Welcome to this week's newsletter, where we delve into crucial developments shaping the financial landscape.
There was plenty going on this week, like the big bank CEOs appearing at the Senate Banking Committee, or the OCC’s guidance on Buy Now, Pay Later Lending for National Banks and Federal thrifts that we could have highlighted, but seem well covered elsewhere. Instead, I wanted to highlight the important speech Fed Vice Chair of Supervision Michael Barr gave at the end of last week on liquidity risk management and his encouragement for firms to test their access to the discount window through test transactions in good times.
My colleague Mercedes Tunstall discusses the final segment of her four part series covering the Consumer Financial Protection Bureau's proposed rule on personal financial data rights.
Maurine Bartlett and Michael Gambro dive into the SEC's finalization of their rule prohibiting conflicts of interest in securitizations. Plus, Alix Prentice explores the UK's Financial Conduct Authority and how they are considering rule changes allowing overseas funds to market to UK retail customers, and Sukhvir Basran comments on the EU Council’s new green bond standard.
We’re always here for comments and questions. Just drop me a note here.
Daniel Meade
Partner and Editor, Cabinet News and Views
Last Friday, Michael Barr, the Federal Reserve Board’s (“FRB”) Vice Chair for Supervision, delivered remarks to the ECB Forum on Banking Supervision in Frankfurt, Germany entitled The Importance of Effective Liquidity Risk Management.
Vice Chair Barr summed up his own remarks as focusing “on how banks manage liquidity risk, the role of the central bank's discount window lending in this process, and the importance of robust liquidity planning for good times and bad.” He noted the bad times for some large regional banks this spring showed the impact that poor interest rate and liquidity risk management caused a lack of confidence among depositors that in turn caused “old-fashioned bank runs, the speed of which was anything but old fashioned.”
While acknowledging that the spring bank failures could not have been prevented just through better use of the Federal Reserve’s discount window, he said that one of the lessons learned was to be better prepared. He went on to note that “[g]reater operational readiness can provide for greater optionality when a bank hits a bout of turbulence. Ready access to sufficient liquidity provides breathing room for a bank to determine and execute its path forward.” He highlighted that one important step to readiness is pre-positioning collateral and testing discount window access through actual transactions. Vice Chair Barr recognized that some banks may be afraid of perceived stigma to actually using the discount window, even in just a test, or when it was a rational choice because it was the cheapest funding. He went on to state that in response to that perceived stigma (including among examiners), “we at the Federal Reserve have been underlining the point to banks, supervisors, analysts, rating agencies, other market observers, and the public, through numerous channels, that using the discount window is not an action to be viewed negatively. Banks need to be ready and willing to use the discount window in good times and bad.”
Vice Chair Barr’s speech in Frankfurt was an important reminder that for the discount window to be an effective source of liquidity in times of stress, adequate planning and pre-positioning need to take place. He also noted in response to a question afterward that it may be just as important for supervisors and policy makers to continue making the point that is often made in an emergency (e.g., 9/11/2001) – that the discount window is open and available – should be made in good times too, so that prudent testing of the channel is not viewed by the market as weakness.
This final installment of our coverage on the Consumer Financial Protection Bureau’s proposed rule regarding “personal financial data rights” builds upon concepts and concerns covered in our earlier posts. For an overview of the rule, read our first installment. To understand what entities would need to comply with the proposed rule, read our second installment. To better understand the obligations and technology requirements of the proposed rule, read our third installment.
As promised, this fourth and final installment picks up on a few issues not already discussed and highlights portions of the proposed rule that are likely to cause great conflict and consternation for the entities subject to the rule. First, and this is an issue that is ripe for conflict, is the compliance timelines included in the proposed rule. As ever, the CFPB continues to push for aggressive compliance timelines and to default on pushing the largest institutions to comply with the proposed rule first. In this case, the proposed rule requires full compliance for the largest data providers (i.e., depository institutions that hold at least $500B and nondepositories that generated at least $10B in revenue) within six months of the final rule being published; one year for smaller data providers (i.e., depository institutions that hold at least $50B, but less than $500B or nondepositories that generated less than $10B); and then two-and-a-half years ($850MM, but less than $50B) and four years (less than $850MM) for the smallest depository institutions. There are no timelines for compliance given for the “authorized third parties” and the “data aggregators,” indicating that the data provider institutions are expected to drive compliance by requiring these third parties to meet the new standards, reporting and protocols.
