February 8, 2024
In the latest issue of Cabinet News and Views, we delve into the multifaceted landscape of regulatory oversight, where authorities address a spectrum of issues spanning from international equivalency rulings to consumer protection advisories. From the UK government's confirmation of EEA UCITS equivalency under overseas funds regulation to the Consumer Financial Protection Bureau's directives on Fair Credit Reporting Act compliance, this edition underscores the broad purview of regulatory bodies. Join us as we explore the diverse remits and proactive measures of regulatory authorities within financial markets.
As always, your comments and questions are valued. Feel free to reach out to us anytime by dropping a note here.
Mercedes Tunstall and Alix Prentice
Partners and Co-Editors, Cabinet News and Views
When the Consumer Financial Protection Bureau (“CFPB”) took over responsibilities for interpreting the Fair Credit Reporting Act (“FCRA”) from the Federal Trade Commission (“FTC”) in 2011, the agency seemed to take a good amount of time figuring out the importance of this original privacy legislation dating all the way back to 1970. But, in the last two years, the CFPB has come into its own regarding the FCRA and accordingly has issued guidance, advisories and even updated the implementing regulation for the FCRA, Regulation V. And so 2024 started off with not one, but two, new advisories touching on FCRA issues and concerns.
The first advisory, on Background Screening, issued on January 11, 2024, addresses a suite of problems that arise mainly when consumer reports are used for housing or employment decisions. Consumer reports can be used for a variety of purposes (see the CFPB’s updated advisory opinion on permissible purposes), but are often conflated into just being “credit reports” used to make credit decisions. In this case, the specific kind of consumer report being addressed provides background information to potential employers, landlords and property management companies that focuses less on credit information, and more on things such as rental histories, utility payment histories, criminal records and eviction proceedings. Generally speaking, the FCRA requires that any negative information reported on a consumer report should remain on the report for no longer than seven years. This advisory opinion specifies that the seven year timeframe runs from the commencement of any proceeding, criminal, eviction or otherwise, and not from the disposition of the proceeding, and any updated proceedings on the same issue do not start a new seven year period running. In addition, the advisory opinion addresses data accuracy requirements of the FCRA and indicates that consumer reporting agencies providing these background screening consumer reports are “not using reasonable procedures to assure maximum possible accuracy” unless that have procedures in place to: 1) prevent reporting of information that is duplicative; 2) prevent reporting of information that has been expunged, sealed or legally restricted from public access; and 3) ensure that to the extent a disposition of a proceeding is available, such disposition is reported alongside the proceeding itself. In explaining the genesis of #2, the CFPB referenced state laws (e.g., in Pennsylvania and Virginia ) that forbid the disclosure of criminal history records for non-law enforcement purposes in timeframes much shorter than the FCRA’s seven year timeframe and observed reports that “in most states” the only disposition information available on a proceeding is when there is a conviction, but not when there is a dismissal or other kind of disposition.
The second advisory, on File Disclosures, also issued on January 11, 2024, focuses on reminding consumer reporting agencies that they must provide a consumer with full information on their own consumer report. This means that the complete file should be provided “with clear and accurate information that is presented in a way an average person could understand” and that the information should be presented such that consumers can easily identify inaccuracies and understand how to exercise their rights to dispute any incomplete or inaccurate information. The advisory also touches on an important issue that has affected the consumer reporting industry for many years – the proliferation of intermediaries and vendors that not only collect information for consumer reporting agencies, but that also offer users of consumer reports a variety of custom analyses, scoring and other features not typically supported by the large credit reporting companies. As the CFPB observes, “if a consumer identifies an error in an item of information in their file, but the consumer reporting agency has only disclosed to the consumer the original source of the information and not also the vendor source that directly provided the information to the consumer reporting agency and from which the error arose, the consumer would not be able to identify the source of the erroneous information and may not be able to correct it.” Accordingly, the advisory opinion directs consumer reporting agencies to disclose “to a consumer both the original source and any intermediary or vendor source (or sources) that provide the item of information.”
Both of these advisory opinions address points of pain that have affected consumers for many years; years during which the marketplace has not been spurred into action to resolve themselves. Although these advisory opinions are useful in prioritizing steps consumer reporting agencies should be taking regarding the information they gather and report on consumers, it will most likely take the industry months or even years to reliably be able to conform with the expectations indicated in these advisory opinions.
On December 21, 2023, the Financial Crimes Enforcement Network (“FinCEN”) published its final rule setting forth the circumstances under which beneficial ownership information reported to FinCEN pursuant to the Corporate Transparency Act (“CTA”) may be disclosed to authorized recipients, and how that information must be protected (the “Access Rule”).
