Monthly Bank Regulatory Report (July 2024)

August 1, 2024

We are pleased to provide you with the July 2024 edition of Gibson Dunn’s U.S. bank regulatory update. Feel free to reach out to us to discuss any of the below topics further.

KEY TAKEAWAYS

The intersection of banks and partners remains at the regulatory and supervisory forefront and the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC) and Office of the Comptroller of the Currency (OCC) issued a Joint Statement and accompanying Request for Information discussing risks associated with bank-fintech partnerships.
The FDIC issued a new proposal on brokered deposits that would fundamentally reverse the 2020 final rule and impact a wide range of financial institutions, including banks, broker-dealers, registered investment advisers, fintechs and neobanks, as discussed in more detail here.
The FDIC issued a new proposal to expand its authority to approve transactions subject to the Change in Bank Control Act (CIBCA).
The U.S. Supreme Court overruled Chevron v. Natural Resources Defense Council,[1] a landmark decision that had required courts to defer to agencies’ reasonable interpretations of ambiguous statutory terms, as discussed in more detail here.
The FDIC published its final rule with respect to the resolution plan requirements for large banks,[2] declaring an effective date of October 1, 2024, and making certain changes from the proposed rule including the creation of a new category of regulatory feedback (“significant finding”) and modifications to the resolution plan submission cycle. Acting Comptroller Hsu expressed his support for the Final Rule.

DEEPER DIVES

Federal banking agencies continue to focus on bank-fintech partnerships with Joint Statement and Request for Information relating to banking-as-a-service (BaaS) arrangements. On July 25, 2024, the FRB, FDIC and OCC (collectively, the Agencies) issued a Joint Statement cautioning regulated institutions about the risks associated with arrangements with third parties to deliver bank deposit products and services. The Agencies highlighted the following as key areas of risk: (i) operational and compliance risks; (ii) challenges created by growth of the program; and (iii) end user confusion and misrepresentations with respect to deposit insurance coverage. The Agencies draw on existing law and guidance, including safety and soundness standards[3] and Interagency Guidance on Third-Party Risk Management to recommend strategies for combating the identified risks. The Agencies emphasize that “…[e]ffective board and senior management oversight is crucial to ensure a bank’s risk management practices are commensurate with the complexity, risk, size, and nature of the activity and relationship, both when the relationship commences and as it evolves over time.” Accompanying the Joint Statement was a Request for Information on Bank-Fintech Arrangements Involving Banking Products and Services Distributed to Consumers and Businesses, which expands on those risks identified in the Joint Statement and invites comment on, among other topics, (a) descriptions of bank-fintech partnerships; and (b) risk management practices in connection with such relationships.

Insights. The Agencies’ Joint Statement and Request for Information again signals the heightened regulatory and supervisory focus on BaaS arrangements, as well as future rulemakings and/or additional guidance. Regulated institutions are expected to take a much more active role with respect to third-party risk identification, management, and monitoring, especially when the third parties in question support the delivery of regulated financial products, such as deposit accounts. Financial institutions considering partnering with fintechs should, at a minimum, continue to focus on ensuring that their risk management infrastructure meets the expectations of the Agencies as described in the Joint Statement and related guidance.

FDIC issues Interpretive Rule and Request for Information reversing 2020 brokered deposit rules. On July 30, 2024, the FDIC issued a Notice of Proposed Rulemaking proposing changes to the brokered deposit rules set forth at 12 C.F.R. Parts 303 (Filing Procedures) and 337 (Unsafe and Unsound Banking Practices). The Proposed Rule would make changes to the “deposit broker” definition and related “primary purpose” exception to such definition,[4] as well as the notice and application processes associated therewith.[5] Specifically, the Proposed Rule would eliminate the exclusive deposit arrangement carveout[6] and enabling transaction designated business test exceptions[7] from the definition of “deposit broker”, revise the 25% test designated business exception[8] for a primary purpose exception to only be available to broker-dealers and investment advisors and only if less than 10% of the total assets of such entity is under management is placed at one or more insured depository institutions (IDIs), and require that only IDIs file notices and applications to the FDIC for primary purpose exceptions.

