 2023.

Our Take

This highly-anticipated proposal is sure to attract controversy due to its potentially significant impact on both financial institutions and third parties. Outside of likely pushback on the competitive implications of easier consumer data transfer, there are a number of aspects of the proposal that will raise further questions and comments from the industry. For example, banks will expect more clarity on standards for denying data requests, liability for data breaches, and the definitions of both a “data provider” and “third party.” Even without these details spelled out, it is apparent that the proposal would require significant effort for both data providers and third parties to enhance their compliance and monitoring programs to ensure that data is used and maintained appropriately. It would also impact banks’ assumptions about deposit stickiness which would affect their liquidity risk management and overall consumer banking strategies. While this rule is just at the proposal stage, all of these factors could lead to a drawn out rulemaking process with legal challenges consistent with what has occurred with the CFPB’s small business lending data collection rule.

2. Digital assets action from states, FinCEN and BCBS

The following significant events took place this week regarding digital assets:

  • On October 13th, California Governor Gavin Newsom signed a digital assets bill that requires any firm engaging in digital asset activities in the state or with California residents to obtain a license and comply with certain expectations. Firms wishing to obtain a license will be required to follow extensive disclosure requirements, including those around fees and charges as well as maintain records of client activity for at least five years. The bill also grants authority to California’s Department of Financial Protection and Innovation (DFPI) to conduct examinations and enforce against violation of the bill. Firms holding a New York BitLicense will be able to obtain a conditional license to operate in the state before they obtain a California license. The law will take effect in July 2025.
  • On October 17th, the Basel Committee on Banking Supervision (BCBS) released a request for comment on proposed disclosure templates of banks' digital asset exposures. The template would seek qualitative information on banks’ activities related to digital assets and quantitative information on exposures to digital assets. They would also be required to provide details of the accounting classifications of their exposures to digital assets. The proposal is open for comment until January 31st, 2024.
  • On October 19th, FinCEN proposed a rule that would label digital asset mixers as a “class of transactions of primary money laundering concern.” Mixers are tools used to obfuscate the identity of parties to digital asset transactions through a variety of methods including pooling multiple transactions into a single transaction. By labeling mixers as a primary money laundering concern, FinCEN can require that financial institutions take special measures related to recordkeeping and reporting of suspected transactions involving mixers.
  • Also on October 19th, New York Attorney General Letitia James filed a lawsuit against three affiliated digital asset firms for defrauding investors by advertising that their investment program was low-risk despite their internal analyses showing that their investments were risky, undersecured and highly concentrated.

Our Take

With chances of digital asset-related legislation passing in Congress dwindling, the regulatory agencies and states are continuing to use their existing authority to advance consumer protections and root out illegal activity. California’s lack of licensing requirements has made it the start-up location of choice, acting as a de facto sandbox and launch pad for new digital asset firms. Once the law takes effect in 2025, would-be entrants will face a more difficult path that will favor larger firms, particularly those with a New York BitLicense. The California law is less prescriptive than New York’s with respect to AML and cybersecurity requirements but does codify a requirement for a listing process for new digital assets, which New York has implemented through guidance. Depending on the final DFPI regulation, smaller start-ups that have not met New York’s standard would likely have more work to do before they can comply. However, the law permits DFPI to grant conditional licenses, which could ease the compliance transition for smaller firms.

Separately, the Basel Committee’s request for comment shows that the nexus between crypto and the banking system remains a concern for global banking regulators. Information gathering via disclosures is a crucial first step for regulators to understand banks’ exposure to digital assets and eventually to prescribe risk management requirements. Regulators have thus far relied on banks to prudently manage their own risks but this consultation could be a first step to formalize expectations in a globally consistent manner.

FinCEN’s proposal would add an additional layer of responsibilities for firms that offer products or services related to digital assets and would add to the chilling effect of the increasing regulatory expectations, from the federal banking agencies requiring pre-approval of any digital asset-related service to NYDFS’s strengthening of listing standards. Firms that continue to conduct digital asset-related transactions or enter the market will need to make sure their due diligence and reporting programs can handle the additional responsibilities, and they should also implement technology such as blockchain forensics and geolocation tools to better detect mixers. It is also noteworthy that this proposal is the first time FinCEN is designating a class of transactions rather than a specific entity, and we expect it will continue this expanded use of its designation ability going forward.