The Access Rule is the second of three planned FinCEN rulemakings pursuant to the CTA. The first rule, setting forth the obligation for legal entities to file beneficial ownership reports with FinCEN, was issued in September 2022, and as of January 1, 2024, the registry for submitting such information has opened up. Legal entities required to file this information that were in existence prior to 2024 have until January 1, 2025 to submit their information to the registry. New legal entities formed in 2024 and going forward, have 90 days from being established to submit their information to the registry. (A third rule to harmonize the 2016 Customer Due Diligence rule with the CTA is expected, but has not yet been proposed.)
The CTA and the Access Rule establish the circumstances under which the information obtained by FinCEN’s registry may be disclosed to authorized parties and confirms that this beneficial ownership information (“BOI”) is confidential and may not be disclosed except as permitted.
The Access Rule authorizes six categories of recipients of BOI:
- Federal agencies engaged in national security, intelligence, or law enforcement activity;
- State, local, and Tribal law enforcement agencies;
- Official foreign requesters;
- Federal functional regulators;
- S. Treasury personnel; and
- Financial institutions subject to Bank Secrecy Act (“BSA”) customer due diligence requirements.
While financial institutions may access the BOI for purposes of complying with anti-money laundering (“AML”) obligations and sanctions administered by Treasury’s Office of Foreign Assets Control (“OFAC”), they may only do so if the reporting company has consented to the disclosure. (The other categories of authorized recipients may access the BOI regardless.) Accordingly, financial institutions that obtain BOI from FinCEN are required to implement reasonably designed data-protection safeguards; the Access Rule confirms that financial institutions will be able to satisfy these requirements by applying the same procedures used to protected customer nonpublic information in compliance with section 501 of the Gramm-Leach-Bliley Act and its implementing regulations, including the Safeguards Rule.
FinCEN plans to grant access to registry first to key Federal agencies in 2024. Additional categories of authorized recipients will be granted access in phases; financial institutions will be the last category of authorized recipients to be granted access.
In an interagency statement issued the same day to financial institutions, the FDIC, Federal Reserve, NCUA, OCC, state financial regulators, and FinCEN confirmed that for now the Access Rule creates no new regulatory requirements for financial institutions to affirmatively access BOI from the registry, and does not create a supervisory expectation that they do so. Further, they confirmed that the Access Rule does not presently necessitate changes to the BSA/AML compliance programs financial institutions have designed to comply with the 2016 Customer Due Diligence rule and other existing BSA requirements.
In January 2024, the Consumer Financial Protection Bureau ("CFPB") issued two proposed rules that, if implemented as written, would result in further whittling down overdraft or non-sufficient funds ("NSF") fees charged by financial institutions.
The first proposed rule, announced by the CFPB on January 17, 2024, but not yet published in the Federal Register, would apply only to “very large financial institutions” (i.e., those institutions that have more than $10B in assets) and is called “Overdraft Lending: Very Large Financial Institutions.” The proposed rule would “update” what the CFPB characterizes as, “several non-statutory exceptions in Regulation Z to extend consumer credit protections that generally apply to other forms of consumer credit to certain overdraft credit” solutions offered by the financial institutions. Interestingly (and perhaps fatally?), the proposal is to remove these “non-statutory exceptions” to the Truth In Lending Act ("TILA") from its implementing regulation, Regulation Z, only for the very large financial institutions, but to retain those exceptions for all other financial institutions until the CFPB understands how the market responds to the rule. On the one hand, the CFPB is justifying these changes to Regulation Z that have been in place since the Federal Reserve first promulgated the regulation in 1969 as not being core to the intent of the TILA, but on the other hand, the CFPB is proposing to introduce a new “non-statutory exception” by applying the changes only to very large financial institutions.
Stay tuned for a part two on this Overdraft Lending proposed rule in the next Cabinet News & Views that walks through the proposed rule in more detail, but for now, here is a summary of the proposed changes. To assist with understanding the proposed rule, the CFPB published a Fact Sheet, and a Report on the marketplace that endeavors to justify the reasons for the proposed rule.
Comments on the proposed rule are due to the CFPB on or by April 1, 2024.
- Courtesy overdraft protection can still be extended by covered financial institutions, but the only fees that may be charged for such protection is a “break-even” fee set by the financial institution or a “benchmark fee” that is set by the CFPB, based upon its understanding of market data, which the CFPB has predicted to be anywhere from $3 to $14, plus $.50 per overdraft transaction. The CFPB is not allowed to fix prices for fees, but by offering the alternative methodology of a “break-even” fee and leaving the choice up to the financial institution, they appear to be trying to side-step that limitation on their authority.
- More formal overdraft protection could be offered to customers on an opt-in basis, and would constitute an overdraft line of credit, subject to Regulation Z protections and disclosures, which consumers could choose to repay as they wish (i.e., the line of credit could not require automatic payments). In this case, consumers would apply for the line of credit, have their credit report pulled and be underwritten for the line of credit just like consumers are evaluated and underwritten for other forms of credit. Of course, these lines of credit for overdraft used to be very popular with banks, but the prudential regulators in the 2000’s found such lines of credit to pose safety and soundness concerns, primarily due to the amount of time consumers took to repay the lines of credit, and so most banks phased these lines of credit out.
