On January 5, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a report detailing consumer complaint deficiencies by the national credit reporting agencies (NCRAs). Specifically, the CFPB found that, in 2021, the NCRAs together reported relief in response to less than 2% of covered complaints, down from nearly 25% of covered complaints in 2019. The CFPB noted three fact patterns believed to lead to inaccurate consumer credit reporting and thus potentially the denial of credit or offer of credit on less favorable terms.
The three federal banking agencies (i.e., the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency—collectively, the Agencies) published a final rule (the Rule) on November 23, 2021, requiring “banking organizations” to notify their primary federal regulator within 36 hours in the event of certain types of computer-security incidents. The Rule separately requires “bank service providers” to notify banking organization customers as soon as possible in the event of any incident that has or is reasonably likely to materially affect those customers for four or more hours.

FINRA recently filed a proposed rule change with the US Securities and Exchange Commission (SEC) on November 12, 2021 that would seek to once again delay the effective date of changes to FINRA Rule 4210 that were previously implemented on December 15, 2016. The amendments were supposed to become effective on January 26, 2022 and the proposed changes would move the effective date to April 26, 2022.

FINRA is proposing to extend the ability of firms to have remote inspections until June 30, 2022. As discussed in the rule filing, FINRA Rule 3110.17 provide firms the option of satisfying their inspection obligations under Rule 3110(c) remotely for calendar years 2020 and 2021, subject to specified conditions. The rule was to automatically sunset on December 31, 2021. FINRA has extended the rule in light of the COVID-19 delta variant, inconsistent vaccination rates, and an uptick in infections. The filing includes a request for immediate effectiveness, with the rule change being operative on January 1, 2022.
As highlighted previously, three federal banking agencies (the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency) recently issued proposed risk management guidance regarding third-party relationships (Proposed Guidance). Among other things, the Proposed Guidance specifies that banking organizations should adopt third-party risk management processes that are commensurate with the identified level of risk and complexity from the third-party relationships, and with the organizational structure of each banking organization.
FINRA filed a proposed rule change with the US Securities and Exchange Commission (SEC) on August 26, 2021 to delay the effective date of changes to FINRA Rule 4210 that were previously implemented on December 15, 2016.
The proposed guidance also identifies principles that are applicable to each stage of the third-party risk management life cycle, including: (1) developing a plan that outlines the banking organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the banking organization will identify, assess, select, and oversee the third party; (2) performing proper due diligence in selecting a third party; (3) negotiating written contracts that articulate the rights and responsibilities of all parties; (4) having the board of directors and management oversee the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews; (5) conducting ongoing monitoring of the third party’s activities and performance; and (6) developing contingency plans for terminating the relationship in an effective manner. The proposed guidance provides extensive details on all the above identified principles.

Congress has enacted and President Joseph Biden has signed a joint resolution of disapproval under the Congressional Review Act (CRA) of the Office of the Comptroller of the Currency’s (OCC’s) “true lender” rule, which, as we previously discussed, had provided that a national bank is as a matter of law the lender on any loan for which it is the named lender or for which it provides the loan funding.

The Basel Committee on Banking Supervision (Basel Committee), a committee of global central bankers and regulators, issued a Consultative Document on June 10 on the prudential treatment of cryptoasset exposures for international banks (the Proposal). The Basel Committee has asked for comments by September 10, 2021.
On April 27, 2021, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a final rule formally delaying the mandatory compliance date for the rule defining a “qualified mortgage” (QM) (the General QM Final Rule) from July 1, 2021 to October 1, 2022.