As anticipated, the OCC, Federal Reserve Board, and FDIC recently approved and released the Final Rule Requiring Computer-Security Incident Notification (“Final Rule”).  The Final Rule is designed to promote early awareness and stop computer security incidents before they become systemic.  It places new reporting requirements on both U.S. banking organizations, as well as bank service providers.    

The Final Rule applies to “banking organizations” as defined in the Final Rule.  Covered banking organizations are required to provide notice to their relevant regulator in the event that a “Notification Incident” occurs.  A Notification Incident is a computer security event that results in actual harm to the confidentiality, integrity, or availability of information or an information system, when that occurrence has—or is reasonably likely to—materially disrupt or degrade:

  • a banking organization’s ability to carry out banking operations or deliver banking products and services to a material portion of its customer base;
  • business line(s), that upon failure would result in a material loss of revenue, profit, or franchise value; or
  • operations, including associated services, functions, and support, the failure or discontinuance of which would pose a threat to the financial stability of the United States.

The Final Rule specifically calls out ransomware and DDOS attacks as potential Notification Incident. Banking organizations that suffer a Notification Incident must provide notice to their respective regulator as soon as possible, but not later than 36 hours after the occurrence of the incident.  Despite the 36-hour notification window, covered banking organizations that offer “sector critical services” are encouraged to provide same day notification.  Finally, the required notice should be provided either by email, telephone, or any other similar methods later prescribed by regulators for providing notice.

The Final Rule also requires that bank service providers notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has—or is likely to—materially disrupt or degrade covered services for more than four hours.  Banking organizations and service providers are required to work collaboratively to designate a method of communication that is feasible for both parties and reasonably designed to ensure that banking organizations actually receive the notice in a timely manner.  This requirement is designed to enable a banking organization to promptly respond to an incident, determine whether it must notify its primary federal regulator, and take any other measures that may be appropriate.

The Final Rule is likely to impact the operations of both banking organizations and bank service providers.  Banking entities should closely review the definitions in this Final Rule to determine whether they fall within its scope.  Moving forward, covered entities should expect to include relevant notification provisions in new and existing service contracts.  Covered entities will also want to ensure that they create internal policies and procedures for identifying when an incident requiring notification has occurred, and what steps must be taken by whom to provide notice to relevant parties in compliance with the Final Rule.


The CFPB has agreed to settle the lawsuit filed by the National Association of Consumer Advocates, U.S. Public Interest Research Group, and Professor Kathleen Engel challenging the legality of the Bureau’s Taskforce on Federal Consumer Financial Law.  The central allegation in the complaint was that the Taskforce failed to comply with the Federal Advisory Committee Act (FACA), a federal law that governs the creation, operation, and management of advisory committees to federal agencies.  The Taskforce released its report making recommendations on how to improve consumer protection in the financial marketplace in January 2021.

In the Stipulated Settlement Agreement, the parties stipulate that the Taskforce was subject to FACA and that the CFPB failed to comply with FACA’s requirements in establishing and operating the Taskforce.  The Settlement Agreement also provides that:

  • The Bureau will release to the plaintiffs, on a rolling basis, all Taskforce records “that would have been made public if the [Bureau] had complied with FACA’s requirements.”  The rollout will begin on January 17, 2022 and must be completed by March 22, 2022.  The Bureau will also make the records publicly available on its website.
  • The Bureau will amend the Taskforce’s two-volume report to add a disclaimer stating that the report was produced in violation of FACA and to add “a prominent warning label” in bold red font on the cover page of each volume stating that the report was produced in violation of FACA.  The disclaimer must include a description of the FACA requirements that the Bureau failed to satisfy.  It must also include the following statement:

Adhering to FACA’s requirements ‘ensure[s] that advisory committees are fairly constituted and properly monitored so that they will provide sound advice.’ (case citation omitted)  Because the Taskforce did not comply with FACA’s requirements, readers should not assume that the report provides ‘sound advice.’

  • The Bureau will move the Taskforce webpage which is currently located under the Rules and Policy Page to the Advisory Committees Page and add a disclaimer on the Taskforce webpage that the Taskforce was created in violation of FACA.  The Bureau will ensure that any links to the Taskforce on its website, including in prior press releases, are directed to the amended report. The current version of the report will be removed from the Bureau’s website.

Within minutes of its release in January 2021, the Taskforce’s report met with intense criticism from consumer advocacy groups.  In our blog post about the report, we commented that given the then imminent change in Administrations, there was considerable uncertainty as to what the ultimate impact of the Taskforce’s recommendations will be.  While the settlement does not fully expunge the report from the public record, it clearly will allow the CFPB’s current leadership to ignore the Taskforce’s recommendations when exercising the CFPB’s authorities.


Joined by two CBA representatives who previously served at the CFPB, we discuss the key arguments advanced in the white paper for why rulemaking and informal written guidance are more effective tools than enforcement for the Bureau to use to create new standards and expectations for industry and to carry out its consumer protection mission.  We also discuss how CBA plans to use the white paper to address industry concerns that may arise from the CFPB’s expected strong reliance on its enforcement authority under its current leadership.

