Monthly Bank Regulatory Report (October 2024)
Client Alert | October 31, 2024
We are pleased to provide you with the October edition of Gibson Dunn’s monthly U.S. bank regulatory update. Please feel free to reach out to us to discuss any of the below topics further.
KEY TAKEAWAYS
- The Office of the Comptroller of the Currency (OCC) released its bank supervision operating plan for fiscal year 2025 signaling the OCC’s supervision priorities for the next fiscal year. Although the key areas of heightened focus for supervisory strategies in fiscal year 2025 largely mirror those from fiscal year 2024, changes or updates include (predictably) a focus on third-party risk management, as well as a heightened focus on capital optimization activities (e.g., credit risk transfer transactions) and changes to the supervisory posture with respect to climate-related financial risks.
- The Consumer Financial Protection Bureau (CFPB) issued its final rule implementing Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. The final rule was quickly met with a challenge by the Bank Policy Institute and Kentucky Bankers Association.
- On October 21, 2024, the OCC finalized revisions to its recovery planning guidelines for national banks, federal savings associations and federal branches, expanding coverage of the guidelines to institutions with at least $100 billion in total assets (reduced from $250 billion). As adopted, the guidelines include a new “risk-based” testing standard and changes designed to ensure that non-financial risks are addressed in recovery planning efforts. The final guidelines become effective on January 1, 2025, with changes to the initial compliance dates.
- The Federal Deposit Insurance Corporation (FDIC) extended the comment period on its brokered deposits proposal until November 21, 2024 and the comment period on its request for information on deposit data until December 6, 2024. See our Client Alert on both here.
- The New York State Department of Financial Services (NYDFS) released guidance to address cybersecurity risks arising from artificial intelligence (AI). The guidance does not impose new requirements beyond those obligations codified in the NYDFS’ cybersecurity regulations—23 NYCRR Part 500. Instead, according to the NYDFS, the guidance is designed “to explain how [covered entities] should use the framework set forth in Part 500 to assess and address the cybersecurity risks arising from AI.”
DEEPER DIVES
OCC Releases Bank Supervision Operating Plan for Fiscal Year 2025. On October 1, 2024, the OCC released its bank supervision operating plan for fiscal year 2025. The plan signals the OCC’s supervision priorities for the fiscal year. The key areas of heightened focus for supervisory strategies in fiscal year 2025 largely mirror key areas of focus in the fiscal year 2024 plan (e.g., BSA/AML, cybersecurity, consumer compliance, asset/liability management, credit and allowance for credit losses, operational risk, enterprise change management, payments, CRA, fair lending), with certain notable changes or updates.
- Insights. Not surprisingly, the plan includes as a new, separate line item, third-party risks and third-party risk management. The plan also specifically identifies capital as an area of heightened focus, most notably capital optimization activities, “including any new plans by banks to engage in credit risk transfer transactions.” With respect to climate-related financial risks for banks (or U.S. branches of foreign banks) with over $100 billion in total assets, the 2025 plan states that “examiners should conduct target examinations” to assess banks’ ability to identify and manage climate-related financial risks. The 2024 plan contemplated examiners’ “engagement with bank management” with respect to climate-related financial risks. Finally, the 2025 plan excludes substantive discussion of distributed ledger technology-related products and services.
OCC Finalizes Revisions to Its Recovery Planning Guidelines. On October 21, 2024, the OCC finalized revisions to its recovery planning guidelines. Under the final rule, coverage of the recovery planning guidelines was extended to institutions with $100 billion or more in total assets—down from the current $250 billion threshold. The revised guidelines become effective on January 1, 2025.
- Insights. The final guidelines implement two principal changes from the July 3, 2024 proposal. First, the testing requirement is now risk-based—i.e., “appropriate for the bank’s individual size, risk profile, activities, and complexity, including the complexity of its organizational and legal entity structure.” Second, the guidelines provide covered institutions with more time to both develop a testing framework and conduct testing. Specifically, under the final guidelines, institutions currently subject to the guidelines will have 12 months to amend their recovery plans to address non-financial risk and an additional 6 months to comply with the new testing provision; institutions that are not covered by the current guidelines but that become subject to the guidelines on the effective date (or thereafter) will have 12 months to develop their recovery plan and an additional 12 months to comply with the testing provision. Finally, the revised guidelines include the condition that recovery planning “should appropriately consider both financial risk and non-financial risk (including operational and strategic risk).”
CFPB Releases Personal Financial Data Rights Final Rule. On October 22, 2024, the CFPB issued its final rule implementing Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act, commonly referred to as the “open banking” rule. The stated policy rationale of Section 1033 is to empower consumers and authorized third parties to access account data controlled by certain financial data providers in a safe, secure, reliable and competitive manner. “Data providers” include financial institutions as defined in Regulation E, card issuers as defined in Regulation Z, digital wallet providers, and “any other person that controls or possesses information concerning a covered consumer financial product or service that the consumer obtained from that person”, but excludes depository institutions with less than $850 million in total assets—which are exempt from the final rule’s requirements.
