Insights from Winston & Strawn
In this edition, we discuss at length two recent developments in the area of bank regulation: first, the D.C. Circuit’s decision that the structure of the Consumer Financial Protection Bureau (“CFPB”) violates the U.S. Constitution; second, the federal bank regulators’ release last Wednesday of a joint advance notice of proposed rulemaking on enhanced cyber risk management standards.
On October 11, the U.S. Court of Appeals for the District of Columbia Circuit, in a majority decision, decided PHH Corporation v. CFPB, holding that the structure of the CFPB was unconstitutional because its Director was not removable at will by the President. Under the Dodd-Frank Act, the Director of the CFPB may only be removed for cause, i.e. “inefficiency, neglect of duty, or malfeasance in office.” Thus, the Court believed that the Dodd-Frank Act’s delegation of power to the Director to enforce 19 different consumer protection laws violated the separation of powers provisions of the U.S. Constitution vesting executive power in the President, who is to take care that the laws of the United States be faithfully executed. To do that, the President must appoint and control subordinate officers. In a 1926 case, the U.S. Supreme Court recognized the President’s authority to remove those subordinate officers at will. The D.C. Circuit in the PHH case, focusing on history and longstanding tradition, which is how the Supreme Court has resolved separation of powers cases, found that no executive agency exercising substantial authority has ever been held by a single person who was not subject to removal at will by the President, such person, thus, being unaccountable. The court distinguished multi-member independent agencies whose members can only be removed for cause, the constitutionality of which the Supreme Court upheld in 1935; in such cases, each of the various members of the agencies serves as a restraint on the other members, the court concluded. Rather than shut down the CFPB, the court remedied the constitutional flaw by severing the unconstitutional “for cause” provision from the statute, thereby conferring on the President the authority to remove the Director of the CFPB at will.
One consequence of the constitutional ruling is that if it becomes final, the CFPB would no longer be considered an independent agency, but would be deemed to be an executive agency whose proposed rules would be subject to cost-benefit review by the federal Office of Management and Budget (“OMB”). That could affect pending arbitration and payday rulemakings, a future debt collection rulemaking, and possibly even past rulemakings (the court did not consider the decision’s ramifications for past agency actions). Last Wednesday, House Financial Services Committee Chairman Jeb Hensarling (R-TX) suggested in a letter to the Director of the CFPB that the court ruling subjects current rulemakings to the OMB process.
PHH Corporation, a mortgage company, had been accused, in January 2014, by the CFPB of violating the Real Estate Settlement Procedures Act (“RESPA”) prohibition against payment of referral fees in connection with home mortgage loan transactions. An affiliate of PHH reinsured mortgage insurance purchased from third-party insurers by borrowers served by PHH, and the reinsurance affiliate received insurance premiums for doing so. Before the CFPB was established, RESPA enforcement fell to the U.S. Department of Housing and Urban Development, which had long interpreted RESPA to permit the payment of such insurance premiums despite the prohibition against the payment of referral fees. The CFPB rejected that view and undertook an enforcement action against PHH, and an administrative law judge ordered disgorgement of $6.44 million by PHH. PHH appealed that decision to the Director of the CFPB, who increased the amount to $109 million, in part ruling that RESPA’s three-year statute of limitations does not apply to administrative actions. Thus, the CFPB punished conduct that commenced 15 years earlier.
The court unanimously, without deferring to the CFPB, held that the CFPB must, in its administrative actions, abide by statutes of limitations. The court pondered why Congress, in imposing a statute of limitations, would distinguish between court actions and administrative actions and why it would not apply the statute of limitations to the administrative actions, thereby permitting enforcement actions to be brought decades after the fact. Firms that have settled with the CFPB for large penalties for violations older than the applicable statute of limitations may arguably have a basis for requesting a reduction in penalty. The day after the PHH decision, the American Banker published an article entitled, “Will CFPB Ruling Spur Banks to Reopen Old Enforcement Actions?” The consensus of experts cited in the article was that settlements are final and may not now be reopened; however, the court expressly stated in a footnote that it has not considered the legal ramifications of its decision for past agency actions.
This could also have ramifications for enforcement actions by other agencies, including the federal prudential regulators. Most bank regulatory enforcement actions are under the cease and desist authority provided in Section 8 of the Federal Deposit Insurance Act, which does not include a statute of limitations. However, the U.S. Code contains a general five-year statute of limitations.