Insights. The fundamental changes to the 2020 brokered deposit rules coupled with the FDIC’s Request for Information on Deposits (Deposits RFI) reflect concerns within FDIC on how they currently oversee the risks associated with different types of deposits. While much more will be written on these topics, we believe the conflation of the risks related to certain types of uninsured deposits and the risks of brokered deposits is a central issue. We also continue to be concerned with the over-extension of the restrictions on brokered deposits, as set forth in section 29 of the FDI Act, to banks that are well-capitalized. There is little disagreement within the industry that banks that fail to remain well-capitalized should not be relying on brokered deposits for growth. However, the FDIC and other Agencies have leveraged the definition of brokered deposits for other purposes – essentially defining a very diverse set of deposits to be inherently risky and penalizing banks that accept such deposits – be it in the form of assessments or, for the larger banks, the calculation of the liquidity coverage ratio and the net stable funding ratio. Instead of over-hauling such a recent regulation, the FDIC should first receive and release information relating to the Deposits RFI so that both the FDIC and the industry can consider the actual risks associated with different types of deposits prior to considering any changes to the current rule.

FDIC proposes to expand its authority to review certain bank merger applications under the CIBCA. On July 30, 2024, the FDIC issued a Notice of Proposed Rulemaking to amend the FDIC’s regulations under the Change in Bank Control Act (CIBCA). The CIBCA generally provides that no person, acting directly or indirectly, may acquire control of an insured depository institution (IDI) unless the person has given the appropriate federal banking agency prior notice of the proposed transaction, and the agency has not disapproved the transaction. The FDIC’s CIBCA regulations currently specify eight transactions that are exempt from providing prior notice to the FDIC, including if the transaction to acquire control of the IDI’s holding company is subject to notice to the FRB. The proposed rule would remove such exemption.

Insights. The FDIC has demonstrated material differences between it and the other federal bank regulators in areas such as corporate governance and bank consolidation. Thus, the implications of introducing another regulatory agency into CIBCA notices could be substantial and impact future investor appetite.

Federal financial services regulatory agencies issue final rule to help on automated valuation models. On July 17, 2024, the FRB, FDIC, OCC, the National Credit Union Administration (NCUA), the Consumer Financial Protection Bureau (CFPB), and the Federal Housing Finance Agency issued a final rule pursuant to the Dodd-Frank Act, designed to help ensure the credibility and integrity of models used in valuations for certain mortgages secured by a consumer’s principal dwelling. In particular, the final rule implements quality control standards for automated valuation models (AVM) used by mortgage originators and secondary issuers in valuing the consumer’s dwelling. The final rule requires institutions that engage in certain transactions secured by a consumer’s principal dwelling to adopt certain policies, practices, and procedures designed to ensure a high level of confidence, protect against data manipulation, and avoid conflicts of interest.

Insights. Automated valuation models are being used with increasing frequency, driven by advances in database and modeling technologies. While advances in AVM technology and data availability have the potential to reduce costs and turnaround times of the property valuation process, AVMs present heightened technology and operational risks for mortgage originators and secondary issuers. In particular, adopters of AVMs should take appropriate steps to ensure the credibility and integrity of the valuation outputs generated by the model. Adopters must also understand the inputs used by the model to ensure compliance with applicable nondiscrimination laws.

Acting Comptroller Hsu discusses trends reshaping banking. On July 17, 2024, Acting Comptroller Hsu spoke at the Exchequer Club regarding long-term trends reshaping banking and how the OCC is uniquely positioned to address them. The three trends Hsu identified were: the growing number and size of large banks, the complexity of non-bank relationships, and how polarization is enabling greater fragmentation of the U.S. financial system.

Insights. Notably, Acting Comptroller Hsu’s remarks pointed to the concept of preemption as “critical” to both national banking and combatting what he referred to as a worrisome trend of fragmentation at the state and local levels. The preemption issue is especially timely in light of the Supreme Court’s recent decision in Cantero v. Bank of America (discussed in our previous Client Alert), in which the Supreme Court considered which legal standard courts should use in determining whether the National Bank Act preempts state banking laws. In Cantero, the Supreme Court ultimately rejected the categorical tests advanced by both parties, holding that lower courts must instead determine whether the challenged state law significantly interferes with the exercise by a national bank of its powers, based on a “nuanced comparative analysis” of the Court’s applicable opinions. In his remarks, Acting Comptroller Hsu acknowledged that the OCC will need to embrace and develop a more nuanced analysis in defense of preemption in light of the Cantero decision, and we expect the Supreme Court’s rejection of the categorical standards advanced in Cantero to yield more preemption litigation in the lower courts.

