InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
CFPB to extend 1071 rule compliance deadlines
On May 17, the CFPB announced it is extending the compliance deadlines for the small business lending rule (Section 1071 of Dodd-Frank, the “1071 rule”), which will require financial institutions to collect and report data on lending to small businesses to the Bureau (covered by InfoBytes here). Following challenges to the 1071 rule in the U.S. District Court in Texas, the rule was stayed pending the Supreme Court’s decision in CFPB v. CFSA (covered by InfoBytes here). Considering the Supreme Court’s recent decision that the Bureau’s funding is constitutional and the district court’s order requiring the CFPB to extend the rule’s compliance deadlines to compensate for the period stayed, the Bureau will issue an interim final rule to extend compliance deadlines as follows:
- Tier 1 institutions (highest volume lenders): The new compliance date is July 18, 2025, and the first filing deadline is June 1, 2026.
- Tier 2 institutions (moderate volume lenders): The new compliance date is January 16, 2026, and the first filing deadline is June 1, 2027.
- Tier 3 institutions (lowest volume lenders): The new compliance date is October 18, 2026, and the first filing deadline is June 1, 2027.
CFPB and Fed adjust dollar thresholds for Regulation CC
On May 13, the CFPB and the Fed announced inflation-adjusted changes to Regulation CC, which governed the availability of customer funds from bank deposits. The final rule altered the minimum amounts that must be made available for withdrawal by the next business day for certain types of check deposits and modified the funds from certain checks deposited into new accounts that are subject to next-day availability. Mandated by Dodd-Frank, these adjustments were based on the five-year change in the CPI for Urban Wage Earners and Clerical Workers from July 2018 to July 2023. The updated thresholds will go into effect on July 1, 2025.
FTC’s Safeguards Rule notification requirement under GLBA now in effect
On May 14, the FTC published a business blog post announcing the Safeguards Rule, an amendment to the GLBA, is in effect as of May 13. The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and aims to protect customers' private personal information through data breach reporting requirements.
Additional revisions to the Rule related to data breach reporting were announced in October 2023, with amendments requiring covered companies to notify the FTC within 30 days of a security breach impacting at least 500 consumers. For reporting, businesses must use a new online form provided by the FTC. The Rule complements existing business security measures and does not negate other state and federal legal obligations. Businesses can refer to FTC guidance for further details on the rule and compliance requirements.
Agencies issue NPRM on incentive-based compensation
On May 6, the FDIC, OCC, NCUA and the FHFA issued a NPRM (proposed rule) on incentive-based compensation, pursuant to Dodd-Frank’s Section 956 (Section 956), which required federal regulators to prescribe regulations or guidelines regarding incentive-based compensation at covered financial institutions. Regulators first proposed a rule to implement Section 956 in 2011, and again in 2016. Now, regulators are reproposing the 2016 version without change, albeit with certain alternatives. The current proposal, however, will be published without involvement from the Fed or SEC.
Section 956 defined “covered financial institutions” as institutions with at least $1 billion in assets and include the following: depository institutions or depository institution holding companies, registered broker-dealers, credit unions, investment advisers, Fannie Mae, and Freddie Mac (or any other financial institution that federal regulators determined should be treated as a covered financial institution). Dodd-Frank required regulators to prohibit incentive-based compensation arrangements that encouraged “inappropriate risks.” The proposed rule included prohibitions intended to make these compensation arrangements more sensitive to risk, such as a ban on incentive-based compensation arrangements that do not include risk adjustment of awards, deferral of payments, or forfeiture and clawback provisions. In addition, the proposed rule set forth recordkeeping and disclosure requirements to help federal regulators monitor potential issues.
The agencies will review both new comments and those received in 2016 for the prior proposed rule. The agencies invited those who previously submitted comments and resubmit their comments to explain how their viewpoint may have changed from their prior comments. The agencies also requested comments on the compliance date and disclosures, like the recordkeeping and clawback requirements. Comments will be due no later than 60 days following publication in the Federal Register.
HUD announces FFRMS final rule
Recently, HUD announced a final rule to implement the Federal Flood Risk Management Standard to “protect communities from flood risk, heavy storms, increased frequency of severe weather events and disasters, changes in development patterns, and erosion.” The final rule will enact the FFRMS as mandated by Executive Order 13690 by amending two HUD regulations: (i) Part 55, Floodplain Management and Protection of Wetlands; and (ii) Part 200, Minimum Property Standards. Among other things, the final rule will raise the elevations and flood proofing requirements of properties in flood-prone areas that use federal funds for new construction or are financed through HUD’s grant or subsidy programs. The revisions to Minimum Property Standards specifically target Federal Housing Administration-insured new constructions located within the 100-year floodplain. The final rule becomes effective on May 23.
FTC finalizes new rule on health data breach notification requirements
On April 26, the FTC released a final rule that will amend its Health Breach Notification Rule to require vendors of health apps and related entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify affected individuals, the FTC, and in some cases, the media of a health data breach. The NPRM was published in May 2023 (covered by InfoBytes here). The final rule will apply to breaches of unsecured personally identifiable health data and, among other things, clarify that a “breach of security” to include “an authorized acquisition of unsecured [personal health record] identifiable health information that occurs as a result of a data security breach or unauthorized disclosure.” Further, the final rule will define a “[personal health record’s] identifiable health information” to cover health diagnoses, medications, health information tracked on applications or websites, or emergent health data to adopt health apps and privacy and data security risks collected by these technologies.
