Nutter Bank Report: November 2021Print PDF
- Federal Banking Agencies Publish Policy Road Map for Crypto-Asset Activities
- New Computer-Security Incident Notice Requirements for Banks, Vendors
- President’s Working Group, FDIC, and OCC Recommend Stablecoin Issuers Be Banks
- Federal and State Regulators Announce End of COVID-19 Regulation X Flexibility
- Other Developments: Pandemic-Related Forbearances; VC Fund Investments
1. Federal Banking Agencies Publish Policy Road Map for Crypto-Asset Activities
The federal banking agencies have issued a joint statement summarizing their interagency “policy sprints” focused on crypto-asset activities by banking organizations and providing a summary of the next steps they plan to take to provide supervisory guidance for crypto-asset activities. According to the Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps, published on November 23, the agencies plan to issue additional guidance throughout 2022 about whether certain crypto-asset activities conducted by banking organizations are legally permissible, and to clarify supervisory expectations for safety and soundness, consumer protection, and compliance issues. The agencies indicated that the crypto-asset activities they intend to address in future guidance will include crypto-asset safekeeping and custody services, ancillary custody services, the facilitation of purchases and sales of crypto-assets by customers, and loans collateralized by crypto-assets. According to the joint statement, the agencies also plan to provide guidance to banking organizations on the issuance and distribution of stablecoins, and activities related to a banking organization holding crypto-assets on its balance sheet. Finally, the agencies said that they plan to evaluate the application of capital and liquidity standards to crypto-assets next year. Click here for a copy of the joint statement on crypto-asset activities.
Nutter Notes: In a related development, the OCC issued an interpretive letter on November 23 clarifying how a national bank or federal savings association may secure permission from the OCC to engage in certain cryptocurrency, distributed ledger, and stablecoin payment activities. The November 23 interpretive letter explained that three prior OCC interpretations issued in 2020 and early 2021 established that national banks and federal savings associations may provide cryptocurrency custody services, hold dollar deposits as reserves backing stablecoins in certain circumstances, and use distributed ledger technology and stablecoins to engage in and facilitate certain payment activities. According to the OCC, a national bank or federal savings association must conduct such activities consistent with safety and soundness principles. In its November 23 interpretive letter, the OCC described the process by which a national bank or federal savings association may demonstrate to the OCC that it will engage in those activities in a safe and sound manner. Specifically, the institution must notify its supervisory office of its intent to engage in any of the described crypto-asset activities, and must obtain a written notification of the supervisory office’s non-objection before engaging in the activities. To obtain a non-objection, the institution must demonstrate to the OCC’s satisfaction that the institution has “established an appropriate risk management and measurement process for the proposed activities, including having adequate systems in place to identify, measure, monitor, and control the risks of its activities, including the ability to do so on an ongoing basis.” While the OCC’s interpretive letters apply to national banks and federal savings associations, a Massachusetts bank generally may engage in an activity that is permissible for a national bank or federal savings association, subject to the same limitations that apply federally, if the activity is not otherwise prohibited under Massachusetts law and the bank provides 30 days advance written notice to the Division of Banks under the Massachusetts parity statute.
2. New Computer-Security Incident Notice Requirements for Banks, Vendors
The federal banking agencies have issued a joint final rule that will require a banking organization to notify its primary federal regulator of certain “computer-security incidents” under certain circumstances, and will require service providers to notify affected banking organization customers of any such computer-security incident. The final rule released on November 18 defines a computer-security incident as an “occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” The final rule’s notification requirements are triggered by a computer-security incident that has “materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade,” a banking organization’s (i) ability to carry out banking operations or service a material portion of its customers, (ii) business line(s) in a manner that would result in “a material loss of revenue, profit, or franchise value,” or (iii) operations in a manner that would “pose a threat to the financial stability of the United States.” If a computer-security incident triggers the notice requirement, a banking organization must notify its primary federal regulator by email, telephone, or otherwise as the agency prescribes, as soon as possible, and no later than 36 hours after the banking organization determines that a notification is required under the final rule. The final rule will become effective on May 1, 2022. Click here for a copy of the final rule.