Under the final rule, data providers are required to transfer an individual’s personal financial data (Covered Data) to another party at the consumer’s request for free. The final rule requires data providers to create and maintain a consumer interface and a developer interface, and to make this Covered Data available in a machine-readable format without charge. Data providers must also establish and maintain written policies and procedures, though data providers do have the flexibility to design policies and procedures to avoid acting inconsistently with other legal obligations, or in a way that could reasonably hinder enforcement against unlawful or potentially unlawful conduct. Although depository institutions with less than $850 million in total assets are exempt from the final rule’s requirements, nondepository entities of all sizes must comply with the final rule.
The final rule includes several other notable deviations from the October 19, 2023 proposed rule. First, it provides an extended, tiered compliance structure. The first compliance date, which applies to the largest bank and non-bank covered entities, is April 1, 2026. Second, there is no assignment of liability among commercial entities or safe harbors from the Electronic Fund Transfer Act and Regulation E or the Truth in Lending Act and Regulation Z. Third, the final rule includes an exclusion for any products or services that “merely facilitate first party payments”, defined as “a transfer initiated by the payee or an agent acting on behalf of the underlying payee.” However, this exclusion is narrow because first party payments that relate to a product that facilitates payments to other payees or a data provider that is otherwise providing a Regulation E or Regulation Z account remain in scope.
Immediately following the release of the rule, the Bank Policy Institute and Kentucky Bankers Association filed a lawsuit against the CFPB in U.S. District Court. The lawsuit asserts that the CFPB exceeded its statutory authority and finalized a rule that jeopardizes consumers’ privacy, financial data and account security. The lawsuit raises several key concerns with the final rule.
- Insights. In parallel with legal challenges, covered entities are expected to prepare to come into compliance with the final rule. Both depository and nondepository institutions will be significantly impacted by the final rule, but the impacts will be different. All covered entities will need to engage in a mapping exercise to determine the products and data in scope and uplift their infrastructure to comply with the requirements. Banks will likely have an increased focus on ascertaining the risks associated with the compliance requirements and determining the appropriate risk mitigation. Nondepository institutions that less clearly control or possess Covered Data may be required to face significant reengineering hurdles to make Covered Data available consistent with the requirements of the final rule.
NYDFS Issues New AI Guidance. On October 16, 2024, the NYDFS published guidance addressing how AI is changing cyber risk and how covered entities can mitigate risks associated with AI. According to the NYDFS, the guidance does not impose any new requirements, but rather explains how covered entities should use the Part 500 framework to address cybersecurity risks arising from the use of AI. The Guidance addresses four risks related to the use of AI: (i) AI-enabled social engineering; (ii) AI-enhanced cybersecurity attacks; (iii) exposure or theft of vast amounts of nonpublic information; and (iv) increased vulnerabilities due to third-party, vendor, and other supply chain dependencies. The guidance maintains that covered entities must assess AI-related risks and implement minimum cybersecurity standards to address such risks. Examples of compensating controls include: (1) cybersecurity risk assessments; (2) incorporating AI-risks into business continuity and disaster recovery planning; and (3) incorporating AI-related risks into third-party risk management processes.
- Insights. The guidance provides examples on how covered entities may fortify their pre-existing programs to address AI-related risks and highlights some of the current cybersecurity risks associated with AI that all organizations should consider when developing a cybersecurity program and implementing cybersecurity controls. Critical to undertaking a risk mitigation strategy, covered entities should first consider the risks presented by AI in their cybersecurity risk assessments. Even if a covered entity itself does not deploy AI tools, the covered entity should consider both AI used by any third-party service provider, and the risks that bad actors may use AI to infiltrate covered entities’ information systems.
FSOC Continues Focus on Private Credit. On October 18, 2024, the Financial Stability Oversight Council (FSOC) met in executive session. At the meeting, the FSOC received updates from Treasury and other regulators’ staffs on efforts to provide better visibility into private credit. The readout from the meeting noted “that the current lack of transparency in the private credit market can make it challenging for regulators to fully assess the buildup of risks in the sector.”
Relatedly, both Commissioner Peirce and Acting Comptroller Hsu recently weighed in on this topic. On October 15, Commissioner Peirce gave a speech titled “Temporarily Terrified by Thomas: Remarks on Private Credit” in which she emphasized the need to understand the private credit market and to use existing tools in monitoring the evolving market. She noted that “[i]nvoking systemic risk to regulate private credit in the same way we regulate bank lending would engender risks of its own. Doing so would squelch the dynamism that enables the non-bank sector to serve companies and investors so well. It would homogenize the market, which could make future financial contagion more, not less, likely. … If anything, the growing private credit sector may highlight the need for streamlining our public market regulation.” In addition, on October 25, 2024, Acting Comptroller Hsu gave a speech titled “Systemic Risk and Crossing the Hellespont.” In his remarks, Acting Comptroller Hsu identified private credit (along with “banking supply chains and, possibly, mortgage servicing”) as areas that are being closely monitored by regulators for potential build ups of systemic risk.