The author has spent many years working with a wide variety of financial institutions over the years on technology-related issues, and is only too aware of how changing technology requirements, especially technology requirements relating to the collection, maintenance, reporting and use of protected information requires a lot of time to get right. Six months to completely change the handling of information designated as “covered data” according to this rule is an impossible timeframe, even just for internal changes, much less when the financial institution will have to ensure that third parties change how they do business to accommodate that financial institution’s need to comply with the law. For most financial institutions, but particularly the largest financial institutions, the sheer number of systems, databases and processes that would need to be involved in the changes contemplated by the proposed rule is daunting. The reason that the largest financial institutions have the greatest number of systems affected is due to the persistence of legacy systems in their system architecture. (Indeed, at one point along the way, the author worked with a financial institution that was managing its account records via a souped-up version of airline reservation software from the 1970’s. Several systems had been built like scaffolding around that core system, of course.) Without getting into too much technical discussion, the reason legacy systems persist is often because the amount of downtime and costs related to completing transition from that legacy system are both astronomical and operationally inconceivable. And the largest financial institutions are the ones that are most likely to have the most complex architectures that include multiple sets of legacy systems and their adjacent scaffolding. To this observer, even with their impressive resources, the largest financial institutions will not be able to meet a year-long compliance timeframe, much less a six-month compliance requirement.
Reasonable minds may question whether the technology changes needed internally to comply will actually be all that difficult. After all, financial institutions have been made to comply with privacy laws for many years and imposing a new set of requirements upon the disclosure and sharing of protected information should be expected and anticipated. At this point, it is useful to delve into the scope of “covered data” for purposes of the proposed rule. Covered data includes those data elements that are standard fare from a privacy perspective, including name, address, email address, phone number, and account number. However, the definition of covered data in the proposed rule also includes information that is not typically covered by privacy laws, such as the terms and conditions of products and services the customer has obtained, including fee schedules and whether the consumer has opted into overdraft coverage or opted out of an arbitration agreement. Further, the definition of covered data also extends to transaction-level information and tokenized account information, both of which may be accessed by third parties today, but only under the auspices of privacy policies maintained by those third parties and enforced against the third parties by the consumer, not under the financial institution’s own privacy policies and privacy and security-related obligations. The CFPB’s proposed rule therefore has the added dimension of increasing a financial institution’s privacy and security obligations and exposures under other laws, including, but not limited to, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and the Authentication Guidance from the Federal Financial Institutions Examination Council (“FFIEC”).
Layering on top of the “strange bedfellow” data elements in the definition of covered data are two additional issues that are likely to rankle the industry. First, is the proposed rule’s requirement that zero fees be charged to customers for providing this information. The CFPB has been very clear under the Biden administration that fees of any kind charged by banks for the services they provide in the retail sector are viewed suspiciously at best, and at worst, should not be charged at all. Thus, the proposed rule’s ban on fees is not unexpected. But given the scope of the proposed rule and the work that financial institutions must do internally and externally vis a vis the authorized third parties and data aggregators, banning fees outright is pouring salt in the wound. Second, the proposed rule prohibits financial institutions from limiting the number of times an authorized third party can request data except when the denial is reasonably related to risk management concerns, meaning “at a minimum, [the denial must] be directly related to a specific risk of which the data provider is aware, such as a failure of a third party to maintain adequate data security.” According to this characterization of what is “reasonable” a generic denial of requests for data that exceed a certain volume over time, such as the kinds of problems that lead to DDOS attacks, would not be sufficiently reasonable because it is not tied to a “specific risk” predicated upon knowledge the financial institution has of the requesting authorized third party. Even if the requests fall short of a DDOS attack, but are persistent and frequent – with authorized third parties refreshing their information every minute of the day, 24/7, for example – accommodating such volumes will require an extremely robust interface and intense security controls, all the more reason why there is likely to be much pushback regarding the proposed rule’s short compliance timeframes.
These points of conflict aside, the CFPB’s proposed rule presents an innovative framework for fostering an environment where consumers can freely move between financial service providers, a concept called “open banking” that gives consumers meaningful control over their data and allows them to “walk away from bad service.” By conceiving of categories for each participant in the open banking environment, the proposed rule introduces definitions and roles that have not been well articulated previously, but may now be used to help drive conversations and innovations.
On November 27, 2023, the Securities and Exchange Commission adopted Rule 192 under the Securities Act of 1933, a rule that is designed to prohibit “material conflicts of interest” in certain securitizations. Rule 192 implements Section 621 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, which was codified as Section 27B of the Securities Act.
Subject to certain exceptions, Section 27B prohibits certain participants in asset-backed securities securitization transactions from engaging in transactions within a designated time period that would involve or result in any “material conflict of interest.” Section 27B directed the Commission to issue rules implementing this prohibition no later than 270 days after the enactment of Dodd-Frank (i.e., within 270 days of July 21, 2010).
Further details are discussed in our recent Client & Friends Memo here authored by Maurine Bartlett and Michael Gambro.
The UK’s Financial Conduct Authority (“FCA”) is consulting on changes to its rules to allow funds domiciled outside the UK to market to UK retail customers.