Nutter Notes: The bank service provider notification requirements under the final rule are triggered when the service provider determines that a computer-security incident has occurred that “has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services” for four or more hours. The final rule defines covered services as services that are subject to the Bank Service Company Act, which include check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, and other clerical or similar functions, such as data processing, or internet or mobile banking services. When a banking organization receives a computer-security incident notification from a service provider, the final rule requires the banking organization to make its own assessment of whether the incident triggers its notification requirement to its primary federal regulator. The final rule clarifies that the bank service provider notification requirements do not apply to any scheduled maintenance, testing, or software update that has been communicated in advance to a banking organization. The final rule’s computer-security incident notification requirements do not change any notification obligations that a banking organization may have if a computer-security incident also triggers any notice requirement under the Bank Secrecy Act/anti-money laundering rules or the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
3. President’s Working Group, FDIC, and OCC Recommend Stablecoin Issuers Be Banks
The President’s Working Group on Financial Markets, together with the FDIC and OCC, have published a report on stablecoins that recommends, among other things, legislation that would require stablecoin issuers to be insured depository institutions. The November 1 report defines stablecoins as a type of digital asset that is generally designed to maintain a stable value relative to the U.S. dollar. The report’s authors recommended that federal law should require that only insured depository institutions be permitted to issue or redeem stablecoins, or maintain reserve assets for stablecoins to address risks associated with the use of stablecoins as a means of payment and to protect against stablecoin runs. The report recommends that such legislation should provide for supervision of stablecoin issuers on a consolidated basis, should include prudential standards and should provide for, “potentially, access to appropriate components of the federal safety net,” possibly suggesting that stablecoin deposits be considered for eligibility for federal deposit insurance coverage – at least to some extent. Click here for a copy of the stablecoin report.
Nutter Notes: The stablecoin report recommends that federal law should impose activities restrictions on stablecoin issuers—which the report recommends be limited to insured depository institutions—that would limit a stablecoin issuer’s affiliation with “commercial entities” and limit use of stablecoin users’ transaction data. In addition to the stablecoin report’s recommendations for stablecoin issuers, the report recommends that federal law should require stablecoin custodial services (or “wallet”) providers to be subject to “appropriate federal oversight,” and should empower any federal agency that supervises a stablecoin issuer with the authority to require any business entity that “performs activities that are critical to the functioning of the stablecoin arrangement” to comply with certain risk-management standards. According to the report, regardless of any future legislation addressing stablecoin activities, the federal financial regulatory agencies intend to take regulatory action that is within their current authority to address risks posed by stablecoins, and to coordinate and collaborate on “issues of common interest,” such as the promotion of investor and market protections, including user disclosures, protections against fraud and manipulation, and other risks.
4. Federal and State Regulators Announce End of COVID-19 Regulation X Flexibility
The federal banking agencies, together with the CFPB, NCUA and the state financial regulators, have issued a joint statement advising mortgage servicers, including banks, that the temporary supervisory and enforcement flexibility provided in the April 2020 Joint Statement on Supervisory and Enforcement Practices Regarding the Mortgage Servicing Rules in Response to the COVID-19 Emergency and the CARES Act (“April 2020 Joint Statement”) no longer applies. According to the November 10 joint statement, the agencies recognize that the COVID-19 pandemic continues to impact consumers and mortgage servicers, but the agencies believe that the temporary measures provided under the April 2020 Joint Statement are no longer necessary because “servicers have had sufficient time to adjust their operations by, among other things, taking steps to work with consumers affected by the COVID-19 pandemic and developing more robust business continuity and remote work capabilities.” The joint statement also announced that the agencies will apply their usual supervisory and enforcement standards to address compliance issues with mortgage servicing rules that occur after November 10. Click here for a copy of the joint statement on temporary COVID-19 supervisory and enforcement flexibility.
