The vast majority of this week's vendor risk related news stories cover regulatory reform and regulatory change. Read below to see which of the regulators continue to move forward with reform and the major changes from NAFCU.
Industry News for the Week of June 4
Regulatory reform has passed but the smaller banks won’t see much relief: Read here
Mulvaney suggests a more measured approach – based on expectations and number of transactions, among other things – when considering an enforcement action: Read here
Detailed information for SEC investment advisors on what the rollbacks in portions of Dodd Frank mean to them: Read here
Detailed information for community banks on what the rollbacks in portions of Dodd Frank mean to them: Read here
Can RegTech ease the burden of compliance? (Venminder is listed in the Vendor Management chart): Read here
JD Supra on the recent regulatory reforms – excellent legal summary: Read here
CFPB working to eliminate Consumer Advisory panels (full candor – I’ve enjoyed attending the first two subcommittee meetings made available for public participation): Read here
And Mulvaney did so on June 6: Read here
The CFPB says it’s considering a FinTech sandbox: Read here
3 steps to cybersecurity: Read here
New Jersey AG’s office opening new department for cybersecurity (kind of following NYDFS’s lead?): Read here
House Financial Services Committee hearing on CFPB (note: third party risk management mentioned around 20 min, 47 min, 52 min and 1 hr 27 min marks and regulatory lack of coordination in examinations around the 1 hr 4 min mark): Read here
Why are companies so bad at cybersecurity? Read here
Even if you write Visa, MasterCard, Discover, AmEx, etc., out of scope of actively managed vendors, you want to consider what they mean from a business continuity standpoint – case in point with Visa’s overseas outage as a clarion call to plan ahead: Read here
Terrific article on innovative banking helping Puerto Rico – Banco Popular: Read here
Bank boards struggle to add diversity – just one of a myriad of challenges facing the board when regulators expect them to be “on top of” every issue in the institution: Read here
Try to stay out of political angles but when a powerful Senator who was first head of the CFPB is calling for greater regulation and speculating over a Presidential run, it’s worth noting: Read here
What third party risk management is all about: Read here
Knowing when to keep or ditch third parties during a processor conversion: Read here
The clock is ticking – legal analysis of the 72 hour notification standard: Read here
Terrific short blog on effective reporting: Read here
A new frontier – DNA testing service hacked: Read here
How banking reform should look: Read here
NAFCU – as reported – what the changes mean and what they don’t (edited slightly for length):
Written by Brandy Bruyere, Vice President of Regulatory Compliance, NAFCU
With all the information circulating about recent regulatory relief from Congress, there has been some confusion on parts of S. 2155. Some news outlets have called this a "repeal" of Dodd-Frank, which is an overstatement. We have gotten many questions on the new law from credit unions, and we covered one in detail on Friday, but there are a few areas that I wanted to clarify today.
HMDA – The Definition of "Financial Institution" is Unchanged
We have blogged before about the definition of "financial institution" under HMDA and NAFCU members can find a more detailed article here (although it predates an amendment that raised the threshold for open-end loans from 100 to 500). S. 2155 does not amend this definition. Rather, it adds a threshold for which financial institutions will be required to collect and report the data points that Dodd-Frank added to HMDA. In other words, if your credit union is a "financial institution" as defined by HMDA, some data collection and reporting is still required – specifically, the data that was required prior to January 1, 2018.
MBL Relief – the Cap, Not Maturity Limits
Many credit unions have asked whether S. 2155 changes the maturity limit for certain loans. Section 105 of the bill removes certain loans from the statutory Member Business Loan (MBL) cap – loans that are fully secured by a lien on a 1 to 4 family dwelling that is not the primary residence of the member. SB 2155 does not raise the maturity limit for these loans, which is generally 15 years under the Federal Credit Union Act. While some loans can have a 20 year or even up to 40 year maturity limit under section 701.21 of NCUA's regulations, at this time these exceptions have certain conditions, including the home being the "member-borrower's residence" for 20 year maturities and the "principal residence of the member-borrower" for up to 40 year maturities.
On Friday, NCUA approved a rule amending its commercial lending rule to reflect this, which will become effective once the rule publishes in the Federal Register.
QM – Portfolio Loans
Dodd-Frank added a requirement for credit unions to consider a borrower's ability to repay (ATR) for certain residential mortgage loans, while loans meeting specified conditions are "qualified mortgages" with a presumption of compliance with ATR requirements. Section 101 of S. 2155 adds another safe harbor category of QMs to the applicable section of the Truth in Lending Act. This additional QM applies to loans made by insured depository institutions with under $10 billion in assets when certain conditions are met. Specifically, the loan must:
- Be originated and retained in portfolio by the credit union;
- Comply with existing provisions in the ATR/QM rule relating to prepayment penalties;
- Meet the 3% points and fees limitation; and
- Not have negative amortization or interest-only features.
Additionally, the credit union will be required to consider and document "the debt, income, and financial resources" of the member.
Servicemembers Civil Relief Act – Foreclosure Time Period
There is one sentence in section 313 of S. 2155 that impacts the SCRA: Section 710(d) of the Honoring America's Veterans and Caring for Camp Lejeune Families Act of 2012 (Public Law 112–154; 50 U.S.C. 3953 note) is amended by striking paragraphs (1) and (3).
This references the provision of the SCRA that provides protection to service members from foreclosure for a year following active duty service. While the original SCRA provided for 9 months of protection, Congress had extended this to a year but with an expiration date that periodically was extended by law. Rather than continually reconsidering whether to extend this provision, section 313 deletes the expiration language.
Elder Abuse – Training Required
Section 303 of S. 2155 carves out immunity from a civil or administrative proceeding for individuals who disclose suspected exploitation of a senior citizen to certain entities if specific conditions are met, including receiving particular training. While section 303 does discuss content requirements for such training, this seems to be an area where regulatory guidance will be needed to provide a clearer pathway.
Implementation and Effective Dates
While NCUA was rather quick to finalize an amendment to the MBL rule, the agency was able to assert that this change did not require the notice and comment period typically required before rules can be finalized. Other changes from S. 2155 are not as clear and will need to be implemented by regulators. Also, some provisions have specific and varied effective dates – for example, amendments to the SAFE Act are effective 18 months after enactment.
Overall, the law provides regulatory relief that should help credit unions. However, NAFCU supports continued efforts to secure further regulatory relief for credit unions by continuing to work on our advocacy priorities.
It's a best practice to keep your vendor risk management program up-to-date with the issuance of major regulatory guidance.