FRB and Arkansas State Bank Department issue cease and desist order against Evolve Bank. On June 11, 2024, the FRB and Arkansas State Bank Department issued a cease and desist order against Evolve Bank & Trust and its parent company Evolve Bancorp, Inc. following a number of identified deficiencies, including with respect to the bank’s fintech partnerships involving deposit account offerings and payment processing products. The Agencies found that the bank was engaged in unsafe and unsound practices as a result of “failing to have in place an effective risk management framework for those [fintech] partnerships.” As a result of the order, Evolve Bank is restricted from establishing new fintech partnership programs or offering new products or services to fintechs unless Evolve Bank obtains the prior approval of the FRB and Arkansas State Bank Department.

Insights. The order against Evolve Bank, as well as other recent bank enforcement actions,[9] reflects the increasing focus of bank regulators on partnerships between fintechs and regulated financial institutions. Regulated institutions seeking to engage in such partnerships are expected to establish robust risk management frameworks to identify and manage safety and soundness risks and should expect increased regulatory focus on such relationships and control processes during exams.

FDIC approves deposit insurance application and merger application for Thrivent Bank. On June 20, 2024, the FDIC approved the deposit insurance application of Thrivent Bank, a proposed Utah-chartered industrial loan bank, as well as the associated merger of Thrivent Federal Credit Union, a federally chartered credit union, with Thrivent Bank. In connection with the approval, Thrivent Financial Holdings, Inc. and Thrivent Financial for Lutherans are required to enter into Capital and Liquidity Maintenance Agreements and Parent Company Agreements with the FDIC.

Insights. The FDIC’s first approval of an industrial loan bank in four years signals a willingness to consider industrial loan companies, which can be an attractive route for other growth-focused nonbanks and fintechs looking to obtain bank licenses of their own without impeding the broader operations of the parent organization. However, the FDIC is expected to continue to require a degree of prudential regulation over the bank’s parent companies through the application of similar capital and liquidity requirements and other parent agreements designed to oblige such parents to serve as a source of financial strength for the bank.[10]

Remarks by Acting Comptroller Michael J. Hsu relating to the use and risks of AI tools in the financial system. On June 6, 2024, Acting Comptroller Hsu spoke at the 2024 Conference on Artificial Intelligence and Financial Stability hosted by the Financial Stability Oversight Council regarding the systemic risk implications of AI in financial markets, as well as challenges and potential solutions for the accountability challenge associated with AI. Specifically, Acting Comptroller Hsu emphasized the need to pause development of AI tools at certain key phases in order to develop controls to ensure responsible innovation and trust, highlighted key financial stability risks associated with AI’s use as a weapon, including AI-enabled fraud, cyberattacks, and disinformation, and advocated for shared responsibility frameworks to combat the unique accountability problems presented by AI.

Insights. Acting Comptroller Hsu’s speech reflects the OCC’s continued focus on the development of AI-enabled tools in financial services and the associated risks to the U.S. financial system. Clearly, explainability, accountability, fraud risk, risk management and controls are top of mind for the OCC. Citing to the OCC’s Supervisory Guidance on Model Risk Management, Hsu noted that the OCC “expects banks to use controls commensurate with ‘a bank’s risk exposures, its business activities, and the complexity and extent of its model use.’” Moreover, by advocating for the development of a shared responsibility framework with support from self-regulatory agencies and network membership, the OCC may be signaling its intention to offer limited direct guidance in the short-term on the topic of AI-development, instead choosing to rely on broader guidance on risk-based approaches to providing financial services and engaging with third parties.

