While the creation of new compliance regulations was slow this year compared with years past, some regulations were implemented as expected, and some continue to evolve.
By Mary Thorson Wright
At the time of writing, many regulatory compliance issues appear to be stalled or out of regulators’ focus, while a few have received ample attention or have continued to develop.
“CFPB director Rohit Chopra was confirmed in October 2021, and in 2022 the bureau has been somewhat muted in terms of new regulations,” says Michael Emancipator, ICBA vice president and regulatory counsel. “It has been active taking other actions and has used some novel tools, like interpretive rules, advisory opinions and circulars,” he adds. “Using those, the director can implement policy changes more quickly than through standard regulatory revision.”
Emancipator gives examples such as an advisory opinion on privacy when companies compile personal data and interpretive rules on credit reporting and the use of data. There is also a circular about requirements for adverse action notices for credit decisions based on complex algorithms.
Compliance developments in 2022
Climate risk and financial institutions. In May 2021, President Joe Biden issued an executive order directing federal agencies to act regarding climate change-related financial risks. Some financial regulators, including the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) and U.S. Securities and Exchange Commission (SEC), have published proposed rules intended to enhance and standardize climate-related risk management. ICBA has submitted comment letters to all three agencies.
Unfair, Deceptive, or Abusive Acts or Practices (UDAAP) enforcement. In 2021, President Biden issued an executive order on customer data access and UDAAP to encourage the CFPB to commence rulemaking about customer access to financial data and to keep enforcing UDAAP. The CFPB reversed a policy of restraint on enforcement of UDAAP.
It issued Consumer Financial Protection Circular 2022-04 in August 2022 on “Insufficient data protection or security for sensitive consumer information.” The content specifies that inadequate security for sensitive consumer information collected, processed, maintained or stored can constitute an unfair practice in violation of UDAAP.
Data protection. In July, the CFPB issued an advisory opinion, “Protect Privacy When Companies Compile Personal Data.” It makes clear that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy, and it reminds covered entities of potential criminal liability for certain misconduct.
Regulatory requirements enacted in 2022
Several regulatory requirements became effective as expected.
General Qualified Mortgage (QM). On Oct. 1, 2022, the final rule became effective after delay from the original July 1, 2021, effective date.
Home Mortgage Reporting Act (HMDA). Effective Jan. 1, 2022, the temporary reporting threshold of 500 open-end lines of credit expired and reverted to 200.
Computer-security incident notification requirements. The federal banking regulatory agencies’ (FDIC, Federal Reserve and OCC) computer-security incident notification rule went into effect as expected this year. Community banks now have a requirement to notify their primary regulator no later than 36 hours after they determine that a notification incident has occurred. Bank service providers are also required to notify affected banks if an incident could disrupt, degrade or impair services for four or more hours.
While few new requirements were finalized in 2022, community bankers should ensure their implementation as needed and continue to closely monitor other evolving issues.
Evolving and stalled regulatory requirements
Several more are still evolving or appear to have stalled.
Third-party oversight. The comment period for the federal banking regulatory agencies’ proposed guidance on third-party oversight ended in September 2021, and the agencies had not issued final guidance as of October 2022.
Small business loan reporting. Section 1071 of the Dodd-Frank Act (DFA) amended the Equal Credit Opportunity Act (ECOA) to require reporting of data for certain business loans. In 2021, the CFPB issued a notice of proposed rulemaking (NPRM), and comments were due Jan. 6, 2022. A final rule is expected by March 31, 2023.
CRA. On May 5, 2022, the OCC, Federal Reserve, and FDIC jointly released an NPRM to strengthen and modernize the Community Reinvestment Act (CRA) regulations to better achieve the purpose of the CRA. The comment period ended Aug. 5, 2022; however, no analysis of the comments or final rule have been announced.
Fair lending. HUD had proposed to rescind its 2020 changes to the Fair Housing Act (FHA) disparate impact rule, reverting to the 2013 standard. At this time, banks are still following the 2013 rule. At the time of this writing, no further action had been taken. There has been anecdotal information regarding the regulators’ scrutiny of REMA (Reasonably Expected Market Area) for fair lending.
Credit reporting. Discussion has continued about changes to the credit reporting system, use of alternative data, credit scoring and limits on the uses of credit information. The CFPB issued an interpretive rule in July affirming states’ abilities to police credit reporting and issuing their own fair credit report laws and one regarding permissible purposes for furnishing, using and obtaining credit reports.
While few new requirements were finalized in 2022, community bankers should ensure their implementation as needed and continue to closely monitor other evolving issues, including those now published by the CFPB through less customary vehicles.
Mary Thorson Wright is a writer in Virginia.