- Insights. The FSOC highlighted its focus on the private credit market in its 2023 Annual Report and such attention has continued through 2024. This focus follows the FSOC’s easing of its process to designate nonbank financial companies as systemically important financial institutions coupled with banking regulation that created additional opportunities for nonbanks in the private credit sector. Whether and how the FSOC seeks to make designations in the private credit or other sectors is likely to be impacted by the upcoming U.S. election.
OTHER NOTABLE ITEMS
FDIC Announces Extension of Comment Period for Proposed Changes to its Brokered Deposits Regulations and Request for Information on Deposit Data. On October 8, 2024, the FDIC announced it will extend until November 21, 2024 the comment period on its notice of proposed rulemaking proposing significant changes to the FDIC’s brokered deposits rules. The FDIC also separately announced it is extending until December 6, 2024 the comment period on its Request for Information on deposit data.
Vice Chairman Hill Updates FDIC Staff’s Review of Applications Pending Before FDIC. Following the October 17, 2024 meeting of the FDIC Board, Vice Chairman Travis Hill released a statement lauding FDIC staff’s work to improve the application review process and reduce the number of merger and FDIC deposit insurance applications outstanding for more than nine months. According to Vice Chairman Hill, that number has “consistently hovered around 10” over the last two-and-a-half years; it currently sits at three for the first time since October 2021. Following a June 20, 2024 FDIC Board resolution, FDIC staff is now required to brief the full FDIC Board “any time a merger or deposit insurance application is outstanding for more than nine months.”
Speeches by Governor Bowman on Community Banking. On October 2, 2024 and October 11, 2024, Federal Reserve Board Governor Michelle Bowman gave speeches titled “Building a Community Banking Framework for the Future” and “Challenges to the Community Banking Model.” In her speeches, Governor Bowman reiterated consistent themes like the tradeoffs of regulation, guidance and supervision and their unintended consequences, competition and de novo banking, tailoring, and the risks faced by community banks.
Speech by Governor Bowman at the Eighth Annual Fintech Conference hosted by the Federal Reserve Bank of Philadelphia. On October 23, 2024, Federal Reserve Board Governor Michelle Bowman gave the opening remarks for the second day of the Federal Reserve Bank of Philadelphia’s annual fintech conference. In her remarks, Governor Bowman reiterated her view that regulators “have an obligation to understand the functionality of new innovations” and encouraged regulators to “prioritize how we integrate innovation as we revise or enhance regulatory frameworks.”
Speech by Governor Waller on DeFi. On October 18, 2024, Federal Reserve Board Governor Christopher Waller gave a speech titled “Centralized and Decentralized Finance: Substitutes or Complements?” Governor Waller’s speech examined whether DeFi and centralized finance are substitutes or complementary. While citing the benefits of the technology underlying decentralized finance, Governor Waller ultimately concluded that technological innovations stemming from DeFi are largely complementary to centralized finance and have the ability to “improve centralized finance” and realize “significant value” to financial intermediaries in the financial markets.
Speeches by Governor Jefferson on the Discount Window. On October 8, 2024 and October 9, 2024, Vice Chair Phillip Jefferson gave a two-part speech titled “A History of the Fed’s Discount Window: 1913–2000” and “The Fed’s Discount Window: 1990 to the Present,” respectively. In his speeches, Vice Chair Jefferson detailed the history of the Federal Reserve’s Discount Window from its inception in 1913 through its evolution in the 21st century and explored the rise of the Discount Window “stigma” and tackled ways in which the Federal Reserve is working to eliminate or reduce that stigma.
Speech by Governor Cook on AI. On October 1, 2024, Federal Reserve Board Governor Lisa Cook gave a speech titled “Artificial Intelligence, Big Data, and the Path Ahead for Productivity.” Her speech explored the potential impacts of AI and big data on productivity and labor markets. Governor Cook reiterated her “cautiously optimistic” view on AI while noting that there is still a great deal of uncertainty surrounding AI’s long-term effects.
OCC Solicits Research on AI in Banking. On October 7, 2024, the OCC announced it was soliciting academic research papers on the use of AI in banking and finance. Authors of selected papers will be invited to present to OCC staff and other stakeholders on June 6, 2025. Interested researchers can submit papers to [email protected]. The deadline for submission is December 15, 2024.
FDIC Extends Compliance Date for Subpart A of the FDIC Official Signs and Advertising Requirements, False Advertising, Misrepresentation of Insured Status, and Misuse of the FDIC’s Name or Logo. On October 17, 2024, the FDIC announced that the compliance deadline for the FDIC’s new rule on FDIC signage and advertising (Subpart A of Part 328) has been extended from January 1, 2025, to May 1, 2025. Specifically, such rules require (i) the use of the FDIC official sign, official digital sign, and other signs differentiating deposits and non-deposit products across all banking channels; and (ii) the establishment and maintenance of policies and procedures designed to achieve compliance with Part 328. The compliance deadline for rules relating to misrepresentations of deposit insurance coverage (Subpart B of Part 328) remains January 1, 2025.
The following Gibson Dunn lawyers contributed to this issue: Jason Cabral, Ro Spaziani, Zach Silvers, Karin Thrasher, and Nathan Marak.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.