Prepared remarks of CFPB Director Rohit Chopra on fraud in consumer payments. On July 9, 2024, Rohit Chopra, Director of the CFPB, delivered remarks on fraud in consumer payments, which touched on three current vectors of fraud perpetrated against U.S. households: (i) scams from large-scale scam compounds in Southeast Asia targeting Americans via text, messaging applications and social media; (ii) the increasingly-common microtargeting of individuals by using generative AI to impersonate others or by exploiting available personal data; and (iii) via vulnerabilities in new and old payment mechanisms.

Insights. Addressing frauds in consumer payments has been a priority for the CFPB since 2021, and Director Chopra’s remarks highlight some of the actions that the CFPB is taking. With regard to fraud involving the exploitation of personal data, the CFPB is actively working on rules that would prevent data brokers from abusing or misusing personal data. With regard to fraud involving the exploitation of payment mechanism vulnerabilities, the CFPB’s proposed rule on digital wallets and payment apps is an example of the efforts that the CFPB is undertaking to supervise widely used consumer apps.

OTHER NOTABLE ITEMS

Supreme Court overrules Chevron, sharply limiting judicial deference to administrative statutory interpretation. On June 28, 2024, the U.S. Supreme Court overruled Chevron v. Natural Resources Defense Council, a landmark decision that had required courts to defer to executive branch agencies’, including bank regulators’, reasonable interpretations of ambiguous statutory terms. The Court’s opinion is available here. For more information, please see our Client Alert.

FDIC publishes final rule on resolution requirements for large banks. On June 20, 2024, the FDIC approved the final rule relating to resolution planning for insured depository institutions with $50 billion or more in total assets. The final rule is largely consistent with the proposed rule issued by the FDIC in August of 2023. However, the final rule creates a new category of regulatory feedback (“significant finding”) which falls short of qualifying as a “material weakness,” emphasizing that the difference between the two “is one of degree of severity…[a significant finding] is not of the same level of impact and urgency as a material weakness.” In addition, the FDIC loosened the requirement applicable to nine depository institutions with assets greater than or equal to $50 billion and global systemically important bank (GSIB) parents that would have required frequent interim supplement submissions. The final rule provides that such supplements are not required in calendar years when resolution plans are submitted or affiliates submit Dodd-Frank Act resolution plans. The final rule becomes effective on October 1, 2024.

FDIC and FRB announce results of resolution plan review for largest and most complex banks. On June 21, 2024, the FDIC and FRB announced the results of their joint review of the July 2023 resolution plan submissions of the eight largest and most complex banks, highlighting “shortcomings” raising questions with respect to the feasibility of the plans submitted by four of those institutions. Each of the shortcomings noted by the Agencies related to process for modeling the unwinding of derivatives and trading positions during resolution. The FDIC and FRB requested that the banks simulate such positions using scenario inputs different from those used in their 2023 resolution plans in both fast and slow run time frames, with the goal being to understand whether the banks could generate accurate analyses under time pressure and different resolution scenarios. The FDIC and FRB further provided that the remedial actions required to address the identified shortcomings should be addressed in the next resolution plan submission due on July 1, 2025. The FDIC and FRB also requested that all 2025 resolution plan submissions address topics of contingency planning and obtaining foreign government actions required to execute the proposed resolution strategy.

Supreme Court holds the Seventh Amendment entitles a defendant to a jury trial when the SEC seeks civil penalties for securities fraud. On June 27, 2024, the U.S. Supreme Court held that the Seventh Amendment to the Constitution requires the SEC to sue in federal court, not in the agency’s in-house court, when the SEC seeks civil penalties for fraud. The Court’s decision could have broader implications for other agencies, including the FRB, FDIC, OCC, CFPB and others, and other theories of liability. The Court’s opinion is available here. For more information, please see our Client Alert.

FRB publishes 2024 stress test results. On June 27, 2024, the FRB published its 2024 stress test results analyzing whether large banks are sufficiently capitalized and able to continue lending in the event of a severe recession. The FRB examined 31 banks in connection with its 2024 stress test and concluded that all have sufficient capital to absorb almost $685 million in losses and continue lending despite the adverse economic conditions. Under the severely adverse scenario, CET1 capital ratios remained above regulatory minimums throughout the projection horizon. Compared to the 2023 stress test results, the FRB noted (i) greater projected credit card losses due to increased balances and higher delinquency rates; (ii) higher projected corporate losses due to riskier corporate credit portfolios; and (iii) lower levels of pre-provision net revenue offset losses as a result of a decline in noninterest net revenue. The FRB’s 2024 stress test results signal that the large U.S. financial institutions remain well-capitalized and well-positioned to weather an economic downturn.

