Trending publication

Nutter Bank Report: March 2022

Print PDF
| Legal Update


  1. CFPB Announces Intention to Expand Enforcement Against Unfair Discrimination
  2. SEC Proposes Disclosure Requirements for Climate-Related Risks by Public Companies
  3. FDIC Publishes Guidance on Compliance with Computer-Security Incident Reporting
  4. OCC Final Rule Describes Criteria to Evaluate Requests for SAR Exemptions
  5. Other Developments: Mortgage Loans, Enforcement Actions, and Bank Mergers

1. CFPB Announces Intention to Expand Enforcement Against Unfair Discrimination

The CFPB has published an updated examination manual for evaluating unfair, deceptive, and abusive acts and practices (“UDAAPs”), which explains that the standard for unfairness under the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”) is that an act or practice by a bank or other consumer financial product or service provider is unfair when it “causes or is likely to cause substantial injury to consumers,” that they cannot reasonably avoid, and that harm is “not outweighed by countervailing benefits to consumers or to competition.” In its updated UDAAP exam manual released on March 16, the CFPB indicated that it will use its UDAAP authority to expand enforcement actions against financial institutions for discriminatory conduct even when fair lending laws do not apply to the conduct. For example, the updated UDAAP exam manual noted that denying access to or subjecting a consumer to different requirements to open a deposit account on the basis of a consumer’s race would be an unfair practice even where the Equal Credit Opportunity Act may not apply. Specifically, the CFPB announced that it “will examine for discrimination in all consumer finance markets, including credit, servicing, collections, consumer reporting, payments, remittances, and deposits.” Click here to access the CFPB’s updated UDAAP exam manual.

Nutter Notes:  The CFPB also recently announced progress toward rulemaking to address unfair discrimination in home mortgage lending by outlining options that are meant to “ensure that computer models used to help determine home valuations are accurate and fair.” The CFPB’s report of the Small Business Advisory Review Panel for Automated Valuation Model (AVM) Rulemaking issued on February 23 addresses a joint rule under development with the federal banking agencies that would impose quality control standards for AVMs, which are meant to prevent “algorithmic bias” in housing appraisals. AVMs employ algorithmic computer models that use large amounts of data to value homes in connection with home mortgage lending. According to the CFPB, both appraisals that are conducted in-person and those that rely on algorithmic appraisals “appear to be susceptible to bias and inaccuracy, absent appropriate safeguards.” The CFPB is in the process of reviewing its options for imposing quality control standards on AVMs to determine their potential impact on small businesses.

2. SEC Proposes Disclosure Requirements for Climate-Related Risks by Public Companies

The SEC has issued a proposed rule that would require publicly traded companies, including banking organizations, to make new disclosures about climate-related risks in their registration statements and periodic reports. The proposed rule released on March 21 would require the disclosure of information about a company’s climate-related risks “that are reasonably likely to have a material impact on its business, results of operations, or financial condition.” The required disclosures would include information about a company’s risk management processes relevant to climate-related risks and how any climate-related risks identified by the company have had or are likely to have a material impact on its business and consolidated financial statements over the short-, medium-, or long-term, among other things. In addition, the proposed rule would require that certain climate-related financial statement metrics be included in a note to audited financial statements. Public comments on the proposed rule will be due within 30 days after it is published in the federal register, which is expected shortly. Click here for a copy of the SEC’s proposed rule on climate-related risk disclosures.

Nutter Notes:  In a March 7 speech at the Institute of International Bankers’ Annual Washington Conference, Acting Comptroller Michael Hsu discussed the rulemaking in progress by the federal banking agencies that is focused on the climate risk management capabilities of large banks to identify, measure, monitor, and mitigate climate-related risks. The OCC requested public comments in December 2021 on draft principles for the identification and management of climate-related financial risks for large banks with more than $100 billion in total consolidated assets. Acting Comptroller Hsu indicated that the OCC is reviewing the feedback it received and is working with the FDIC and the Federal Reserve to finalize the climate risk management principles and to develop more detailed industry guidance. The FDIC on March 30 requested public comment on draft principles that would provide a high-level framework for the safe and sound management of exposures to climate-related financial risks, which are substantively similar to the draft principles issued by the OCC in December.

3. FDIC Publishes Guidance on Compliance with Computer-Security Incident Reporting

The FDIC has issued guidance on compliance with a joint final rule that establishes computer-security incident notification requirements for banking organizations and their bank service providers, which becomes effective on May 1, 2022. The guidance published on March 29 explained that an FDIC-supervised institution may comply with the requirements of the rule by reporting a computer-security incident to its FDIC case manager, or to any member of an FDIC examination team, if the event occurs during an examination. The guidance also provides an email address that may be used to provide notification to the FDIC of a computer-security incident if a bank is unable to access its supervisory team contacts. Click here for a copy of the guidance on compliance with computer-security incident notification requirements.

Nutter Notes: The federal banking agencies issued a joint final rule on November 18, 2021 that will require a banking organization to notify its primary federal regulator of computer-security incidents under certain circumstances, and will require service providers to notify affected banking organization customers of any such computer-security incident. The final rule defines a computer-security incident as an “occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” The final rule’s notification requirements are triggered by a computer-security incident that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade,” a banking organization’s (i) ability to carry out banking operations or service a material portion of its customers, (ii) business line(s) in a manner that would result in “a material loss of revenue, profit, or franchise value,” or (iii) operations in a manner that would “pose a threat to the financial stability of the United States.” If a computer-security incident triggers the notice requirement, a banking organization must notify its primary federal regulator by email, telephone, or otherwise as the agency prescribes, as soon as possible, and no later than 36 hours after the banking organization determines that a notification is required under the final rule.