The second proposed rule, announced on January 24, 2024, is called the Fees on Instantaneously Declined Transactions rule and would apply to all “covered financial institutions” regardless of size, with the proposed definition meaning any “financial institution” that holds “accounts” as defined by Regulation E. The CFPB explains that while today most consumers are not charged a fee by their financial institution when the transaction is declined at the point of sale for non-sufficient funds, that result is generally because of consumer protections in place for debit card transactions. However, there have been numerous technology innovations that allow for instantaneous or near-instantaneous transactions to occur at the point of sale using other methods of payment, such as automated clearinghouse ("ACH") transactions or even electronic check transactions, and, as the CFPB observes, “banks have previously increased fees when technology provided an opportunity.” Put another way, the reason that there are only debit card consumer protections against NSF fees was because of the speed of transactions debit cards provided, compared to other payment methods. But, now that transactions nearly as speedy can be conducted through payment methods other than debit cards, the CFPB is seeking to ensure that all such speedy transactions have the same consumer protections.
Comments are due on this proposed rule by or on March 24, 2024.
To address the limitations of the current temporary marketing permission regime (“TMPR”), which permits EEA funds marketed in the UK before Brexit to continue to access the UK market, the UK government introduced the overseas funds regime (“OFR”). The OFR allows for investment funds domiciled overseas to be offered to UK retail investors following the end of TMPR.
In a continued show of its commitment to ensuring that, post-Brexit, the UK facilitates access to the domestic market for certain overseas funds, the UK Economic Secretary has announced the UK Government's decision regarding the OFR and its assessment of European Economic Area ("EEA") states. This follows the FCA publishing its consultation on 4 December 2023 on ‘Changes to Allow Recognition of Overseas Funds’ which is due to close on 12 February with the FCA intending to publish a policy statement with final rules in Q1. See here for our note on the consultation.
The statement confirms the equivalence of EEA states, including EU member states, under the OFR. The government notes its aim is to streamline the process for marketing overseas investment funds to UK investors without additional UK requirements. The government’s decision applies to funds structured as UCITS (i.e., regulated funds available to retail investors) with the exception of money market funds, which are excluded due to ongoing regulatory developments.
The government has also committed to regularly monitor this equivalence determination, taking into account both UK and EEA regulatory changes. The government also intends to conduct consultations on broadening sustainable disclosure requirements to encompass OFR-recognised funds. Additionally, the extension of the TMPR until the end of 2026 will enable specific EEA investment funds to continue marketing in the UK, and facilitates the transition to the OFR. The Economic Secretary highlighted that implementing this decision will require secondary legislation, pending parliamentary availability.
Following up on a consultation in July 2023 here, the post-Brexit replacement of Regulation (EU) 2017/2402 of the European Parliament and of the Council ("Sec Reg"), the UK Securitisation Regulations 2024 (SI 2024/102) ("SI") was made final on 29 January 2024. While certain of the SI’s provisions are in force as of that date, they will come fully into force alongside the new Financial Conduct Authority ("FCA") and Prudential Regulation Authority ("PRA") firm-facing rules on securitisations, the final version of which is expected in Q2 following the conclusion of the consultation period, and the repeal of retained EU law on securitisation.
To recap, the SI creates a new framework within which the FCA and PRA can make rules and switches on the FCA’s powers to do so in a way that speak to both the regulated and unregulated in relation to the ‘designated activities’ described in Regulation 4. This maintains the Sec Reg status quo that all providers of securitisations are subject to its requirements. On the regulatory perimeter, the SI leaves this largely untouched with the exception of moving non-UK alternative investment fund managers outside the definition of institutional investor. On transitional provisions, the explanatory note to the SI clarifies that the FCA and PRA are responsible for most firm-facing requirements for securitisations which existed before the revocation of Sec Reg, while the SI now restates certain relevant transitional measures.
On January 25, 2024, the Commodity Futures Trading Commission (“CFTC”) published, first, Release No. 8854-24, a customer advisory cautioning the public to beware of artificial intelligence (“AI”) scams (the “AI Advisory”), and second a Request for Comment (“AI RFC”), in which it began to articulate its regulatory approach to AI and the use of this emerging technology by CFTC-regulated entities. Following on the heels of Biden’s Executive Order on AI at the end of 2023, the CFTC wants to determine: (1) how AI is already being used by commodity market participants; (2) the inherent risks of use of this technology by such participants; (3) what the CFTC can and should do in response to the proliferation of AI; and (4) how AI and the use of AI fits within the existing regulatory framework established by the CFTC, the National Futures Association (“NFA”) and prevailing market practices. Combined, the AI Advisory and the AI RFC are the CFTC’s first regulatory involvement in AI.