CFPB proposes interpretive rule to ensure workers know the costs and fees of paycheck advance products. On July 18, 2024, the CFPB issued a notice of proposed interpretive rule clarifying when the Truth in Lending Act, and by extension Regulation Z, applies to providers of “earned wage” credit to consumers. The proposed rule provides that “[e]arned wage products provide consumers with ‘the right to defer payment of debt or to incur debt and defer its payment’ because they incur a ‘debt’ when they obtain money with an obligation to repay via an authorization to debit a bank account or using one or more payroll deductions…” This model is contrasted with the scenario where “…an employee pays wages, [and] no later act of repayment is required, by deduction or otherwise.” The CFPB goes on to criticize so-called “no-cost” models that rely on tipping features or accelerated delivery fees.

CFPB publishes supervisory highlights from recent examinations of auto and student loan servicing companies. On July 2, 2024, the CFPB published its supervisory highlights report identifying violations of law and consumer harm in the areas of auto and student loan servicing and debt collection, including credit card debt collections.

Agencies finalize interagency guidance on reconsiderations of value for residential real estate valuations. On July 18, 2024, CFPB, FRB, FDIC, OCC and NCUA issued final guidance addressing reconsiderations of value (ROVs) for residential real estate transactions (the ROV Guidance). The ROV Guidance advises on policies and procedures that financial institutions may implement to allow consumers to provide financial institutions with information that may not have been considered during an appraisal or if deficiencies are identified in the original appraisal.

[1] See Chevron, U.S.A., Inc. v. Nat. Res. Def. Council, Inc., 467 U.S. 837 (1984).

[2] See 12 C.F.R. § 360 (Resolution and Receivership Rules).

[3] See e.g., 12 C.F.R. Parts 30 (OCC’s Safety and Soundness Standards) and 364 (FDIC’s Standards for Safety and Soundness).

[4] See 12 C.F.R. § 337.6(a)(5).

[5] See 12 C.F.R. § 303.243.

[6] See 12 C.F.R. § 337.6(a)(5)(ii)-(iii).

[7] See 12 C.F.R. § 303.243(b)(3)(i)(B).

[8] See 12 C.F.R. § 303.243(b)(3)(i)(A).

[9] For example, on May 21, 2024 the FDIC entered into a Consent Order with Thread Bank following compliance failures by the bank, including in connection with its fintech partnerships to offer BaaS and loan-as-a-service (LaaS) services.

[10] Note that during the Board of Directors of the FDIC’s July 30, 2024 meeting, the Board considered amendments to Part 354 (Industrial Banks) that would, among other changes, (i) make a parent company of an industrial bank subject to Part 354 if there is a change of control at the parent company or a merger in which the parent company is a resultant entity; and (ii) provide the FDIC with regulatory authority to apply Part 354 in other situations where an industrial bank would become a subsidiary of a company that is not subject to Federal consolidated supervision. In effect, these entities would be “Covered Companies” and would assume any resulting obligations to serve as a source of financial strength for their industrial bank under 12 U.S.C. § 1831o-1.

The following Gibson Dunn lawyers contributed to this issue: Jason Cabral, Ro Spaziani, Zach Silvers, Karin Thrasher, and Nathan Marak.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work or any of the member of the Financial Institutions practice group:

Jason J. Cabral, New York (212.351.6267, [email protected])

Ro Spaziani, New York (212.351.6255, [email protected])

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

M. Kendall Day, Washington, D.C. (202.955.8220, [email protected])

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Sara K. Weed, Washington, D.C. (202.955.8507, [email protected])

Ella Capone, Washington, D.C. (202.887.3511, [email protected])

Rachel Jackson, New York (212.351.6260, [email protected])

Chris R. Jones, Los Angeles (212.351.6260, [email protected])

Zack Silvers, Washington, D.C. (202.887.3774, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.