Share
Major final rules and proposals in the financial services industry were released in 2023, and more could be expected next year. The changes will require policy and procedural action by banks as early as 2024 in some cases. And that means banks, credit unions and other financial entities may want to reprioritize compliance training. Here’s a snapshot of new regulations and pending rule-making that could have the biggest impact on financial services.
Section 1071: Small Business Data Collection Act
Section 1071 requires impacted financial institutions to collect and report information on small business loan applications based on certain thresholds established in the Act. Covered financial institutions include banks, savings associations, credit unions, online lenders, and equipment, vehicle and commercial finance companies, as well as non-profit organizations and certain governmental organizations. To be covered, a financial institution must have at least 100 covered originations in each of the two preceding calendar years. Covered financial institutions are not required to aggregate originations at the parent or holding company level. Financial institutions are not required to report the covered originations produced by an affiliate.
The small business definition comes from the meaning of a “small business concern” in the Small Business Administration (SBA) rules. A small business concern (SBC) must be independently owned and operated; not be dominant in its field of operation; and not exceed the relevant small business size standard for the particular procurement action ($5 million or less in gross annual revenue). It must be located and operate primarily within the U.S. or contribute significantly to the U.S. economy by paying taxes or using American-made products, materials or labor. A financial institution is permitted to rely on an applicant’s representation of their gross annual revenue, which may or may not include an affiliate’s gross revenue for the same fiscal year.
Covered credit transactions are extensions of credit primarily for business, commercial or agricultural purposes, unless excluded under the final rule. Covered credit transactions include loans, lines of credit, credit cards, merchant cash advances and other credit products. They include the following lending activities:
Regulation B requires that covered financial institutions must not discourage applicants from responding to requests for primary owner demographic data. They must maintain procedures for collecting the data before the final loan decision and in a reasonable manner, and the request must be prominently displayed or presented. Procedures designed to monitor compliance with the law should address monitoring for low response rates and for significant irregularities. Institutions must provide adequate training to loan officers and any others involved in the collection of the data. The law includes one safe harbor for covered financial institutions that initially collect demographic data of the applicant’s principal owners pursuant to the final rule, but later determine that it should not have collected that data, if the institution had a reasonable basis for believing that the applicant qualified as a small business.
Community Reinvestment Act (CRA)
The interagency CRA final rule was recently released, and it had several changes. Elements of the final rule address eight objectives of the regulatory agencies: (1) strengthening the achievement of the CRA’s core purposes of addressing inequities in access to credit and fostering innovation to expand access to credit; (2) adapting to industry changes, such as the expanded role of mobile and online banking; (3) providing greater clarity, consistency, and transparency in the CRA’s application; (4) tailoring performance standards to a bank’s size and business model; (5) tailoring data collection and reporting requirements and using existing data whenever possible; (6) promoting transparency; (7) confirming that the CRA and fair lending responsibilities are mutually reinforcing; and (8) promoting a consistent regulatory approach across agencies.
The rule mentions that assessment areas will still largely be focused on a bank’s facility-based assessment (FBA), but intermediate-to-large institutions will also be evaluated under the Retail Lending Test. Large banks are required to create a retail lending assessment area when less than 80% of retail lending activity occurs within their facility-based assessment areas. Large banks would also need to delineate areas where they have an annual lending volume of at least 150 home mortgage loan originations or at least 400 small business loan originations in a geographical area for two consecutive years.
This graphic provides a summary of the overall assessment framework:
https://baidotorgqa.wpengine.com/wp-content/uploads/2023/12/Graph-lending-FI-750×453.jpg
Large banks will be assessed on all four tests with no exceptions. Intermediate-sized banks will also be evaluated under the new Retail Lending Test, and either the status quo community development test or the Community Development Financing Test if they choose to opt in. Small banks would be evaluated under the existing lending test, unless they choose to opt into the new Retail Lending Test. Community development activities anywhere in the U.S. can qualify for CRA credit, but activities near facility-based assessment areas will carry more weight.