4. OCC Final Rule Describes Criteria to Evaluate Requests for SAR Exemptions

The OCC has issued a final rule amending its suspicious activity report (“SAR”) regulations to clarify the OCC’s authority to issue exemptions from SAR reporting requirements in response to requests from national banks and federal savings associations. The final rule released on March 16 specifies which criteria the OCC will consider when evaluating a SAR regulation exemption request, including whether the request is consistent with the purposes of the Bank Secrecy Act and safe and sound banking principles. According to the OCC, the final rule will also make it possible for the OCC to grant relief to depository institutions it supervises that “develop innovative solutions intended to meet Bank Secrecy Act requirements more efficiently and effectively.” The final rule takes effect on May 1, 2022. Click here for a copy of the final rule.

Nutter Notes:  The SAR reporting system is operated by the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN). The OCC’s final SAR rule provides that, for exemption requests that involve only OCC SAR requirements, a national bank or federal savings association will be required to seek an exemption only from the OCC. For exemption requests that will also require an exemption from FinCEN’s SAR rules (such as exemption requests related to SAR timing requirements imposed by FinCEN’s rules or related to SAR confidentiality), a national bank will need to seek an exemption from both the OCC and FinCEN. Both the Federal Reserve and the FDIC are considering similar amendments to their respective SAR regulations to allow them to issue exemptions upon request from banks they supervise, which are based on proposals issued by the federal banking agencies in January.

5. Other Developments: Mortgage Loans, Enforcement Actions, and Bank Mergers

Division of Banks Expects Banks and Other Mortgage Servicers to Participate in HAF

According to follow-up guidance issued on March 7 by the Massachusetts Division of Banks to an earlier Industry Letter, the Division expects that all mortgage servicers under the Division’s supervision, including banks, will participate in the state-administered Homeowner Assistance Fund (“HAF”) for eligible consumers as consumers exit pandemic-related forbearances. HAF was established to mitigate financial hardships associated with the COVID-19 public health emergency by “providing funds to eligible borrowers for the purpose of preventing mortgage delinquencies, defaults, foreclosures and displacements of eligible homeowners,” according to the Division’s guidance. Click here for a copy of the Division’s follow-up guidance on HAF.

Nutter Notes:  The Massachusetts HAF Program is now fully funded by the United States Treasury and fully operational through the Massachusetts Housing Partnership and MassHousing, according to the Division’s guidance. The Division also said that statewide public service announcements are underway to inform all qualifying and impacted households about the availability of home financing options through HAF.

Director of the CFPB Suggests Harsher Penalties for Repeat Violations by Large Firms

CFPB Director Rohit Chopra urged finance services regulators to consider using more “non-monetary, structural remedies” in enforcement actions against financial service providers, including banking organizations, to deter them from repeatedly violating laws the agencies are responsible for policing in a speech on March 28 at the University of Pennsylvania. Director Chopra, who is also a member of the FDIC’s Board of Directors, suggested that such measures may include terminating or limiting access to FDIC deposit insurance. Click here for a copy of Director Chopra’s speech.

Nutter Notes:  Director Chopra’s remarks were aimed at corporate recidivism among large financial institutions. He indicated that he sees a disparity between the ways in which enforcement actions are pursued against smaller institutions, and particularly their senior management officials, as compared with larger institutions. Director Chopra said that termination of senior management and directors, and lifetime occupational bans should “be more frequently deployed in enforcement actions involving large firms.”

FDIC Seeks Public Input on Review of Bank Merger Policy

The FDIC has requested information and comments from the public and banking organizations related to its reassessment of the regulatory framework governing review and approval of merger transactions involving banks. In its March 25 request, the FDIC said that it is interested in receiving comments about the effectiveness of the existing rules in meeting the requirements of the Bank Merger Act. Click here for a copy of the FDIC’s request for information.

Nutter Notes:  President Biden issued an Executive Order on July 9, 2021 that, in part, directs federal agencies to consider the impact that consolidation may have on maintaining a “fair, open, and competitive marketplace,” and on the welfare of workers, farmers, small businesses, startups, and consumers. The Executive Order directs the Attorney General to consult with the federal banking agencies and adopt a plan for “the revitalization of merger oversight” under the Bank Merger Act and the Bank Holding Company Act.

Nutter Bank Report
Nutter Bank Report is a monthly electronic publication of the Banking and Financial Services Group of the law firm of Nutter McClennen & Fish LLP. Chambers and Partners, the international law firm rating service, after interviewing our clients and our peers in the profession, has ranked Nutter’s Banking and Financial Services practice among the top banking practices in the nation. Visit the U.S. rankings at The Nutter Bank Report is edited by Matthew D. Hanaghan. Assistance in the preparation of this issue was provided by Heather F. Merton. The information in this publication is not legal advice. For further information, contact:

Thomas J. Curry

Tel: (617) 439-2087

Christine A. Docherty

Tel: (617) 439-2107

Kenneth F. Ehrlich

Tel: (617) 439-2989

Matthew D. Hanaghan

Tel: (617) 439-2583

Michael K. Krebs

Tel: (617) 439-2288


This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.

More Publications >
Back to Page