Trending publication

03.30.2012 | Legal Update

Headlines

1. FDIC Warns That Copying Bank Records Could Be a Breach of Fiduciary Duty
2. Federal Reserve Outlines Criteria for Upgrading Supervisory Ratings
3. Consumer Sues for Violation of Massachusetts’ Information Security Regulations
4. CFPB Issues Guidance on SAFE Act Compliance
5. Other Developments: FHA Audit Requirements and Currency Transactions

1. FDIC Warns That Copying Bank Records Could Be a Breach of Fiduciary Duty

The FDIC recently released guidance advising bank directors and officers that it is a breach of their fiduciary duties to remove copies of institution and supervisory records from a bank in anticipation of litigation or enforcement activity against the director or officer personally. The FDIC guidance issued on March 19 (see FDIC Financial Institution Letter # 14-2012) reminds directors and officers that removing copies of certain bank records from bank premises may also violate applicable laws, regulations and the bank’s information security program. Such records include confidential material such as loan files and other records containing bank customer information, reports of examination and supervisory correspondence, employee records, and suspicious activity reports. Directors and officers have a fiduciary duty to act in the best interests of the bank, free of self dealing or conflicts of interest, according to the guidance. Those fiduciary duties generally prohibit directors and officers from using bank property or assets, including bank records, for their personal advantage. The FDIC’s guidance also reminds attorneys who represent banks of their duty to act in the best interests of the bank. The FDIC warned that it will investigate any matter that appears to violate bank confidentiality and, if appropriate, pursue enforcement action. 

    Nutter Notes: The FDIC takes the position that all bank records belong exclusively to the bank. Many such records are subject to federal and state privacy and information security requirements that restrict the manner and circumstances under which the records may be accessed by bank personnel, transported or transmitted, or shared with another person. FDIC regulations expressly prohibit the disclosure of examination reports and certain supervisory correspondence. The guidance reiterates the FDIC’s position that FDIC reports of examination and other supervisory documentation do not belong to a financial institution, but remain the property of the FDIC. Federal law prohibits the disclosure of suspicious activity reports because they contain information that could impede law enforcement efforts or cause damage to individuals named in a report if made public. In the case of a failed bank, the FDIC as receiver has the unrestricted and sole right to possess and use the books, records, and assets of the failed bank. The Federal Deposit Insurance Act gives the FDIC the authority to pursue enforcement actions against directors, officers, and institution-affiliated parties who knowingly or recklessly engage in a violation of law or a breach of fiduciary duty.

2. Federal Reserve Outlines Criteria for Upgrading Supervisory Ratings

The Federal Reserve has issued guidance describing the standards that supervisors will apply to evaluate whether a banking organization with $10 billion or less in assets is eligible for an upgrade of a supervisory rating. The guidance released on March 12 (see Federal Reserve Supervision and Regulation Letter #12-4) provides criteria for determining whether or not a community banking organization’s ratings could be upgraded consistent with interagency rating guidance and the Federal Reserve’s risk management rating guidance. According to the Federal Reserve, the guidance was issued to ensure that upgrades occur in a timely manner when a banking organization has made the requisite progress in addressing any supervisory concerns that had prompted a lower rating. To be eligible for an upgrade, a banking organization is expected to demonstrate, among other things, improvement in financial condition and risk management, as well as show that such improvement is likely to continue. According to the guidance, the Federal Reserve will evaluate the strength of core financial components, overall risk management, and, in particular, the quality of oversight by the organization’s board of directors in assessing whether an upgrade is warranted. 

    Nutter Notes: Specific considerations that the Federal Reserve said would impact any consideration of an upgrade include the extent to which the organization’s capital levels and capital planning process is appropriate relative to its risk characteristics, the extent and sustainability of improvements in core earnings, and the extent to which asset quality has improved and is expected to continue to improve. The Federal Reserve said it would also consider whether liquidity and interest rate risk positions generally are managed prudently and in a manner consistent with applicable supervisory guidance, and whether management’s projections and assumptions related to the core financial factors referred to above are reasonable and subject to regular review and oversight by the organization’s board of directors. Other relevant factors in the consideration of an upgrade include improvements in risk management capabilities to address the primary weaknesses that contributed to prior ratings downgrades, policies and procedures that have been implemented that focus on sustainable improvement proportionate with the organization’s risk profile, and whether the organization’s board provides strategic review and oversight of core financial components and risk management and actively engages in the process of correcting deficiencies.

3. Consumer Sues for Violation of Massachusetts’ Information Security Regulations

The U.S. Court of Appeals for the First Circuit on February 28 dismissed a consumer’s claims against a third-party vendor doing business with the consumer’s securities brokerage firm that were based on the vendor’s alleged failure to comply with the Massachusetts information security requirements. The Court of Appeals decision affirmed the decision of the lower court to dismiss the case because the consumer did not state a claim for relief based on an actual data security breach, among other factors. The vendor provides an electronic service to the consumer’s brokerage firm that gives subscribing financial organizations (such as investment firms) access to information about market dynamics and customer accounts. The brokerage firm provided a disclosure statement to the consumer describing how it made her account information accessible to subscribers of the electronic service. The consumer claimed that the vendor failed to notify her of unidentified security breaches as required by Chapter 93H of the General Laws of Massachusetts and failed to conform to the minimum security standards required by the Massachusetts information security regulations (201 C.M.R. 17.00) to protect her account information. She claimed that, as a result of those alleged violations, she was forced to purchase identity theft insurance and that her nonpublic personal information was vulnerable to misuse. The federal appeals court found that the consumer did not identify an incident in which her nonpublic personal information had actually been accessed by any unauthorized person. Because she failed to identify an actual data security breach, the court ruled that she could not sue the vendor even if the vendor had not complied with the minimum information security standards required by the Massachusetts regulations. 

