Nutter Bank Report, April 2018
- Treasury Report Recommends Changes to Community Reinvestment Act Rules
- Budget Measure Protecting Medicinal Pot Renewed; New Support for Decriminalization
- FFIEC Issues Guidance on the Role of Cyber Insurance in Risk Management Programs
- FinCEN Publishes FAQs on Expanded BSA Customer Due Diligence Requirements
- Other Developments: Data Privacy and Commercial Appraisals
1. Treasury Report Recommends Changes to Community Reinvestment Act Rules
The U.S. Department of the Treasury has released a report recommending changes to the federal banking agencies’ rules that implement the Community Reinvestment Act (“CRA”), as well as changes to CRA assessment and examination processes. The report issued on April 3 to the FDIC, Federal Reserve, and OCC includes recommendations that the agencies update their rules defining geographic assessment areas, increase clarity for CRA eligibility determinations, increase timeliness and flexibility of CRA exams, and revise the ways in which consumer compliance violations impact CRA ratings determinations. The report recommends that the determination of geographic assessment areas should include not only areas where a bank has physical locations, but also low- and moderate-income communities in areas from which the bank draws deposits and does substantial business. The report also recommends that the agencies expand the types of loans, investments, and services eligible for CRA credit and establish clearer standards for eligibility for CRA credit, with greater consistency and predictability across each agency. The report criticizes the agencies for extended time periods between CRA exams and recommends that the agencies standardize their CRA examination schedules (currently, each agency sets its own exam cycles for Large and Intermediate Small Banks, and exam cycles for Small Banks are mandated by the Gramm-Leach-Bliley Act). Click here for a copy of the Treasury Department’s report.
Nutter Notes: The Treasury Department’s report also criticizes the agencies for downgrading some banks’ CRA ratings due to violations of consumer protection laws related to credit products that were not part of their CRA performance evaluations. The report recommends that the agencies adopt uniform CRA exam guidance, similar to that of existing OCC guidance, clarifying that consumer protection violations will be considered in a CRA exam only when there is a “logical nexus” between CRA lending activities and an alleged discriminatory or illegal credit practice, while also considering any remediation efforts undertaken by the bank. According to the report, the so-called logical nexus principle would consider whether a consumer protection violation would have a material impact on the bank’s ability to serve its entire community. The report illustrates the logical nexus principle by explaining that, for example, an unfair, deceptive, or abusive act or practice related to a credit product that was not considered as part of a bank’s CRA performance would not have a logical nexus to the bank’s CRA rating and should not affect the rating. But violations of consumer protection laws that involve evidence of redlining would be more likely to impact a bank’s CRA rating, because that would be inconsistent with serving the needs of the entire community, according to the report.
2. Budget Measure Protecting Medicinal Pot Renewed; New Support for Decriminalization
The Rohrabacher-Blumenauer Amendment, which protects certain state-licensed medical marijuana activity from interference by enforcement actions by the U.S. Department of Justice (“DOJ”), was renewed when President Trump signed an omnibus spending bill into law on March 23. The effectiveness of that federal budget provision extends until September 30, 2018. Meanwhile, Senate Minority Leader Chuck Schumer announced on April 20 that he plans to introduce legislation that would decriminalize marijuana at the federal level. A draft of the proposed bill has not yet been released, but Senator Schumer issued a press release explaining that the bill would allow each state to determine how it will treat marijuana possession while also allowing federal law enforcement to prevent marijuana trafficking from states that have legalized marijuana to those that have not. According to the announcement, the bill would maintain federal authority to regulate marijuana advertising in the same way that alcohol and tobacco advertising is regulated and prohibit state-licensed marijuana businesses from targeting children in their advertisements. Senator Schumer’s proposal would remove marijuana from the list of scheduled substances under the federal Controlled Substances Act, which would effectively decriminalize state-licensed marijuana businesses at the federal level. Click here for a copy of Senator Schumer’s press release.