The court also, again without deferring to the CFPB, ruled unanimously that the CFPB had misinterpreted RESPA and also violated the Due Process Clause by applying its interpretation of RESPA retroactively. On the due process point, the court characterized the CFPB’s penalizing PHH for engaging in conduct as to which PHH had no notice was, in the view of the CFPB, unlawful as violating “Rule of Law 101.”
The CFPB has until November 25 to seek en banc review by the entire D.C. Circuit and December 29 to file a petition for certiorari in the U.S. Supreme Court with a possible 60-day extension thereafter. As matters currently stand, the court’s mandate order would not take effect until at least seven days after an appeal is filed. Of course that mandate could be deferred in the event of an appeal.
On October 19, the Office of the Comptroller of the Currency, the Federal Reserve Board, and the FDIC invited comment on an advance notice of proposed rulemaking (“ANPR”) regarding enhanced cyber risk management standards for large and interconnected entities under their supervision and the service providers to such entities. The regulators’ purpose is to increase the operational resilience of these entities and reduce the impact of a cyber event at one of the large banking organizations. The ANPR addresses five areas: (1) governance of cyber risk; (2) monitoring and management of cyber risk within risk tolerances approved by the board of directors; (3) management of internal “dependencies” (i.e. the business assets such as workforce, data, technology, and facilities, upon which a firm depends to deliver services); (4) management of external “dependencies” (i.e. a firm’s relationships with outside vendors, suppliers, customers, and utilities that a firm depends on to deliver services); and (5) incident response, cyber resilience, and situational awareness. Consideration is being given to imposing more stringent standards (including substantial mitigation of the risk of a disruption due to a cyber event) on entities critical to functioning of the financial system, firms that the regulators call “sector-critical systems.” It is suggested that such systems would include any firm that consistently clears or settles five percent of the value of transactions in markets for federal funds, foreign exchange, commercial paper, U.S. Government and agency securities, and corporate debt and equity securities. The agencies are also considering whether a bank that holds five percent or greater of total U.S. deposits should be considered a sector-critical system. They ask whether substitutability and interconnectedness might also be considered as factors, as well as whether providers of key functionalities for which alternatives are limited or take excessive time to implement might also be considered to be sector-critical.
Of course, banks rely heavily on technology, and, as that reliance grows, opportunities for technology failures and cyber-attacks grow. Because the financial system is interconnected, an incident at one firm may affect others and have a potentially systemic effect on payments and credit. The federal bank regulators have long examined banks for information technology (“IT”) and also examine third-party service providers that support banks. Since 1978, the federal bank regulators have given banks and their technology service providers URSIT (Uniform Rating System for Information Technology)ratings. The new standards would not replace those ratings, but inform them. Since 2003, the Federal Financial Institutions Examination Council (“FFIEC”) has published handbooks to guide bank examiners on IT, and those handbooks would continue to be used. Just last year, the FFIEC issued a voluntary Cybersecurity Assessment Tool for financial institutions to use to self-assess cyber risks and preparedness. There have been many other developments in the area of cybersecurity that the agencies have taken into account in fashioning the proposed enhanced standards.
The enhanced standards would apply to banking firms with total consolidated assets of $50 billion or more on an enterprise-wide basis and to “systemically important financial institutions” as well as to third-party service providers to such covered firms. The agencies ask whether the scope of the standards should be determined by asset size or by number of connections to other financial firms and whether special consideration should be given to insurance and commercial companies that may be covered because they happen to be savings and loan holding companies. Higher expectations in four of the five categories of standards would apply to sector-critical systems.
In the area of cyber risk governance, the board of directors or a committee thereof would be responsible for approving a written cyber risk management strategy that is incorporated into the firm’s overall risk management strategy and for holding senior management accountable for policies consistent with that strategy. The cyber risk strategy would articulate how the firm will address cyber risk and maintain resilience, establishing cyber risk tolerances. To do this, the firm would need to identify its activities that give rise to cyber risks and assess them. The agencies are considering requiring cybersecurity expertise on boards or at least board access to such expertise. The agencies would expect boards to provide credible challenge to management in these matters. The agencies are also considering whether senior cyber management should be independent of line management with direct access to the board of directors.