The proposal is based around the operation of the Overseas Funds Regime (“OFR”), which enables the UK government to make equivalence decisions on qualifying jurisdictions based on: (a) adequacy of cooperation agreements between the FCA and the relevant overseas regulator; and (b) equivalent consumer protections. The FCA’s new rules put in place structures and process details that the FCA will use to register schemes as appropriate for distribution in the UK once an equivalence decision has been reached about a particular jurisdiction under the OFR. FCA decisions may be subject to certain conditions, and recognised funds will be subject to ongoing notification requirements as they change over time. The consultation also notes that the FCA’s Sustainability Disclosure Requirements ("SDR") (which set rules to stop exaggerated or misleading sustainability-related claims) do not apply to schemes domiciled abroad, but in order to ensure that all schemes marketed to UK investors are subject to the same requirements, the FCA will be working to understand options for extending the SDR to overseas recognised schemes.
Applying for Recognition
Following an equivalence determination, scheme operators in recognised jurisdictions may make an application for OFR recognition under Section 217A of the Financial Services and Markets Act 2000. The consultation sets out the data the FCA proposes to request from applicants and how it proposes to use that information. Given that the applicants will be established in a jurisdiction that already has been approved as equivalent, a proportionate approach will be taken to data collection, which will include basic details (name, address, legal structure and fund type, etc.), investment objectives, policy and strategy (including focus, if any, on ESG factors), fees and charges, connected parties, marketing and distribution plans and characteristics of the units available to UK investors. For umbrella funds, this will include information at umbrella and sub-fund level.
Notifying Changes
As they occur within the lifecycle of a fund, the FCA wants to know about changes to OFR recognised schemes’ most important features, chiefly in order to make sure that the schemes remain compliant with the conditions for recognition. Changes that will require notification prior to taking effect will include changes to legal structure, termination of a scheme in its home jurisdiction, home supervisory sanctions, suspension of dealing in the scheme’s units and matters that would have a significant negative effect on UK investors such as a material increase in fees or change in redemption terms.
Enhanced Disclosures
The Government has decided that investors in schemes accessing the OFR will not be able to complain to the Financial Ombudsman Service (“FOS”) or, in the event that the scheme is unable to meet its liabilities, access to the Financial Services Compensation Scheme (“FSCS”). The consultation’s proposals include requirements to clarify this scope in financial promotions, the fund prospectus and in point of sale disclosures such as the key investor information document or KIID.
Next Steps
Feedback is due by 12 February 2024 and a final policy statement with final rules expected in the first half of 2024.
On October 25, 2023, the European Council adopted the European Green Bond Standard (EU GBS), a new voluntary regime for green bonds that aims to solidify the EU's position as a leader in sustainable finance, reduce greenwashing, and enhance investor protections. The EU GBS is intended to be the "gold standard" for green bonds and requires that all bond proceeds be allocated in alignment with the EU Taxonomy for sustainable activities. Issuers from both within and outside the EU can issue and market their bonds as “European green bonds” (EuGBs) if they adhere to the requirements of the EU GBS.
The EU GBS was first proposed by the European Commission on July 6, 2021, setting out requirements for environmentally sustainable bonds marketed in the European Union as EuGBs, and has been the subject of extensive negotiations between the European Commission, the European Parliament, and the European Council. In February 2023, the legislators reached a “provisional agreement on European green bonds” and on May 10, 2023, a draft overall compromise was agreed to by the Council’s permanent representatives’ committee.
The Regulation
The key aspects of the regulation are as follows:
Next Steps
The regulation will enter into force 20 days from the date of publication in the Official Journal of the European Union and will start applying 12 months after its entry into force.
Final Thoughts
The EU GBS is an ambitious standard, surpassing existing guidelines and labels in the green bond market. It is expected to be initially utilized by EU institutions and “pure play” issuers, but broader adoption hinges on the usability of the EU Taxonomy. Challenges related to assessing criteria like Do No Significant Harm and Minimum Safeguards, data availability, and reliance on EU legislation raise concerns about the flexibility provided for issuers.
The EuGB label's relevance may primarily extend to EU issuers reporting in line with the Corporate Sustainability Reporting Directive, while non-EU issuers might be more inclined towards voluntary disclosures aligned with wider sustainable finance market standards. It is becoming increasingly common for such standards to be designed to be cohesive with one another, and this latest development will help towards closing any gaps. The success of the EU GBS depends on factors such as investor demand, pricing advantages, and incentives for issuers to shift from existing market practices.
The stricter penalties associated with the EU GBS will undoubtedly influence issuers, which are becoming increasingly aware of the reputational and legal risks involved in issuing EuGBs, including based on disclosures in the ESG bond prospectuses. While the EU GBS is the first formal effort to regulate the green bond market, the growing emphasis on accountability and transparency likely will lead other regulators to follow suit. The UK’s Financial Conduct Authority has stated that it will examine various approaches to ESG disclosure in prospectuses as part of UK prospectus reforms. It remains to be seen how this evolving regulatory landscape, along with shifting investor expectations, will impact the global sustainable bond market, and whether the EU GBS will eventually encourage issuers to adopt more ambitious strategies when seeking funding for their green projects.
(This article originally appeared in Cadwalader Climate, a weekly newsletter on the ESG market.)