This week’s action from the NY AG continues New York’s crypto crackdown, following several other high-profile enforcement actions and NYDFS’s recent actions tightening standards for listing digital assets and removing most tokens from its greenlist. While the allegations involve common-sense best practices around disclosing risks to investors and concentration risk, NY’s continued enforcement streak shows yet again that both the AG and NYDFS have digital assets as a primary enforcement target and we can expect more actions to come.

3. SEC issues FY24 supervisory plan

On October 16th, the SEC released its 2024 examination priorities. Top priority areas include:

  • Conduct standards. The 2024 priorities confirm that SEC examiners will continue to focus on both broker-dealers and investment advisers’ obligations under Reg BI and other fiduciary standards with a focus on completeness of disclosures, consideration of alternative recommendations, management of conflicts, and alignment with investors’ goals and account characteristics. For investment advisers, examiners will assess whether disclosures are sufficient for a client to provide informed consent. In addition, the priorities note that examinations may focus on recommendations regarding products that are 1) complex, such as derivatives and ETFs, 2) high cost and illiquid, such as variable annuities, 3) proprietary, 4) designed to address rising interest rates, 5) microcap securities and 6) targeted to retirement investors.
  • Private funds. The Division of Examinations remains focused on private fund advisers’ compliance programs, calculation and allocation of fees and expenses, custody, alignment with the amended marketing rule, conflicts of interest, and the use of alternative data. Examiners will also review risk management practices as well as portfolio strategies, recommendations and allocations with a focus on conflicts and disclosures. Examiners will focus on private funds “experiencing poor performance, significant withdrawals and valuation issues” as well as more leverage, illiquid assets and exposure to high interest rates.
  • Registered investment companies. In addition to consistent focus areas such as registered investment companies’ compliance programs, governance practices, disclosures and SEC reporting, the 2024 examinations will evaluate their advisers’ compensation for services, board processes for approving fund fees, particularly for funds with weaker performance relative to peers. Examiners will also review registered investment company valuation practices, particularly for those addressing fair valuation practices, and the effectiveness of derivatives and liquidity risk management programs. They will also have a specific focus on funds that utilize “turnkey” infrastructure solutions, mutual funds that converted to ETFs, non-transparent ETFs, loan-focused funds, and medium/small funds that have experienced excessive staff attrition.
  • Cybersecurity, operational resilience and third-party risk. Another repeat topic in the 2024 priorities is a continued focus on broker-dealers and advisers’ practices to manage heightened risk of cyber threats and service disruptions including through third-party vendors. Examiners will evaluate whether firms’ policies, procedures and security practices are effective in protecting consumer information, including through identity theft prevention. In addition, exams will continue to assess compliance with Regulation Systems Compliance and Integrity (Reg SCI), including policies and procedures around the software development lifecycle, third-party dependencies, network segmentation, and reliance on external applications. Examinations of investment advisers will also include their policies and procedures for selecting and using third-party service providers.
  • Technology and digital assets. 2024 examinations will continue to focus on the use of emerging technologies, including those used for compliance, marketing, account servicing and automated investment advice. Examiners also will scrutinize firms that offer sales, recommendations or advice around digital assets and whether these practices align with standards of conduct, disclosures, and risk management practices. The 2024 priorities provide more detail on this scrutiny, noting that examiners will review compliance practices with respect to digital asset wallets, custody, valuation, risk disclosures, and operational resiliency practices as well as technological risks associated with the use of distributed ledger technology.
  • T+1 settlement. A new topic in the 2024 priorities is assessing broker-dealers’ preparedness for the May 28, 2024 compliance date for the shortening of the settlement cycle from two days after the trade date (T+2) to one day after the trade date (T+1).

Our Take

Coming just eight months after the publication of its 2023 priorities, there are few additions in the latest list. Perhaps most notable is what the 2024 priorities exclude. Specifically, there is no mention of environmental, social, and governance (ESG) focused investing after being included in the Division of Examination’s priorities for the last three years. The priorities also omit digital engagement practices and electronic communications recordkeeping, which were both covered in the 2023 priorities. This does not mean that examiners will ignore these areas entirely but does signal a shift in focus to other areas that may have caused more concern over the course of this year. In particular, the priorities most heavily focus on the SEC’s bread-and-butter concerns around conflicts of interest, fees and disclosures. Although the SEC’s expectations in these areas are not new, the extensive attention in this latest priorities list indicates that examiners remain concerned with the soundness of firms’ compliance practices. Both broker-dealers and investment advisers should carefully review their policies, procedures and actual practices around identifying, disclosing and mitigating conflicts of interest. Firms should also prepare for closer scrutiny into the adequacy of their disclosures and whether they are demonstrating reasonable care and diligence to make sure recommendations are in line with customers’ investment portfolios and risk appetites, particularly if they have added new offerings such as digital assets.