In the area of cyber risk management, it is to be integrated into business units, independent risk management, and the audit function. Business units are to assess cyber risk on an ongoing basis, ensuring that information is shared and also being assured of resources to control cyber risk. Independent risk management would include cyber risk management and analyze it enterprise-wide, notifying the CEO and board of any concern, providing cyber risk independence, stature, authority, resources, and access to the board of directors. The audit function would be expected to assess whether the firm’s cyber risk management framework is adequate, incorporating that into its overall audit plan.
In the area of internal dependency management, this requires a current and complete awareness of a firm’s internal assets and business functions that support its cyber risk management. That would require an inventory of business assets prioritized by criticality, thereby facilitating prioritization of monitoring, incident response, and recovery. The agencies also are considering requiring periodic testing of back-ups.
As to external dependency management, this appears to encompass standard regulator vendor management expectations concerning due diligence, contracting and sub-contracting, onboarding, ongoing monitoring, change management, and off boarding. This would also entail creating inventories and risk-ranking. The agencies are also considering mandating identification and periodic testing of alternative solutions in case an external partner fails to perform as expected.
In the case of incident response, cyber resilience, and situational awareness, the agencies would expect firms to plan for, respond, contain, and recover from disruptions caused by cyber incidents. That would include plans to identify and mitigate cyber risks posed through interconnectedness to partners to prevent cyber contagion. Recovery strategies are to address potential for malware or corrupted data to replicate through connected systems and also the potential for multiple concurrent interruptions. Protocols for secure, immutable, off-line storage of critical records may be required. Critical records would include financial records of the firm, loan data, asset management account information, and daily deposit account records, including balances and ownership details, formatted using defined data standards to allow for restoration. Transition plans for transfer of business to another firm may also be expected. Specific testing, some joint with service providers, also may be expected.
Comments on the ANPR are to be filed by January 17, 2017. Of course, since this is an advance notice, the agencies would provide an opportunity to comment on whatever more detailed proposal they develop after receiving comments on the ANPR.
Feature: U.S. Federal Banking Regulators Seek Comment on Proposed Enhanced Cybersecurity Risk Management Standards
Taking “a more proactive than reactive approach” in their continuing efforts to help the nation’s largest banks withstand a major cyberattack, the Federal Reserve Board (“Board”), the Federal Deposit Insurance Corporation (“FDIC”), and the Office of the Comptroller of the Currency (“OCC”) (or collectively, “the agencies”) announced on October 19th that they have jointly approved an advance notice of proposed rulemaking (“ANPR”) requesting comment on a set of enhanced cybersecurity risk management standards for large and connected entities under their supervision, as well as services provided by third parties to those entities.
The Board, the FDIC and the OCC are looking to apply the enhanced cybersecurity risk management standards to depository institutions and depository institution holding companies that have total consolidated assets of $50 billion or more; the U.S. operations of foreign banking organizations with combined U.S. assets totaling $50 billion or more; and financial market infrastructure companies as well as nonbank financial companies that are supervised by the Board. The recommended enhanced cybersecurity risk management standards would not apply to community banks.
In order to benefit from comments on all facets of the potential enhanced cybersecurity risk management standards, the agencies issued the ANPR before drafting a more detailed proposal for consideration. The agencies disclosed five categories they hope to address by implementing the proposed rules: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness. Comments on the ANPR are due by January 17, 2017.
Pursuant to the proposal, banks would have to follow several steps which include:
- Cybersecurity maintenance and management: A bank’s board would have to guarantee that it has “adequate expertise in cybersecurity” as well as the capability to “maintain access to personnel with such expertise.” In addition, cybersecurity executives would need to bee independent from a bank’s high-ranking officials, as well as have “direct independent access” to the board.
- Retaining three lines of defense for banks in terms of internal management: Those who are tasked to make business decisions would be required to evaluate cybersecurity risks from the very beginning. Banks would also be required to have an “independent risk management function,” which would report to the Chief Risk Officer and board on the management of the company’s cybersecurity program. Also, banks would be required to have an audit function that would measure whether a company’s cybersecurity program is appropriate in relation to its size and risk profile.