Nutter Notes: Senator Schumer’s proposal follows the announcement on April 11 that former Speaker of the House John Boehner and former Massachusetts Governor Bill Weld are joining the board of advisors of a business that is involved in cannabis cultivation, processing, and dispensing across several states. Boehner, who once said he was “unalterably opposed” to decriminalizing marijuana, announced that his “thinking on cannabis has evolved,” in part because marijuana may have a role to play in fighting the opioid epidemic. On April 13, Senator Cory Gardner announced that President Trump had promised to support federal legislation protecting state-licensed marijuana businesses in return for Senator Gardner ending his opposition to the President’s DOJ nominees. Senator Gardner had opposed all DOJ nominees in response to Attorney General Jeff Sessions’s rescission of the DOJ’s guidance to federal prosecutors on marijuana enforcement priorities (known as the Cole Memo). It also has been reported that Senator Gardner and Senator Elizabeth Warren are working together on a bipartisan proposal to decriminalize marijuana at the federal level. If the proposals described by Senator Schumer or Senators Gardner and Warren were enacted, each state would still have the authority to outlaw marijuana for recreational and/or medical use. While such a federal law would significantly reduce the risks that banks face in providing financial services to state-licensed marijuana businesses, banks would still need to have robust risk management policies and practices in place to conduct initial due diligence and ongoing monitoring of such businesses for compliance with applicable state laws.
3. FFIEC Issues Guidance on the Role of Cyber Insurance in Risk Management Programs
The FFIEC has issued guidance on the factors that depository institutions should consider when assessing the possible role of cyber insurance in risk management programs. The guidance issued on April 10 clarifies that, while cyber insurance may be an effective tool for reducing financial risks associated with cybersecurity incidents, banks are not required to maintain cyber insurance. The guidance points out that, without a special endorsement, traditional insurance coverage for general liability or basic business interruption may not fully cover or may completely exclude cybersecurity related losses. According to the guidance, even traditional insurance policies that do include some coverage for cybersecurity incidents sometimes do not cover incidents caused by or originating with outside vendors. The guidance warns, however, that purchasing cyber insurance coverage does not replace sound internal information security policies and procedures. The guidance recommends that banks consider cyber insurance as a component of a broader risk management strategy that includes identifying, measuring, mitigating, and monitoring cyber risk exposure. Click here for a copy of the FFIEC’s cyber insurance guidance.
Nutter Notes: The FFIEC’s cyber insurance guidance recommends that a bank’s approach to considering the costs and benefits of cyber insurance should include multiple stakeholders across the institution, including legal, enterprise risk management, operational risk management, finance, information technology, and information security management. The guidance advises banks to assess the sufficiency of existing information security controls to address the potential impact of cyber risk exposures and consider any attestation requirements for a cyber insurance policy. According to the guidance, proper due diligence of cyber insurance coverage should include a review of the scope of any existing coverage to identify gaps, understand cyber insurance policy terms, coverage, exclusions, and costs for cyber events, and assess the financial strength and claims paying history of insurance providers. The guidance recommends that banks consider how cyber insurance coverage is triggered, whether certain types of incidents (such as terrorism or cyber extortion) are excluded from coverage, coverage limits, and coverage against direct expenses versus protection against third-party claims made by customers, partners, or vendors. Finally, the guidance advises banks to include their boards of directors in the assessment of these and other factors in insurance program reviews.
4. FinCEN Publishes FAQs on Expanded BSA Customer Due Diligence Requirements
The Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) has issued new guidance in the form of answers to frequently asked questions (“FAQs”) about the scope of expanded Bank Secrecy Act customer due diligence requirements imposed under FinCEN’s final rule published on May 11, 2016, and amended on September 29, 2017 (the “CDD Rule”). The new FAQs released on April 3 expand on an earlier set of FAQs on the CDD Rule that FinCEN released in 2016. For example, the new FAQs address the interaction of the beneficial ownership threshold under the CDD Rule with other anti-money laundering program obligations. The CDD Rule requires collection of information about beneficial owners of legal entity customers where a person owns, directly or indirectly, 25% or more of the equity interests of the customer. The new FAQs advise that there may be circumstances when a bank or other covered financial institution may determine that collection and verification of beneficial ownership information at a lower equity interest than 25% may be warranted based on the institution’s risk assessment of the customer. The new FAQs also provide guidance on applying the threshold to determine beneficial ownership for legal entity customers with complex ownership structures involving individuals with indirect interests through multiple layers of legal entity owners. Compliance with the CDD Rule becomes mandatory for banks and other covered financial institutions on May 11, 2018. Click here for a copy of FinCEN’s new FAQs.