    Nutter Notes: In its ruling, the court expressly declined to decide whether a consumer may bring a private lawsuit for a violation of the data security breach notification requirements under Chapter 93H, or whether such a claim may only be made by the Massachusetts Attorney General. Chapter 93H generally requires that a business notify consumers in Massachusetts in the event that an unauthorized person has accessed a record containing certain nonpublic personal information of consumers held by the business (i.e., a data security breach). Chapter 93H also directed the Massachusetts Office of Consumer Affairs and Business Regulation to adopt a rule establishing universally applicable information security standards, which resulted in the information security regulations at 201 C.M.R. 17.00. Chapter 93H permits the Massachusetts Attorney General to enforce Chapter 93H by treating a violation of the statute or a violation of the information security regulations as a violation of the Massachusetts consumer protection statute, Chapter 93A of the General Laws of Massachusetts. While Chapter 93A allows consumers to sue businesses for unfair or deceptive business practices, it remains unclear whether a consumer may sue a business for a violation of Chapter 93H or the information security regulations.

4. CFPB Issues Guidance on SAFE Act Compliance

The CFPB has issued an interagency examination manual for depository institutions under the Secure and Fair Enforcement for Mortgage Licensing Act of 2008 (“SAFE Act”). The examination manual released on March 12 provides guidance for complying with residential mortgage loan originator (“MLO”) registration and other requirements of the SAFE Act applicable to every depository institution that is regulated by one of the federal banking agencies (each a “covered financial institution”). The SAFE Act mandates a nationwide licensing and registration system for MLOs, and generally prohibits any employee of a covered financial institution from engaging in the business of an MLO without obtaining and maintaining annually a registration as an MLO and a unique identification number. The SAFE Act also requires that federal MLO registration and state MLO licensing and registration be accomplished through the same online registration system, the Nationwide Mortgage Licensing System and Registry (“Registry”). The CFPB’s SAFE Act regulations provide one exception to the federal MLO registration requirements for any employee of a covered financial institution who has never been registered or licensed through the Registry as an MLO if the employee only acts as an MLO for 5 or fewer residential mortgage loans in any 12-month period. 

    Nutter Notes: The CFPB’s SAFE Act regulations require covered financial institutions to conduct independent tests annually to assess compliance with the SAFE Act. The SAFE Act examination manual includes guidance on the written policies and procedures that covered financial institutions are required to implement. According to the examination manual, a covered financial institution’s SAFE Act policies and procedures must be appropriate for the nature, size, complexity, and scope of the institution’s mortgage lending activities and should apply only to those employees acting within the scope of their employment at the institution. The policies and procedures must also establish a process for identifying and confirming registration of MLOs who are required to be registered, require that MLOs receive SAFE Act compliance training, and establish procedures to comply with the MLO identification number disclosure requirements. The CFPB’s SAFE Act regulations require that a covered financial institution’s policies and procedures provide for appropriate disciplinary actions if an employee fails to comply and provide for monitoring of vendor compliance with the SAFE Act.

5. Other Developments: FHA Audit Requirements and Currency Transactions 

• FHA Waives Annual Audit Requirements for Small Lenders

The Federal Housing Administration (“FHA”) announced on March 13 that it has extended a waiver of the requirement that small lenders submit annual audited financial statements for FHA lender approval or renewal. Small lenders are defined as those with less than $500 million in assets. The waiver will expire on April 7, 2013.

    Nutter Notes: For annual recertification, small FHA lenders must submit a copy of their unaudited regulatory report that aligns with their fiscal year-end call reports. According to the FHA announcement, small lenders will not be required to submit a report on internal controls related to HUD-assisted programs or a report on compliance with specific requirements applicable to HUD programs until further guidance is issued. 

• FinCEN Provides Guidance on Aggregating Currency Transactions

The Financial Crimes Enforcement Network (“FinCEN”) issued guidance on March 16 to clarify when multiple transactions conducted by businesses under common ownership should be aggregated for currency transaction reporting purposes. A financial institution must aggregate multiple currency transactions if it has knowledge that multiple transactions totaling more than $10,000 in one business day were conducted by or on behalf of the same person.

    Nutter Notes: In general, it is presumed that separately incorporated entities are independent persons for currency transaction reporting purposes even if they share a common owner. However, that presumption is rebuttable and it is up to the financial institution to determine whether multiple businesses with a common owner are being operated independently based on the facts and circumstances.

Nutter Bank Report

Nutter Bank Report is a monthly electronic publication of the Banking and Financial Services Group of the law firm of Nutter McClennen & Fish LLP. Chambers and Partners, the international law firm rating service, has ranked Nutter’s Banking and Financial Services practice among the top banking practices in the nation. The 2009 Chambers and Partners review says that a “real strength of this practice is its strong partners and . . . excellent team work.” Clients praised Nutter banking lawyers as “practical, efficient and smart.” Visit the U.S. rankings at ChambersandPartners.com. The Nutter Bank Report is edited by Matthew D. Hanaghan. Assistance in the preparation of this issue was provided by Lisa M. Jentzen. The information in this publication is not legal advice. For further information, contact:

Kenneth F. Ehrlich
kehrlich@nutter.com 
Tel: (617) 439-2989

Michael K. Krebs
mkrebs@nutter.com
Tel: (617) 439-2288

This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.