Another summer week and more significant guideline announcements from the CFPB, the FTC, the FRB and the CFTC. We're paying attention, and encouraging you to take a closer look in this week's Cabinet News and Views.
In the heat of summer, the nation’s top consumer protection agencies have issued startling and transformative statements and rules regarding data practice.
First up, the Consumer Financial Protection Bureau issued a so-called “interpretive rule” (which means that no one was provided advance notice of the rule nor had the ability to challenge rule provisions) that concluded that digital marketing companies, particularly those that have major search engines on which companies can buy advertising, are “service providers” for purposes of the Consumer Financial Protection Act (“CFPA”). This rule means that such companies can, and presumably will, be held liable for violations of consumer financial services laws for advertisements that do not carry the proper disclosures or for marketing tactics that are deemed to be unfair, deceptive or abusive by the CFPB. Director Chopra noted in an accompanying speech that the “growing interest from Big Tech companies to find new ways to harvest and monetize our personal financial data” were behind the reason for the rule, referencing in particular a lawsuit HUD brought against Facebook alleging violations of the Fair Housing Act, because Facebook’s systems help advertisers limit the audience for ads and target specific groups of people, to the exclusion of protected classes.
Next, the CFPB issued a circular that reminded the consumer financial services industry about its obligations to protect data and ensure security for sensitive consumer information. The circular is written in a question-and-answer format and includes the CFPB’s conclusion that failures to reasonably protect consumer information can and should constitute an unfair, deceptive or abusive act or practice under the CFPA. Largely referencing precedent from the Federal Trade Commission (“FTC”), the CFPB identified at least the following as basic elements for data protection (none of which are new): multi-factor authentication for customers to access their data; adequate password management internally (i.e., requiring employees to change their passwords regularly and to use strong passwords); and timely software updates to any programs that have access to or that process customer data.
Finally, on August 11, the FTC issued an advance notice of proposed rulemaking (“ANPR”) regarding whether “new trade regulation rules or other regulatory alternatives concerning the ways in which companies (1) collect, aggregate, protect, use, analyze, and retain consumer data, as well as (2) transfer, share, sell, or otherwise monetize that data in ways that are unfair or deceptive” are needed. The initial comment period for industry to address 95 separate areas of inquiry is sixty (60) days, and the FTC will hold a public forum on September 8 to discuss the ANPR.
This week, the Federal Reserve Board (“FRB”) made two announcements of particular interest to the crypto-asset sector. First, on August 15, the FRB announced its final guidelines establishing factors for Reserve Banks to use in reviewing requests to access FRB accounts and payment services. Second, on August 16, the FRB issued SR/CA Letter 22-6 regarding engagement in Crypto-Asset-Related Activities by Federal Reserve-Supervised Banking Organizations.
FRB Account Guidelines
While the guidelines on approving access to FRB accounts is not just applicable to crypto-asset firms, those firms, along with other fintech firms, are particularly interested in the guidelines. As we noted in March when the FRB re-proposed the guideline, many crypto-currency exchanges or custodians seek access to Reserve Bank accounts and services to better integrate with the payments system. The FRB stated that the final guidelines are “substantially similar” to the proposals and that it would keep the three-tier framework for the review process for different types of institutions.
Tier 1 review would generally be less intensive and more streamlined. It would only be available to consist of eligible institutions that are federally insured.
Tier 2 review would generally be an intermediate level of review. It would apply to eligible institutions that are not federally insured but (i) are subject (by statute) to prudential supervision by a federal banking agency; and (ii) any holding company subject to Federal Reserve oversight (by statute or by commitments).
Tier 3 review would generally be the strictest level of review. Tier 3 institutions consist of eligible institutions that are not federally insured and not subject to prudential supervision by a federal banking agency at the institution or holding company level.
Crypto-Asset-Related Supervisory Letter
The FRB issued a supervisory letter giving guidance to state-member banks and bank holding companies engaged in or interested in engaging crypto-asset-related activities. The theme for the FRB this week may just be “substantially similar,” as in addition to the final guidelines noted above being substantially similar to the proposals, the FRB’s supervisory letter is substantially similar to letters issued by the OCC and FDIC (which we discussed in April).
As required by the FDIC and the OCC, the FRB will also require FRB-supervised organizations to “notify its lead supervisory point of contact at the Federal Reserve prior to engaging in any crypto-asset-related activity.” Institutions already engaged in crypto-asset-related activities should also provide notice to its point of contact. The FRB also encouraged state-member banks to notify their state regulator.
On August 12, the Commodity Futures Trading Commission (“CFTC”) issued a final rule amending its Regulation 50.4(a) clearing requirements for swaps.
The latest in a series of rulemaking that is supportive of the financial industry’s transition away from interbank benchmarks, the new final rule adjusts CFTC clearing requirements to reflect this change.
(1) Effective 30 days from publication in the Federal Register:
- interest rate swaps referencing certain LIBOR rates (GBP LIBOR, CHF LIBOR, JPY LIBOR, EUR LIBOR and EONIA) no longer require clearing to a registered or exempt derivatives clearing organization (DCO);
- interest rate swaps referencing certain alternative reference rates (CHF Swiss Average Rate Overnight, JPY Tokyo Overnight Average Rate, and EUR Euro Short Term Rate (€STR)) will require clearing by a DCO;
- the termination date range is extended for GBP Sterling Overnight Index Average overnight index swaps.
(2) Effective October 31:
- overnight index swaps referencing USD Secured Overnight Financing Rate (SOFR) and SGD Singapore Overnight Rate Average (SORA) require clearing by a DCO.
(3) Effective July 1, 2023:
- interest rate swaps pegged to USD LIBOR and SGD Swap Offer Rate (SOR-VWAP) no longer require clearing.
CFTC Chairman Rostin Behnam remarked that the new rule provides “legal certainty and regulatory transparency for DCOs, market participants, and our fellow international authorities,” and Commissioners Kristin N. Johnson and Christy Goldsmith Romero issued supportive statements.
Notably, Commissioner Caroline D. Pham concurred, but set the stage for no-action relief requests in her statement, emphasizing the importance of “international harmonization and a practical approach” to rulemaking, suggesting that the effective date should coincide with the Bank of England’s proposed effective date of October 31 and that the CFTC should hold off on clearing requirements for interest rate swaps tied to Swiss and Singaporean rates until their respective regimes have published their own swap-clearing requirements.