The following significant federal regulatory initiatives were addressed recently and are of interest to the bank and thrift industry:
On Oct. 25, 2007, the federal agencies issued rules implementing the “Fair and Accurate Credit Transactions Act of 2003” to provide consumers with an opportunity to “opt out” of allowing an institution to use information provided by an affiliated company to market its products and services to the consumer.
The opt-out may not apply where affiliates have preexisting business relationships with the consumer and for other situations, including certain employment functions, consumer-initiated requests and authorizations, and the use of service providers.
The rules are effective Jan. 1, 2008, and institutions must comply no later than Oct. 1, 2008. This will necessitate the imposition of further controls and disclosures for multi-affiliate organizations to avoid inadvertent violations, and other sharing restrictions that still apply under the FCRA. Fortunately, the rules include “safe harbor” forms for use by institutions in facilitating the notice and opt-out requirements.
Institutions should take care to review any structures which entail proposed sharing of consumer information with other organizations in order to avoid compliance pitfalls.
Examination Cycles for Small Institutions
On Oct. 24, 2007, the federal financial institution regulatory agencies adopted final rules permitting institutions with up to $500 million in total assets (and that meet certain other criteria including a 1 or 2 CAMELS composite rating) to qualify for an 18-month (vs. 12-month) on-site safety and soundness examination cycle.
Other qualifying criteria include being well-capitalized, well-managed, not having undergone any change in control during the previous 12-month period, and not being subject to a formal enforcement order or proceeding.
This extended examination cycle should provide at least some level of welcome relief for qualifying institutions.
Banks as Brokers
At long last, on Oct. 3, 2007, the Fed and the SEC published rules to implement provisions of Gramm-Leach-Bliley that except banks (in certain instances) from the definition of “broker” under the ’34 Act when they conduct certain securities transactions.
The rules (which were issued for comment in December, 2006) have been the subject of significant controversy and extensive negotiation between the agencies, and between the agencies and the industry, and will hopefully provide clear guidance for banks seeking to avoid SEC licensing requirements and the corresponding imposition of SEC regulation (and examination) of their activities in this area of operation.
The rules clarify permissible bank “brokerage” activities that can be conducted under the GLBA exceptions, and have been designated as Federal Reserve Regulation “R”. They include specific direction with respect to third-party brokerage referral (networking) arrangements, trust and fiduciary activities, custodial and deposit sweep activities, and safekeeping and custody activities, and allow banks to continue to offer those services and engage in those activities subject to certain conditions.
Institutions engaged in any of these activities will need to review their procedures and operations carefully in order to avoid inadvertently exceeding the permissible parameters of Reg R, and the SEC licensing and oversight requirements which could result.
Compliance with the new Reg R will be required effective the first day of the first fiscal year of an institution after Sept. 30, 2008.
Identity Theft and Address Discrepancy Rules
Rules on identity theft “red flags” and address discrepancies have been finalized by the FFIEC and FTC to implement sections of the FACT Act. Institutions are required under the rules to develop and implement an “Identity Theft Prevention Program” to address identity theft risks inherent in the institution. The program should include reasonable policies and procedures intended to detect, prevent, and mitigate identity theft in the institution, through customer patterns and practices which may provide a “red flag” for identity theft. Examples of “red flags” are provided in the regulations along with guidelines for compliance.
The rules also require credit and debit card issuers to adopt policies and procedures to police proposed address changes in order to assist in mitigating potential identity theft concerns.
The rules are likely to require significant compliance attention by institutions, and are similar to the AML/BSA requirements in the approach to risk self-assessment, analysis, and program development. They are also likely to provide further examination challenges for institutions similar to those provided by BSA/AML.
The rules are effective Jan. 1, 2008, with compliance required by Nov. 1, 2008.