- Updated Annual Meeting Guidance for Mutual Banks and Mutual Holding Companies
- FDIC and OCC Adopt Final Rules on the Role of Supervisory Guidance
- Data Breach Notice Requirements Proposed for Banks and Their Service Providers
- OCC Proposes New National Bank and Federal Thrift Rule for Investments in Premises
- Other Developments: Suspicious Activity Reporting, and Escrow Accounts
1. Updated Annual Meeting Guidance for Mutual Banks and Mutual Holding Companies
The Massachusetts Division of Banks has issued new guidance for mutual banks and mutual holding companies that have not yet held their 2020 annual meetings due to the ongoing COVID-19 public health emergency. The guidance also clarifies the Division’s expectations for 2021 annual meetings. The guidance released on January 21, Updated Annual Meeting Guidance for Mutual Banks and Mutual Holding Company Subsidiary Bank, supplements the Division’s June 2020 guidance that any mutual institution that postponed its annual meeting until after the COVID-19 emergency ended would not be subject to any adverse regulatory finding by the Division. According to the new guidance, the Division recognizes that while the COVID-19 emergency has not ended, annual meetings cannot be postponed indefinitely. The new guidance advises mutual institutions to hold their 2021 annual meetings either in-person in accordance with applicable public health guidance on in-person gatherings, or as virtual or hybrid meetings in accordance with the Division’s June 2020 guidance. The Division’s June 2020 guidance stated that the Division would not take adverse regulatory action if a mutual bank or mutual holding company opts to conduct its 2020 annual meeting through remote communication under certain circumstances, regardless of whether the mutual institution’s by-laws include an election to follow the corporate governance provisions of the Massachusetts law that allows Massachusetts business corporations in stock form to conduct meetings of shareholders by means of remote communication – treating a mutual institution’s corporators or depositors, as applicable, as if they were “shareholders” under that law.
According to the new guidance, the Division does not expect any mutual institution that has not yet held its 2020 annual meeting to hold separate 2020 and 2021 annual meetings, but advises any such institution to consider and vote on any matters that would have been considered at its 2020 annual meeting during its 2021 annual meeting. Click here for a copy of the new annual meeting guidance for mutual institutions.
Nutter Notes: The Division’s June 2020 guidance emphasized that, if a mutual institution’s charter or by-laws specifically requires that its annual meeting be conducted in-person, or specifically prohibits holding the meeting by means of remote communication, then the institution would not be permitted to conduct its annual meeting by means of remote communication in reliance on the Division’s guidance. In such circumstances, a virtual or hybrid meeting would only be permissible if the institution’s charter or by-laws were first amended to remove that kind of requirement or prohibition, as applicable. While the Division’s new guidance and its June 2020 guidance provide comfort that the Division will not object on supervisory grounds to a mutual institution that conducts its annual meeting by means of remote communication even if the institution has not previously amended its by-laws to elect to follow the Massachusetts business corporation law as a source of authority on governance procedures, legal questions could remain with respect to the validity or efficacy of actions taken at such a meeting under those circumstances. A mutual institution that conducts a virtual or hybrid meeting without first designating in its by-laws that the institution may follow the corporate governance procedures of the Massachusetts business corporation law risks exposure to claims that the meeting was conducted ultra vires—without legal power or authority—and that any action taken at the meeting is therefore invalid, including the elections of corporators, trustees, or directors, as applicable, which could in turn call into question the validity of actions taken by those persons on behalf of the institution.
2. FDIC and OCC Adopt Final Rules on the Role of Supervisory Guidance
The FDIC and the OCC have separately approved final rules that outline and confirm how each agency uses supervisory guidance, and affirm the principle that supervisory guidance does not have the force and effect of law. The final rules announced on January 19 codify the Interagency Statement Clarifying the Role of Supervisory Guidance, which was jointly issued by the FDIC, OCC, Federal Reserve, NCUA, and CFPB on September 11, 2018. The 2018 interagency statement confirmed that the agencies recognize that, unlike a law or regulation, supervisory guidance only outlines supervisory expectations and priorities, or articulates the agencies’ general views about appropriate practices on particular issues. The final rules reiterate that the FDIC and OCC will not take enforcement actions based on supervisory guidance or issue supervisory criticisms (such as matters requiring attention noted on reports of examination) based on non-compliance with supervisory guidance. Because the agencies have incorporated into their final rules the 2018 interagency statement, it is binding on the agencies. The codification of the 2018 interagency statement is still being considered by the Federal Reserve and the other agencies. The FDIC’s and the OCC’s final rules will become effective 30 days after they are published in the Federal Register, which is expected shortly. Click here for a copy of the FDIC’s final rule, and here for a copy of the OCC’s final rule.
Nutter Notes: The FDIC separately issued on January 19 a revised version of its Guidelines for Appeals of Material Supervisory Determinations. According to the FDIC, the revised guidelines are meant to enhance the independence of appeals decisions and to clarify the procedures and timeframes that apply to appeals when the FDIC is taking a formal enforcement action. The revised guidelines establish an independent office within the FDIC, the Office of Supervisory Appeals, to replace the existing Supervision Appeals Review Committee. The revised guidelines will take effect when the Office of Supervisory Appeals is fully operational, and current guidelines on supervisory appeals will remain in effect until the FDIC announces that the new office is operational. Under the revised guidelines, appeals submitted to the new office will be decided by a panel of reviewing officials, and the new office will have authority to issue material supervisory determinations. The revised guidelines will also allow a bank to request expedited review in an appeal to the new office. While reviewing officials at the new office will have bank supervisory or examination experience, the FDIC said that it plans to recruit reviewing officials from outside the agency to promote the independence of the new office. Click here for a copy of the revised guidelines.