Nutter Notes: FinCEN’s new FAQs also clarify beneficial ownership recordkeeping requirements under the CDD Rule. Generally, a covered financial institution must identify and verify a legal entity customer’s beneficial ownership information for each new account opened by the customer, regardless of the number of accounts opened. According to the new FAQs, however, an institution that has already obtained a beneficial ownership certification form may rely on that information to fulfill the beneficial ownership due diligence requirements for subsequent accounts as long as the legal entity customer certifies or confirms (verbally or in writing) that the information is up-to-date and accurate at the time each subsequent account is opened, and the institution has no knowledge of facts that would reasonably call into question the reliability of that information. The institution in such circumstances would need to maintain a record of each subsequent certification or confirmation. In addition, the new FAQs clarify that identifying information, including a beneficial ownership certification form, must be maintained for five years after a legal entity customer’s account is closed, and all verification records must be retained for at least five years after the record is made. For example, if an institution relies on a pre-existing beneficial ownership certification form when opening a new account for a legal entity customer, the institution should maintain the original records, and any updated information and confirmation of pre-existing information, until five years after the closing of the new account.
5. Other Developments: Data Privacy and Commercial Appraisals
- European Union Data Protection Rule Becomes Effective Next Month
The General Data Protection Regulation (the “GDPR”) adopted by the European Union (the “EU”) is scheduled to go into effect on May 25, 2018, and may apply to businesses, including U.S. banks, that do not have a physical presence in the EU, but have customers who are EU residents. Compliance with GDPR may involve, among other things, data privacy audits, changes to privacy policies and consents, naming of a data protection officer, security enhancements, and implementation of certain personal information rights for individuals.
Nutter Notes: Whether the GDPR applies to a U.S. bank with no physical presence in the EU depends in part on whether the bank targets EU residents or uses technology to track or profile EU data subjects regardless of where the bank is based. Because the GDPR’s requirements have not yet become effective, it is unclear how European regulators or courts will seek to enforce the GDPR’s requirements on banks and other businesses located outside of the EU. Click here to access the EU’s GDPR website.
- Final Rule Exempts CRE Transactions of $500,000 or Less from Appraisal Requirements
The federal banking agencies have issued a final rule that increases the threshold for commercial real estate transactions that require an appraisal from $250,000 to $500,000. The final rule, which became effective on April 9, allows a bank to use an evaluation, rather than an appraisal, for commercial real estate transactions exempted by the $500,000 threshold. Evaluations provide a market value estimate of the real estate pledged as collateral, but do not have to comply with the Uniform Standards of Professional Appraiser Practices and do not require completion by a state-licensed or certified appraiser.
Nutter Notes: The final rule defines commercial real estate transaction as a real estate-related financial transaction that is not secured by a single 1-to-4 family residential property. The definition excludes all transactions secured by a single 1-to-4 family residential property, so that construction loans secured by a single 1-to-4 family residential property are excluded. Click here for a copy of the final rule.
Nutter Bank Report
Nutter Bank Report is a monthly electronic publication of the Banking and Financial Services Group of the law firm of Nutter McClennen & Fish LLP. Chambers and Partners, the international law firm rating service, after interviewing our clients and our peers in the profession, has ranked Nutter’s Banking and Financial Services practice among the top banking practices in the nation. Visit the U.S. rankings at ChambersandPartners.com. The Nutter Bank Report is edited by Matthew D. Hanaghan. Assistance in the preparation of this issue was provided by Seth Berman and Heather F. Merton. The information in this publication is not legal advice. For further information, contact:
Thomas J. Curry
Tel: (617) 439-2087
Tel: (617) 439-2989
Michael K. Krebs
Tel: (617) 439-2288
This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.