Nutter Notes: The April 2020 Joint Statement clarified the application of the Regulation X mortgage servicing rules and announced a policy that – until the agencies provided notice otherwise – they would not take supervisory or enforcement action against a mortgage servicer for a failure to meet certain timing requirements under the mortgage servicing rules, as long as the servicer had made good faith efforts to meet the applicable requirements. According to the November 10 joint statement, the agencies still may consider the continuing impact of the COVID-19 pandemic on mortgage servicers and may take those issues into account when considering any supervisory and enforcement actions. The agencies also indicated that they will consider the time it will take mortgage servicers to adjust to the policies announced in the November 10 joint statement.
5. Other Developments: Pandemic-Related Forbearances; VC Fund Investments
Massachusetts Division of Banks Provides Guidance on Consumers Exiting Pandemic-Related Forbearances
The Massachusetts Division of Banks issued an industry letter on November 19 to provide guidance to mortgage servicers, including banks, on consumers exiting pandemic-related forbearances. According to the letter, the Division expects mortgage servicers to comply with the CFPB’s 2021 mortgage servicing rule regarding additional assistance for borrowers experiencing a COVID-19-related hardship.
Nutter Notes: The industry letter also encourages Massachusetts banks and other supervised financial institutions to participate in the Homeowner Assistance Fund, a federal assistance program established under the American Rescue Plan Act and administered by the state. Click here for a copy of the industry letter, and click here for a copy of the CFPB’s 2021 mortgage servicing rule.
OCC Issues Guidance on Equity Investments in Venture Capital Funds
The OCC released a bulletin on November 23 to remind national banks and federal savings associations that they are prohibited from making most equity investments in venture capital funds, with certain exceptions (such as public welfare investments and investments in small business investment companies). In particular, the bulletin clarifies that a venture capital fund investment that qualifies for the Volcker rule’s exclusion for venture capital funds does not mean that national banks and federal savings associations necessarily have the authority to make such investments under their respective enabling statutes and the rules issued under those statutes.
Nutter Notes: Part 362 of the FDIC’s regulations, which implements Section 24 of the Federal Deposit Insurance Act, generally limits the investments – including the types of venture capital fund investments discussed in the OCC bulletin – that Massachusetts and other state-chartered banks may make as principal to the kinds of investments that would be permissible for a national bank. Click here for a copy of the OCC bulletin.
Nutter Bank Report
Nutter Bank Report is a monthly electronic publication of the Banking and Financial Services Group of the law firm of Nutter McClennen & Fish LLP. Chambers and Partners, the international law firm rating service, after interviewing our clients and our peers in the profession, has ranked Nutter’s Banking and Financial Services practice among the top banking practices in the nation. Visit the U.S. rankings at chambers.com. The Nutter Bank Report is edited by Matthew D. Hanaghan. Assistance in the preparation of this issue was provided by Heather F. Merton. The information in this publication is not legal advice. For further information, contact:
Thomas J. Curry
Tel: (617) 439-2087
Christine A. Docherty
Tel: (617) 439-2107
Kenneth F. Ehrlich
Tel: (617) 439-2989
Matthew D. Hanaghan
Tel: (617) 439-2583
Michael K. Krebs
Tel: (617) 439-2288
This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.
SubscribeGet the latest from Nutter >
- 617.439.2246 | Email
- 617.439.2270 | Email
- 617.439.2223 | Email
- 617.439.2135 | Email
- 617.439.2177 | Email
- 617.439.2418 | Email
- 617.439.2989 | Email
- 617.439.2858 | Email
- 617.439.2269 | Email
- 617.439.2583 | Email
- 617.439.2304 | Email
- 617.439.2237 | Email
- 617.439.2116 | Email
- 617.439.2461 | Email
- 617.439.2683 | Email
- 617.439.2288 | Email
- 617.439.2490 | Email
- 617.439.2105 | Email
- 617.439.2698 | Email
- 617.439.2324 | Email
- 617.439.2720 | Email
- 617.439.2309 | Email
- 617.439.2342 | Email
- 617.439.2091 | Email
- 617.439.2449 | Email
- 617.439.2949 | Email
- 617.439.2147 | Email
- 617.439.2827 | Email
- 617.439.2035 | Email
- 617.439.2848 | Email
- 617.439.2980 | Email
- 617.439.2775 | Email
- 617.439.2130 | Email