3. Data Breach Notice Requirements Proposed for Banks and Their Service Providers
The federal banking agencies have requested comments on a jointly proposed rule that would require a banking organization to promptly notify its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident,” as those terms are defined in the proposed rule. If adopted, the proposed rule published on January 12 would require a banking organization to give notice to its primary federal regulator as soon as possible and no later than 36 hours after the organization believes in good faith that a notification incident has occurred. The proposed rule would also require each bank service provider to notify its affected banking organization customers immediately after the service provider experiences a computer-security incident (whether or not it constitutes a notification incident) that the service provider believes in good faith could disrupt, degrade, or impair services provided for four or more hours. The proposed rule defines a computer-security incident as an “occurrence that (i) results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or (ii) constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” The proposed rule defines a notification incident to include a computer-security incident that a banking organization believes could materially damage either the organization’s ability to carry on its operations to a material portion of its customers, or any business line that would result in a material financial loss, or those operations of the organization that would pose a threat to the financial stability of the United States if they failed. Public comments on the proposed rule are due by April 12. Click here for a copy of the proposed rule.
Nutter Notes: The proposed rule would impose notification requirements for a broader set of computer information system security incidents than is currently required under federal law or regulations. Federal banking regulations currently require a banking organization to notify its primary federal regulator as soon as possible if it becomes aware of an incident that involves unauthorized access to or use of “sensitive customer information.” Sensitive customer information is defined as certain identifying information (a customer’s name, address, or telephone number) in combination with the customer’s “Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account.” Current regulations provide that sensitive customer information also includes any combination of other customer information that would allow someone to access the customer’s account, such as through an online or mobile banking platform. The federal banking agencies’ anti-money laundering regulations also require a banking organization to report certain instances of information system security incidents and cyber-crimes through the filing of a Suspicious Activity Report. The proposed rule would require a report to a federal banking agency of notification incidents even if no sensitive customer information is involved and no crime has occurred or is suspected.
4. OCC Proposes New National Bank and Federal Thrift Rule for Investments in Premises
The OCC has requested comment on a proposed rule that would amend the investment permissibility standards for bank premises investments that apply to national banks and to federal savings associations and combine those standards into a single rule. If adopted, the proposed rule released on January 4 would implement an occupancy test and excess capacity standards that would allow national banks and federal savings associations to better determine whether it is permissible to acquire or hold certain real estate if the entire parcel would not be occupied by the banking organization. The proposed rule would define “bank occupied premises” to mean real estate in which more than 50% of each building or “severable piece of land” is used by a banking organization’s personnel. The definition would include facilities operated by a third-party vendor that provides services to a banking organization’s personnel or that “otherwise facilitate” banking operations. Examples of such vendor-operated facilities would include a fitness center, cafeteria, daycare, or printing facility. Under the proposed rule, a national bank or federal savings association would be permitted to rent out any remaining unoccupied space in real estate that qualifies as bank occupied premises to avoid economic loss or waste, consistent with existing OCC rules. Public comments on the proposed rule will be due 45 days after it is published in the Federal Register, which is expected shortly. Click here for a copy of the proposed rule.
Nutter Notes: The OCC’s proposal noted that its current legal interpretations provide examples of permissible investments in real estate for bank premises, but that the OCC has determined that they do not provide general principles that national banks and federal savings associations can apply to new acquisitions of real estate. The OCC’s proposal also noted that the statutory regimes that provide authority to national banks and federal savings associations to invest in bank premises are not identical, and the OCC has requested comments on whether the agency should apply different requirements to national banks and federal savings associations rather than combining the bank-occupied premises requirements into a single rule. The OCC has requested input from banks and other interested parties about whether 50% is the appropriate standard for determining whether premises are “bank occupied,” or whether a higher or lower percentage should be used. Under the Massachusetts bank parity statute, Massachusetts-chartered banks may be able to make certain investments in real estate for bank premises for which there is not currently express authorization under Massachusetts law if such investments become permissible for national banks or federal thrifts as a result of the OCC’s rulemaking.
5. Other Developments: Suspicious Activity Reporting, and Escrow Accounts
- Federal Regulators Publish New Answers to Frequently Asked BSA/AML Questions
The federal banking agencies, together with the Financial Crimes Enforcement Network of the U.S. Treasury Department and the NCUA, jointly issued new guidance on January 19 in the form of responses to frequently asked questions (“FAQs”) regarding Suspicious Activity Reports and other anti-money laundering considerations. The FAQs clarify supervisory expectations applicable to requests by law enforcement to maintain accounts, a bank’s receipt of grand jury subpoenas and law enforcement inquiries, and maintaining customer relationships following the filing of a Suspicious Activity Report, among other topics.
Nutter Notes: According to the federal banking agencies, the guidance contained in the FAQs does not alter existing Bank Secrecy Act/anti-money laundering legal or regulatory requirements, and does not establish any new supervisory expectations. Click here for a copy of the FAQs.
- CFPB Issues Final Rule on Escrow Exemptions for Higher-Priced Mortgage Loans
The CFPB issued a final rule on January 19 that amends Regulation Z, which governs compliance with the Truth in Lending Act, to implement a requirement under the Economic Growth, Regulatory Relief, and Consumer Protection Act to exempt certain banks and other insured depository institutions from a federal requirement to establish escrow accounts for certain higher-priced mortgage loans. The final rule will become effective on the date it is published in the Federal Register, which is expected shortly.
Nutter Notes: The CFPB’s final rule exempts from the applicable escrow requirement for higher-priced mortgage loans a first lien home mortgage loan if the insured depository institution has assets of $10 billion or less, the institution and its affiliates originated 1,000 or fewer such loans during the preceding calendar year, and certain of the current higher-priced mortgage loan escrow exemption criteria under Regulation Z are satisfied. Click here for a copy of the final rule.