Chris Willis, Co-Chair of Ballard Spahr’s Consumer Financial Services Group, hosts the conversation.

Click here to listen to the podcast.

Click here to read our blog post about and access the white paper.

In Bulletin 2021-36 Freddie Mac addresses cryptocurrency in the mortgage qualification process. Freddie Mac indicated that it is providing guidance “[d]ue to the high level of uncertainty associated with cryptocurrency.”

Freddie Mac advises that the Seller/Servicer Guide is updated to include the following guidance:

  • Income paid to the borrower in cryptocurrency may not be used to qualify for the mortgage.
  • For income types that require evidence of sufficient remaining assets to establish likely continuance (e.g., retirement account distributions, trust income and dividend and interest income, etc.), those assets may not be in the form of cryptocurrency.
  • Cryptocurrency may not be included in the calculation of assets as a basis for repayment of obligations.
  • Monthly payments on debts secured by cryptocurrency must be included in the borrower’s debt payment-to-income ratio and are not subject to the guide provisions regarding installment debts secured by financial assets.
  • Cryptocurrency must be exchanged for U.S. dollars if it will be needed for the mortgage transaction (i.e., any funds required to be paid by the borrower and borrower reserves).

Freddie Mac notes that it “will continue to monitor cryptocurrency developments and may update these requirements as appropriate in the future.”

The Federal Reserve Board, FDIC, and OCC (collectively, the “Agencies”) issued on November 23 a short Joint Statement on Crypto-Asset Policy Sprint Initiative and Next Steps (“Joint Statement”), which announced – without further concrete detail – that they had assembled a “crypto asset roadmap” in order to provide greater clarity in 2022 to banks on the permissibility of certain crypto-asset activities.  Only the week before, the OCC’s Chief  issued Interpretive Letter #1179, which confirmed that a national bank or federal savings association could engage in certain cryptocurrency, distributed ledger and stablecoin activities – consistent with prior OCC letters – so long as a bank shows that it has sufficient controls in place, and first obtains written notice of “non-objection” by its supervisory office.  This post will discuss both publications.

There is great overlap between the bank activities referenced in the Joint Statement and Interpretive Letter #1179.  The 2022 clarity promised by the “roadmap” presumably will supersede, once issued, Interpretive Letter #1179, which appears to function as a general stop-gap until the 2022 publications hopefully provide more detail regarding exactly how banks can attain compliance.

Federal banking regulators have been busy in this space.  These pronouncements come closely on the heels of a Report on Stablecoins issued earlier in November by the Agencies and the U.S. President’s Working Group on Financial Markets, which delineated perceived risks associated with the increased use of stablecoins and highlighted three concerns: risks to rules governing anti-money laundering (“AML”) compliance, risks to market integrity, and general prudential risks.

A “Crypto Asset Roadmap” Promising Future Clarity

In the Joint Statement, the Agencies state that they “recognize that the merging crypto-asset sector presents potential opportunities and risks for banking organizations, their customers, and the overall financial system.”  Accordingly, “it is important that [the Agencies] provide coordinated and timely clarity where appropriate to promote safety and soundness, consumer protection, and compliance with applicable laws and regulations, including [AML] and illicit finance statute and rules.”  The Joint Statement therefore provides a “crypto asset roadmap” — the five bullet points set forth below — regarding topics for which the Agencies “plan to provide greater clarity [throughout 2022] on whether certain activities related to crypto-assets conducted by banking organizations are legally permissible, and expectations for safety and soundness, consumer protection, and compliance with existing laws and regulations[.]”  The five “roadmap” topics are:

  • Crypto-asset safekeeping and traditional custody services.
  • Ancillary custody services.
  • Facilitation of customer purchases and sales of crypto-assets.
  • Issuance and distribution of stablecoins.
  • Activities involving the holding of crypto-assets on balance sheet.

In other words: although the Joint Statement provides no concrete details, stay tuned for greater clarity throughout 2022 for banks regarding crypto-assets and related safety and soundness issues.  In theory, this potential regulatory clarity sounds promising – but of course, the devil is in the details, and the final product will need to judged according to its actual utility.  The Joint Statement also notes that the Agencies will evaluate bank capital and liquidity standards for crypto assets for activities involving U.S. banking organizations.

OCC Interpretive Clarification

The OCC’s Interpretive Letter #1179 refers back to three prior OCC Interpretive Letters:

  • OCC Interpretive Letter 1170, issued on July 22, 2020 and addressing whether banks may provide cryptocurrency custody services;
  • OCC Interpretive Letter 1172, issued on September 21, 2020 and addressing whether banks may hold dollar deposits serving as reserves backing stablecoin in certain circumstances; and
  • OCC Interpretive 1174, issued on January 4, 2021 and addressing (1) whether banks may act as nodes on an independent node verification network (e., distributed ledger) to verify customer payments, and (2) whether banks may engage in certain stablecoin activities to facilitate payment transactions on a distributed ledger.