Under the rule, the FTC will require each vendor who discovered it was the target of a security breach of personal health record identifiable health information to notify each U.S. resident whose information was compromised during the security breach, notify the FTC, and, in cases where 500 or more residents are confirmed or reasonably believed to have been affected by the breach, to notify “prominent media outlets” no later than 60 days after the discovery of the breach (with an exception for law enforcement concerns). The rule will go into effect 60 days after the date of publication in the Federal Register.
FTC bans all non-competes for workers and new non-competes for senior executives
On April 23, the FTC released a final rule titled the “Non-Compete Clause Rule,” in a 570-page release, to “categorically ban” non-compete clauses in employment contracts with all workers after the effective date of the rule pursuant to the FTC’s UDAP authority, by rendering such clauses an unfair method of competition pursuant to Section 5 of the FTC Act. The final rule also renders most existing noncompete clauses unenforceable after the effective date of the final rule, with an exception for existing noncompete clauses for senior executives, which remain enforceable. The FTC explained that it viewed noncomplete clauses as “restrictive and exclusionary” with negative impacts on earnings, innovation, and market competition. The final rule defines “non-compete clause” as “a term or condition of employment that prohibits a worker from, penalizes a worker for, or functions to prevent a worker from (1) seeking or accepting work in the United States with a different person where such work would begin after the conclusion of the employment that includes the term or condition; or (2) operating a business in the United States after the conclusion of the employment that includes the term or condition.”
While the FTC decided against adopting a rescission requirement for non-competes in the final rule, it adopts notice requirements for all workers who are not senior executives requiring “the person who entered into the non-compete” to provide “clear and conspicuous notice to the worker by the effective date that the worker’s non-compete clause is no longer in effect and will not be, and cannot legally be, enforced against the worker.” The Commission noted that employers concerned about protecting confidential business information, may avail themselves of the protections of trade secret law and further noted that there are several states that have already substantially banned non-competes, and that within these states employers have found alternative methods to protect their investments.
The FTC’s final rule will go into effect 120 days after publication of the final rule in the Federal Register.
FHFA seeks public input on new closed-end second mortgage product
On April 22, the FHFA sent to the Federal Register a notice of a proposed new product from Freddie Mac to begin purchasing certain single-family closed-end second mortgages. According to the proposal, Freddie Mac would purchase certain closed-end second mortgage loans from approved and active sellers and on properties for which Freddie Mac already owns the first mortgage, subject to additional product and term limitations. FHFA’s stated goal is to offer borrowers a second mortgage at a lower interest rate than other financing alternatives given the higher interest rate environment, and increased competition among second mortgage lenders. FHFA requested comments on nine questions, with comments to be received by May 22.
FTC amends the TSR on recordkeeping and prohibiting misrepresentations
On April 16, the FTC issued a final rule amending the Telemarketing Sales Rule (TSR) to add requirements for telemarketers to maintain transaction records, prohibit misrepresentations, and add a new definition for “previous donor” in the context of robocalls on behalf of charitable organizations. This will be the fifth time the TSR has been amended since its enactment in 1995, with previous amendments creating the National Do Not Call Registry in 2003, prohibiting sellers to use prerecorded messages (i.e., robocalls) in 2008, banning debt relief services from requiring an advance fee in 2010, and most recently, barring certain payment mechanisms used in fraudulent transactions in 2015. The FTC’s new amendments to the TSR will require telemarketers to retain a copy of each prerecorded message, call detail records, records to show an established business relationship, records on charitable donations and the do-not-call registry. On the rule’s efforts to prohibit misrepresentations, marketers will be prohibited from making misrepresentations about the good or service they are selling or false statements to induce a charitable contribution. The final rule also will update the definition of “previous donor” to allow telemarketers to place robocalls on behalf of a charity only to customers who have donated to a charity within the previous two years. The amendment will go into effect on May 16 with mandatory compliance beginning October 16.
FTC issues NPRM to extend TSR coverage for inbound calls on elder fraud
On April 16, the FTC published an NPRM for the Telemarketing Sales Rule (TSR) in the Federal Register to extend the TSR’s coverage to inbound telemarketing calls by consumers to include technical support service – i.e., calls that consumers would make in response to an advertisement. The FTC noted this extension of the TSR would allow the FTC to “obtain stronger relief,” such as civil penalties and consumer redress, when consumers would be affected by tech support scams. The FTC argued that this proposed expansion of the TSR would be necessary given the rise in consumer complaints regarding tech support scams, explaining that consumer complaints rose from 40,000 complaints in 2017 to nearly 115,000 complaints in 2021. Additionally, the FTC explained that in 2018, consumers reported losses totaling over $55 million from these scams and noted that the scams disproportionately affected consumers over 60 years old. The proposed rule would define technical support services as a program or service that would be marketed to repair, maintain or improve the performance and security of electronic devices. The FTC explained that this broad definition will be necessary because scammers purport to offer such services as they evolve with changes to technology and consumer behavior; additionally, scammers would aim to profit from a consumer’s problems or unfamiliarity with technology. In sum, the proposed rule would add “tech support services” to the list of categories excluded from the TSR exemptions for inbound calls, specifically when such calls are in response to an advertisement “through any medium”; this exclusion will also extend to inbound calls in response to “a direct mail solicitation” including email. The FTC will seek comments on its proposed rule, including on nine specific questions, and comments must be received by June 17.