- Monitoring all internal and external liabilities on a continuous basis: Internally, the firms would have to maintain a record of business assets, and set up “appropriate controls” to protect those assets. The companies would also have to occasionally review the cyber risks associated with its connections to third parties and “periodically test alternative solutions” in case those entities do not institute adequate cyber controls.
- Catastrophe planning: In addition to preparingfor potential cyber attacks, banks would also need to develop the ability to maintain their “core business functions,” even when there is a power outage or other critical event. Companies would be required to have their critical data protected in “secure, immutable, offline storage.” If necessary, this data would need to be formatted in such a way that it could be restored by another financial institution, a service provider, or the FDIC acting “as receiver.”
Furthermore, some financial institutions that are considered “critical” to the industry (such as clearing houses and large service providers) would face even higher standards, as they would have to implement “the most effective, commercially available controls” and be able to regain control of their critical systems within two hours of an attack.
The agencies noted that the proposed standards would not replace pre-existing policies and guidance, as they:
- would not replace the 1978 Uniform Rating System for Information Technology used by regulators to determine a firm’s cyber risks, although they might add to it;
- are not as broad as the National Institute of Standards and Technology’s cybersecurity structure since they would only apply to the largest firms;
- would be enforced more vigorously than the Federal Financial Institutions Examination Council’s (“FFIEC”) Cybersecurity Assessment Tool, which is voluntary; and
- would not affect the FFIEC’s 2003 IT handbook, which sets standards for examiners reviewing financial institutions.
Richard Cordray, head of the Consumer Financial Protection Bureau (“CFPB”) and a member of the FDIC board,stated that it is “kind of remarkable to sit and think that in the course of just a generation … we’ve gone from a situation where institutions had no dependence on IT to ... [what] feels like an utter dependence on IT.”
Banking Agency Developments
OCC Releases FAQs on FFIEC Cybersecurity Assessment Tool
OCC Hosts Risk Governance and Credit Workshops in Houston
On October 17th, the OCC announced that it will host two workshops in Houston, Texas, at the Royal Sonesta Hotel Houston, November 29-30, for directors of national community banks and federal savings associations supervised by the OCC. The Risk Governance workshop on November 29th will combine lectures, discussion, and exercises to provide practical information for directors to effectively measure and manage risks, and will focus on the OCC’s approach to risk-based supervision and major risks in the financial industry. The Credit Risk workshop on November 30th will focus on credit risk within the loan portfolio, such as identifying trends and recognizing problems, and will cover the roles of the board and management, how to stay informed of changes in credit risk, and how to effect change. This is the last Credit Risk workshop for 2016.
OCC’s Mutual Savings Association Advisory Committee Charter Renewed
On October 17th, the OCC announced that it has renewed the charter of its Mutual Savings Association Advisory Committee, which advises the agency on issues and opportunities facing mutual savings institutions. Federal Register Notice.
Securities and Exchange Commission
Corporation Finance Updates C&DIs on Securities Act Rule 701
On October 19th, the Securities and Exchange Commission’s (“SEC”) Division of Corporation Finance updated its Compliance and Disclosure Interpretations (“C&DIs”) on Securities Act Rule 701, which provides an exemption for securities offered by private companies pursuant to compensatory benefit plans and contracts. The Division revised C&DI 271.014 to address the application of Rule 701 to a private company’s outstanding options that are acquired by a non-exempt company as part of a merger transaction so that they become exercisable for shares of the acquiring company. The Division also published new C&DI 271.24, which addresses the timeframe in which an issuer must supply additional information required under Rule 701(e) following the sale of restricted stock unit awards.
Corporation Finance Offers Additional Guidance on Holding Period for Securities Issued Under Individually Negotiated Employment Agreements
On October 19th, the SEC’s Division of Corporation Finance revised its C&DIs on Securities Act Rule 144(d) concerning the holding period for restricted securities. The Division updated C&DI 532.06, which addresses the commencement of the Rule 144(d) holding period for restricted securities issued under an employee benefit, to explain how the rule applies to restricted securities issued as part of an individually negotiated employment agreement, including awards in which the vesting of securities is conditioned solely on continued employment and awards that require additional payment upon exercise, conversion or settlement. C&DI 532.06.