Most banks will not need to comply with most of the provisions until Jan. 1, 2026, and large banks will not have to comply with the reporting requirements until Jan. 2027. However, banks will need to comply with the public file requirements when the final rule becomes effective on April 1, 2024. The agencies, for the first time, will develop and maintain a publicly available illustrative list. Banks can also submit a request to their regulator to provide a determination on CRA qualifying activities, which may not be included in the illustrative list.
Section 1033: Personal Financial Data Rights
Section 1033 requires covered entities to make available to consumers, upon request, transactional data and other information concerning consumer financial products or services that the consumer obtains from a covered entity. The Consumer Financial Protection Bureau’s (CFPB) goal with Section 1033 is to provide options to strengthen consumers’ access to and control over their financial data.
Open banking implements the concept that consumers should be the ultimate owners of their financial data, be free to access and share it, and have the choice to obtain products and services from whomever they choose. Covered data providers are defined as a “financial institution” under Regulation E or “card issuer” under Regulation Z. Organizations offering digital wallets would be required to comply with the rules. Covered accounts would include any checking, savings, consumer assets, or prepaid account held directly or indirectly by a financial institution and established primarily for personal, family, or household purposes, as well as credit card accounts and digital wallets. Importantly, commercial or business accounts are exempt from the requirements, as well as open-end credit accounts that are not credit cards, and closed-end loan accounts.
Six categories of information that BAI expects to be part of the requirements are:
The proposed rule lists four tiers for expected compliance dates:
https://baidotorgqa.wpengine.com/wp-content/uploads/2023/12/Graph-cra-final-rule-750×386.png
NIST Cybersecurity Framework (CSF) 2.0
The National Institute of Technology (NIST) created the Cybersecurity Framework (CSF) 1.0 in 2013, as a voluntary framework to provide organizations with guidance on how to prevent, detect and respond to cyberattacks to comply with Executive Order 13636. The framework was designed to help organizations identify, assess, and manage cyber risk through a cost-effective approach.
In early 2024, NIST plans to release the Cybersecurity Framework 2.0, which is designed for the future while continuing to fulfill the original framework’s goals and objectives. A draft of the framework was released in April of this year and has received numerous comments from the global community. All relevant comments, including attachments and other supporting material, will be made publicly available on the NIST CSF 2.0 website.
More capital requirements for large banks
In Spring of 2023, the industry witnessed four bank failures that created a global ripple effect, which was mitigated through swift regulator monetary policy adjustments to stabilize consumer confidence in the banking system.
When combined, the initial three failed banks held $532 billion in total assets, more than the combined holdings of all failed banks in the 2008 financial collapse and Great Recession.
Two of the 2023 collapsed banks’ assets were between $100 million and $400 million, which was previously deemed a nonsystemic amount. The impact the bank failures had on the industry quickly made it obvious that these institutions were of systemic importance to the stability of the banking system in the U.S. Regulators are proposing increased capital and stress testing requirements, more robust corporate resolution plans, and increased long-term debt requirements for large banks with assets of $100 million or more. We can expect proposals and final rules within the next 12 to 18 months.
Credit Card Competition Act and other topics of interest
The Credit Card Competition bill is still awaiting a vote as of our newsletter deadline Dec. 13, but some Washington watchers still expected possible action by the end of the year. A goal of the legislation is to increase competition with Visa and Mastercard within the industry. The ultimate goals of the Act are to foster more choices for network providers, thus increasing competition for merchant business, and effectively decreasing credit card and interchange fees, which would benefit consumers. There appear to be a few issues which need to be ironed out, but the Act seems to be heading toward a final rule within the next few months.
Other topics of interest which are likely to produce proposals or final legislation in the next 12 to 18 months include artificial intelligence, privacy, cryptocurrency and cybersecurity. BAI will provide more information in the future as the legislation unfolds.
Christopher Boersma is Product Manager, Compliance Learning & Development at BAI.
Join our community to unlock exclusive content, connect with industry experts, and gain access to valuable resources that will help you stay ahead.
