Compliance changes to watch in 2023


From new fee practices to peer-to-peer fraud, keep an eye on what regulatory changes could be developing in the new year.

By Mary Thorson Wright


While the pace of bank regulatory changes has diminished from a few years ago, several issues will either become effective or likely develop in 2023. Community banks must continue to stay focused on regulatory discussions and remain nimble to respond to proposals and address requirements quickly and accurately. Let’s look first at changes for the coming year that were projected at the time of this writing.

Projected changes

Deposit insurance. The FDIC approved a final rule to increase initial base deposit insurance assessment rates by 2 basis points until the Deposit Insurance Fund (DIF) achieves the FDIC’s long-term goal of a reserve ratio of 2% of insured deposits. The revised rate schedules will be effective Jan. 1, and applicable to the first quarterly assessment period of 2023 with an invoice payment date of June 30, 2023.

Quick Stat: 2%, the FDIC’s long-term goal for the reserve ratio of insured deposits. Source: FDIC

Multiple re-presentment fees. The FDIC issued guidance about the consumer compliance risks associated with assessing NSF fees arising from the re-presentment of the same unpaid transaction. It cites potential violations of Section 5 of the Federal Trade Commission (FTC) Act, which prohibits unfair or deceptive acts or practices, and potential risks arising from arrangements with third parties, and it directly applies to FDIC-supervised financial institutions. Full implementation may be delayed based on questions about clarity of disclosures and whether corrective lookbacks and restitution would be required.

Debit card interchange fees and routing. The Federal Reserve Board finalized updates to the board’s rule for debit card transactions. It becomes effective July 1, 2023, and requires debit card issuers to provide two unaffiliated payment networks enabled for card-not-present (CNP) transactions.

Disclosed bank fees on deposit items. The CFPB issued Circular 2022-06 about two fee practices that it considers unfair and unlawful under existing law. The practices targeted include surprise overdraft fees and check depositor fees.

Evolving risks

Community banks should keep an eye on evolving risks and emerging threats in 2023, including these:

Small business data. According to a court filing in California, the CFPB plans to issue a final rule implementing Dodd-Frank Section 1071 small business (generally, those with gross annual revenues of less than $5 million) reporting requirements by March 31, 2023. It proposes to nearly double the number of data points required to be collected on small business loans, including information about race and demographics, and covers all banks making more than 25 small business loans annually. Finalization is expected as early as 2023.

CRA. On May 5, 2022, the federal bank regulators jointly released a notice of proposed rulemaking (NPR) to strengthen and modernize the Community Reinvestment Act (CRA) regulations. The proposal would increase small bank asset thresholds and create a new framework for evaluating large and intermediate banks. A final rule is expected in 2023.


Cyber reporting. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was passed in 2022. The law will require all critical infrastructure entities to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours from the time the entity reasonably believes the incident occurred, and to report ransomware payments to CISA within 24 hours of payment. An NPR is due in 2024 or before.

Data privacy. Comprehensive data privacy laws remain a hot topic for state legislatures, with a number of states following California’s lead and passing their own version of the California Consumer Privacy Act. In 2022, the House Energy and Commerce Committee passed a national data privacy bill, but the bill did not receive a vote on the House floor. Interest at the state and national level is expected to continue in 2023.

Climate-related risk. In the past year, the OCC and FDIC published draft principles for climate-related financial risk management for large banks, and the SEC published a proposed rule governing the enhancement and standardization of climate disclosures for investors. The agencies are likely to take steps to finalize these proposals in 2023. While much of the regulatory climate-risk agenda remains focused on the nation’s largest banks, ICBA continues to make the community-bank perspective heard by advocating that these policies should not trickle down to community banks.

Peer-to-peer fraud. This area could evolve rapidly. According to Rhonda R. Whitley, ICBA vice president and regulatory counsel, “At this time, the CFPB has not initiated action; however, it is possible that it could revise Regulation E for banks’ liability for the fraudulent transactions due to the nature and growing scale of occurrences.”

It’s important for community banks to monitor all types of regulatory communications. “Looking at the CFPB’s regulatory agenda, it is likely we will continue to see the CFPB taking actions using novel tools, like interpretive rules, advisory opinions and circulars, rather than formal rule changes,” advises Michael Emancipator, ICBA vice president and regulatory counsel.

In 2023, community banks should stay engaged to adjust program requirements to align with regulatory expectations and to take steps to strengthen the risk governance framework.


Mary Thorson Wright is a writer in Virginia.