Corporation Finance Offers Guidance on Pay Ratio Disclosure Requirements under Regulation S-K
On October 18th, the SEC’s Division of Corporation Finance published five new C&DIs on Item 402(u) of Regulation S-K, which concerns new requirements for a public company to disclose the pay ratio of its chief executive officer to the median compensation of its employees. The new C&DIs address questions about alternative consistently applied compensation measures (“CACM”) to identify the median employee, the impact of furloughed employees on the identification of the median employee, and the circumstances in which an employee can be considered an independent contractor under the rule. Regulation S-K C&DIs.
Speeches and Statements
Wyatt Says OCIE Will Boost Its Oversight of FINRASpeeches and Statements
In a keynote address to the National Society of Compliance Professionals 2016 National Conference on October 17th, SEC Office of Compliance Inspections and Examinations (“OCIE”) Director Marc Wyatt discussed the objectives of the National Exam Program, which include improving compliance, preventing fraud, monitoring risk, and informing policy. Wyatt noted that OCIE will enhance its oversight of the Financial Industry Regulatory Authority (“FINRA”) as it shifts resources to its investment adviser examination program and relies more heavily on FINRA for examinations of broker-dealers. Wyatt Remarks.
SEC Will Consider Proposals on Disclosures in Director Elections and Intrastate Securities Offerings at Open MeetingOther Developments
The SEC will hold an Open Meeting on October 26, 2016, to determine whether to propose amendments to the proxy rules relating to the use of universal proxy cards and disclosure about voting options and voting standards in director elections. The SEC will also consider whether to adopt rule amendments related to Securities Act Rules 147 and 504 to facilitate intrastate and regional securities offerings and whether to repeal Securities Act Rule 505. SEC Meeting Notice
Melissa Hodgman will serve as Associate Director of the SEC’s Division of Enforcement, according to an announcement by the SEC on October 14th. Hodgman will succeed Stephen L. Cohen, who left the agency last June. SEC Press Release
Commodity Futures Trading Commission
Proposed Rules Published on Cross-Border Application of Registration Thresholds and External Business Conduct Standards
On October 18th, the Federal Register published the Commodity Futures Trading Commission’s (“CFTC”) proposed rules addressing the cross-border application of certain swap provisions of the Commodity Exchange Act (“CEA”). The proposed rule defines key terms for purposes of applying the CEA’s swap provisions to cross-border transactions and addresses the cross-border application of the registration thresholds and external business conduct standards for swap dealers and major swap participants, including the extent to which they would apply to swap transactions that are arranged, negotiated, or executed using personnel located in the U.S. Comments must be received by December 19, 2016.
DSIO Issues Advisory Regarding Investments in Money Market Mutual Funds
On October 18th, the Division of Swap Dealer and Intermediary Oversight (“DSIO”) issued an advisory to futures commission merchants in response to inquiries regarding the practical application and effect of the DSIO’s August letter granting no-action relief regarding investments in money market funds.
Final Order Issued Exempting Certain Transactions of Southwest Power Pool
On October 18th, the CFTC announced its unanimous approval of a final order in response to a petition from Southwest Power Pool, Inc. (“SPP”), a Regional Transmission Organization regulated by the Federal Energy Regulatory Commission. The final order exempts certain transactions of SPP from the CEA and CFTC regulations, with the exception of the CFTC’s general anti-fraud and anti-manipulation authority, and scienter-based prohibitions. The final order will expressly exempt such transactions from private actions under CEA section 22. Q&A. See Chair Massad Statement. Also see Commissioner Giancarlo Statement.
Federal Rules Effective Dates
October 2016 – December 2016
Click here to view table.
Exchanges and Self-Regulatory Organizations
BATS Global Markets
SEC Seeks Comments on BZX’s Proposed Changes to Company Listing Fees and New LMM Partnership Program
On October 14th, the SEC suspended approval of and instituted disapproval proceedings regarding Bats BZX Exchange, Inc.’s (“BZX”) proposal to amend the fees applicable to securities listed on BZX as well as to amend the fee schedule applicable to Members and non-Members of BZX. Under the proposal, series of Portfolio Depository Receipts, Index Fund Shares, Trust Issued Receipts, and Managed Fund Shares listed on BZX would no longer be eligible to receive payments under the Issuer Incentive Program. BZX also proposed a new LMM Partnership Program in which the Lead Market Maker (“LMM”) in a fund would receive a payment from BZX based on the consolidated average daily volume of the fund. Comments should be submitted on or before November 10, 2016. Rebuttal comments are due on or before November 25, 2016. SEC Release No. 34-79103.