4. OFAC eases Venezuela sanctions

On October 18th, the Treasury Department’s Office of Foreign Assets Control (OFAC) announced that it has eased certain sanctions against Venezuela in response to an agreement between the Venezuelan government and opposition parties to implement demographic reforms including elections to come in 2024. Specifically, OFAC (a) issued a six-month license authorizing oil and gas sector transactions; (b) issued a general license authorizing dealings with Venezuela’s state-owned gold mining company; and (c) amended two licenses to remove the secondary trading ban on certain Venezuelan debt and equity.

Our Take

In the wake of OFAC dialing back sanctions imposed on Venezuela, financial institutions are once again tasked with rapidly interpreting changes in sanctions regulations. It is important to note the sanctions changes are for a limited amount of time and are conditional. Said differently, they are dependent upon Venezuela staying its path on the agreed upon electoral roadmap. Financial institutions should examine their risk appetite and consider the impacts of conducting business with Venezuela given the nature of the sanctions changes and how quickly they could be revoked. In addition, the sanctions changes are limited to certain activities, so it is important to not only interpret the general licenses but also the FAQs.

5. On our radar

These notable developments hit our radar this week:

  • Proposed rules on large bank capital requirements comment period deadline extended. On October 20th, the agencies extended the comment period deadline to January 16, 2024 (originally November 30, 2023) for the voluminous proposal issued on July 27th, to implement the final components of the Basel III agreement, also known as Basel III endgame, as well as to adjust the calculation of the capital surcharge for global systemically important banks (G-SIBs) and the Systemic Risk Report (FR Y-15). While the original 120-day comment period was longer than usual, it was still considered to be a tight timeframe for banks to digest the proposal and determine how it affects them.
  • Fed issues Financial Stability Report. On October 20th, the Fed issued its semi-annual Financial Stability Report highlighting valuation pressures, borrowing by businesses and households, leverage in the financial sector and funding risks.
  • Barr speaks on stress testing. On October 19th, Fed Vice Chairman for Supervision Michael Barr spoke on the ways that the stress testing process could be enhanced for better supervision and overall firm risk management going forward. He highlighted how the use of exploratory stress scenarios and shocks - that would not be used to set a firm’s stress capital buffer requirements - could provide room to explore a wider range of vulnerabilities to better inform risk based supervision.
  • Senate votes to overturn CFPB small business data collection rule. On October 18th, the Senate voted to overturn the CFPB’s rule to implement Section 1071 of the Dodd Frank Act. The rule was issued on March 30, 2023 and requires covered financial institutions to collect and report data on applications for credit for small businesses, including data on whether the businesses are owned by women or minorities. While the House still has to vote to overturn the rule and President Biden has threatened to veto the resolution, there are other outstanding lawsuits challenging the rule as well as the pending Supreme Court decision on the constitutionality of the CFPB’s funding structure.
  • SEC proposes rule to address volume-based transaction pricing. On October 18th, the SEC proposed a new rule that would prohibit national securities exchanges from offering volume-based transaction pricing in connection with the execution of agency or riskless principal (“agency-related”) orders in certain stocks. The proposal would also require the exchanges to have written policies and procedures and disclose certain information on a monthly basis, including the total number of members that qualified for each volume tier during that month. The comment period will remain open until 60 days after the date of publication in the Federal Register.
  • CFTC releases enforcement advisory on penalties, monitors and admissions. On October 17th, the CFTC’s Division of Enforcement issued an advisory designed to give enforcement staff guidance on future enforcement resolution recommendations. In particular, the advisory provides guidance for CFTC staff on determining whether proposed civil money penalties are sufficient; when the imposition of a corporate compliance monitor or consultant is appropriate; what the duties and responsibilities of monitors and consultants should be; and whether admissions should be recommended in a particular enforcement action.

Author: Tish Haag