In the AI Advisory, the CFTC analyses AI-related schemes through the lens of its division of enforcement. Technically, proliferation of these scams has nothing to do with serious uses of AI, as these scams are the same as regular fraud where a proprietor makes outlandish claims of potential profits through the use of new popular technology and then simply misappropriates customers’ money, oftentimes without even trading or employing any AI-related technology. The CFTC explains that no matter how innovative the technology may be, AI neither has the ability to “predict the future” nor to foresee “sudden market changes” – in other words, these scams are tantamount to Ponzi schemes that are dressed up in AI marketing.
Separately, the AI RFC marks the first time the CFTC is meaningfully engaging with AI technology from the regulatory perspective. Specifically, the AI RFC has posed 20 detailed questions about various aspects of AI, including how to identify risks relating to market safety and customer protection, what kind of governance would be appropriate for the use and development of AI solutions, what impacts AI will have on data privacy and cybersecurity concerns, special considerations necessary for the use of third-party service providers for AI solutions, and how to best mitigate AI’s known tendency towards bias. The CFTC’s questions focus on many practical considerations that all market participants should be thinking about when evaluating AI strategies and solutions.
For example, similar to unregistered, decentralized autonomous organizations (“DAOs”) platforms that may qualify as commodity exchanges or brokers or clearing houses, should unregistered autonomous AI bots be deemed to be commodity trading advisers or introducing brokers; and if the answer is “yes”, how and where should such entities be registered and regulated, and who should be responsible for regulatory compliance? Or, would a compliance department of a CFTC registrant meet its statutory duties if it extensively used AI in market surveillance or contracted with third-party service providers who rely upon AI in providing such services? Or, should the NFA require its members to disclose to their clients that they are using AI, similar to what the NFA already requires with respect to digital assets? The AI RFC identifies these numerous practical considerations.
The AI RFC is not the first time the CFTC has addressed emerging technologies – in 2015, for example, the CFTC proposed, but never finalized, its automated trading rule, partially in response to the development of high-frequency trading technologies. Of course, had that rule been finalized, it would be completely obsolete by now. AI is probably going to be relevant for many decades to come, in contrast. In contrast to the enforcement where the CFTC attempted to formulate its policy with respect to DAOs, it is commendable that with respect to the AI, the CFTC offered for public comment its regulatory concerns.
Given the types of questions asked, the resulting guidance from the CFTC will likely address at least the following topics:
- the extent of the use of AI technology by market participants today and projected going forward;
- the types of AI-assisted or AI-initiated conduct that would qualify as “regulated” and therefore subject to CFTC’s and NFA’s oversight;
- whether traditional categories of registrants and regulated entities would capture this conduct; and
- surveillance, compliance and ethical considerations for the commodity derivatives industry as a whole.
Several industry associations will be responding to the AI RFC, partly because many individual market participants may be reluctant to comment individually due to competition considerations that may not be fully addressed by confidential treatment under Title 17 of CFTC Regulations. Comments are due by April 24, 2024.
In edition 76 of Market Watch, its newsletter on market conduct and transaction reporting issues, the UK’s Financial Conduct Authority ("FCA") has shared its observations and issued some warnings about the risk of harms involved in ‘flying’ and ‘printing’ on a variety of markets and platforms.
Flying is the practice of communicating to clients or market participants, using any means, that a firm has bids or offers that are not supported by, or sometimes even derived from, an order or instruction. Printing involves communicating that a trade has been executed at a specified price and/or size when the trade has not actually occurred. Both activities entail creating a false impression of liquidity and/or price, and clearly form a false or misleading basis on which to make investment decisions.
The FCA has warned about flying and printing in the past (see Market Watch 57 published in November 2018), and the potential for market abuse when firms publish incorrect (and sometimes fictitious) volume and price data. Market Watch 57 flagged the importance of appropriate oversight and systems and controls in preventing these abuses. Market Watch 76 notes that the FCA is continuing to see possible flying and printing events across fixed income, commodities and currency markets, including via the entering of prices in lit markets to generate orders in dark markets. The FCA is concerned that management is failing to react appropriately to the risks involved, and therefore is not putting in place the right kind of surveillance to identify and report misconduct. The FCA wants to see adequate and robust policies, procedures and training, as well as surveillance systems that can spot relevant indicators like order cancellation rates and order to trade ratios all backed up by appropriate risk assessments and clear and consistent disciplinary procedures.
The fact that the FCA considers it necessary to reiterate past concerns about these practices, and its assertion that it will not hesitate to intervene to protect markets, indicates that firms should re-examine their systems and controls in place to prevent and identify flying and printing.