Financial Industry Regulatory Authority
SEC Approves FINRA’s Amended Proposal on Reporting Requirements for Transactions in U.S. Treasury Securities
On October 18th, the SEC issued an order granting accelerated approval to FINRA’s proposed rule change that would require FINRA members to report secondary market transactions in U.S. Treasury securities to the Trade Reporting and Compliance Engine (“TRACE”). The SEC also requested comments on FINRA’s amendment to the proposed rule, which revised the proposal to indicate that the “.S” modifier must be used if a transaction is part of a series of transactions and may not be priced based on the current market. Comments on the amendment should be submitted within 21 days of publication in the Federal Register, which is expected the week of October 24, 2016. In a separate Regulatory Notice, FINRA announced that the implementation date for the new rule will be July 10, 2017. SEC Release No. 34-79116.
FINRA Announces Changes to TRACE Reporting Rules for CMO Transactions
FINRA published a Regulatory Notice on October 17th that offers guidance on recently approved amendments to the TRACE rules and dissemination procedures, which provide for the dissemination of transactions in collateralized mortgage obligations (“CMOs”) based on transaction size and level of trading activity; reduce the timeframe for reporting transactions in CMOs executed after issuance; and simplify the reporting requirements for pre-issuance CMO transactions. The rule amendments will become effective on March 20, 2017. FINRA Regulatory Notice 16-38.
FINRA Prepares Members for New Capital Acquisition Broker Rules
In a Regulatory Notice published on October 17th, FINRA offered guidance to members regarding new rules for firms that meet the definition of “capital acquisition broker” (“CAB”), which includes firms that engage in a limited range of activities such as advising companies and private equity funds on capital raising and corporate restructuring, and acting as placement agents for sales of unregistered securities to institutional investors under limited conditions. The new rules will become effective on April 14, 2017, except for the rules on CAB membership application and associated person registration, which will become effective on January 3, 2017, to provide new CAB applicants with sufficient time to apply for FINRA membership. FINRA Regulatory Notice 16-37.
International Swaps and Derivatives Association
ISDA Publishes Research on Clearing for Small Derivatives Users
On October 17th, the International Swaps and Derivatives Association (“ISDA”) published a research note entitled “Key Trends in Clearing for Small Derivatives Users.” The note analyzes publicly available data on clearing to assess concerns about clearing access for smaller derivatives users in the U.S. and the EU. ISDA Research Note.
SEC Grants Accelerated Approval to NYSE MKT’s Amended Proposal on FLEX Options
On October 19th, the SEC issued an order granting accelerated approval to NYSE MKT LLC’s (“NYSE MKT”) proposed amendments to its rules related to Flexible Exchange (“FLEX”) Options that would allow FLEX Options in Binary Return Derivatives contracts (“ByRDs”), make available additional settlement styles, modify how exercise prices and premiums are expressed, and change certain provisions relating to floor-based trading. The SEC also requested comments on two amendments to the proposal that, among other things, provide greater clarity regarding the operation of FLEX ByRDs, remove a proposal to allow cash settlement of FLEX Options, and eliminate a proposal to allow a settlement price calculated from the all-day Volume-Weighted Average Price of the composite prices of the underlying security on the expiration date (“VWAP”) for FLEX Equity Options generally, although VWAP settlement would still be used for FLEX ByRDs. Comments should be submitted within 21 days of publication in the Federal Register, which is expected the week of October 24, 2016. SEC Release No. 34-79125.
Study Finds That Granting Stock Options Deters Whistleblowing
According to a new study, which is expected to be published in an upcoming issue of the Journal of Accounting and Economics, companies offer stock options to their employees to deter them from reporting financial misconduct. On October 21st, CFO reported that firms involved in financial reporting violations granted more stock options during periods of misreporting than a control sample and that those firms were more likely to avoid whistleblower claims.
Volcker Not Convinced that Breaking Up Banks Would Improve Financial Stability
On October 18th, the Wall Street Journal reported on former Federal Reserve chairman Paul Volcker’s remarks at a WSJ Pro Financial Regulation conference that he was “not convinced” that breaking up big Wall Street banks and ramping up oversight of large asset managers would improve financial stability.