All three of the above interpretive letters found that banks could perform the activity under consideration, if certain conditions were met.  Distilled, Interpretive Letter #1179 confirms that the activities described in the prior interpretive letters are “legally permissible for a bank to engage in, provided the bank can demonstrate, to the satisfaction of its supervisory office, that it has controls in place to conduct the activity in a safe and sound manner.”  Importantly, a national bank or federal savings association wishing to engage in any of the activities described above must notify in writing its supervisory regulator, and should not engage in such activities until it receives written notification of the supervisor’s “non-objection.”  As always, the adequacy of the bank’s risk management systems will be critical to this determination.  To obtain supervisory non-objection, a bank must demonstrate in writing that it understands any relevant compliance obligations, including under the Bank Secrecy Act, federal securities laws, the Commodity Exchange Act, and consumer protection laws.  Once a bank has received supervisory non-objection, the OCC will review these activities as part of its ordinary supervisor process.  It is unclear how fact regulators will act – or not – on requests for non-objection before the Agencies issue the clarity promised by “road map” sometime in 2022.

Interpretive Letter #1179 provides that banks already engaged in cryptocurrency, distributed ledger, or stablecoin activities as of the date of the letter do not need to obtain supervisory non-objection, assuming that they previously notified their supervisory offices and have adequate systems and controls in place to ensure that they are operating in a safe and sound manner.

The California Department of Financial Protection and Innovation (DFPI) is seeking comments on a proposed rulemaking under the California Consumer Financial Protection Law (CCFPL).  The proposal would implement the authority that the CCFPL gives the DFPI to require companies that provide financial products and services to California consumers to register with the DFPI and to require registered companies “to generate and provide records to facilitate oversight of registrants and detect risks to California consumers.”  Comments must be submitted by December 20, 2021.

The proposal would require businesses that provide the following financial products and services to register with the DFPI:

  • Debt settlement
  • Student debt relief
  • Education financing
  • Wage-based advances

With regard to education financing, there are no exceptions for open-end credit, loans secured by real property or a dwelling, or school payment plans or short term extensions of credit.  The DFPI states in its Invitation for Comments that the registration requirement would apply to providers of any form of credit where the credit’s purpose is to fund postsecondary education “regardless of whether the provider labels the credit a loan, retail installment contract, or income share agreement, and regardless of whether the credit recipient’s payment obligation is absolute, contingent, or fixed.”

The proposal prohibits a person, unless exempt, from offering or providing these products and services to a California resident without first registering with the DFPI.  It provides that registering with the DFPI “does not constitute a determination that other laws, including other licensing laws under the commissioner’s jurisdiction, do not apply” and that “granting registration to an applicant does not constitute a determination that the applicant’s acts, practices, or business model complies with any law or regulation.”

The proposal sets forth registration application procedures and designates the Nationwide Multistate Licensing System & Registry to handle all applications, registrant filings, and fee payments on behalf of the DFPI.  It also requires registrants to pay annual assessments and satisfy annual reporting requirements.


On November 22, 2021, the CFPB filed its seventh status report with the California federal district court hearing the lawsuit brought by the California Reinvestment Coalition, National Association for Latino Community Asset Builders, and two individual plaintiffs in 2019.  The purpose of the suit was to force the Bureau to issue a proposal implementing the small business data requirements of Section 1071 of the Dodd-Frank Act of 2010 after years of delay.  In the status filing, new CFPB Director Rohit Chopra, who was appointed to that role on October 12, 2021, was automatically substituted for Acting Director Dave Uejio as a defendant under the federal rules of civil procedure.

The status report reiterates the fact that the CFPB has met the deadlines to date under the Stipulated Settlement Agreement with the plaintiffs, including issuing the Small Business Regulatory Enforcement Fairness Act (“SBREFA”) outline on September 15, 2020; convening a SBREFA panel on October 15, 2020; and completing the SBREFA report on December 14, 2020.  Most recently, the Bureau met the deadline for issuance of the Section 1071 notice of proposed rulemaking (“Section 1071 NPRM”), which was due on September 30, 2021, but published slightly earlier on September 1, 2021.  The status report notes that comments on the Section 1071 NPRM are due by January 6, 2022.

Importantly, the status report indicates that after the Section 1071 NPRM rulemaking concludes, the CFPB will meet and confer with plaintiffs regarding an “appropriate deadline” for issuance of the final rule, consistent with the Stipulated Settlement Agreement.

In September 2021, Ballard Spahr attorneys held a webinar on the Section 1071 NPRM.  We also discussed the NPRM in a two-part podcast.  Click here to listen to Part I and here to listen to Part II.

Last week, the U.S. Court of Appeals for the Eleventh Circuit ordered rehearing en banc in Hunstein v. Preferred Collection and Management Services, Inc.  Yesterday, the Eleventh Circuit issued a memorandum indicating that for purposes of the en banc rehearing, the Court wants counsel to focus their briefs on the question: “Does Mr. Hunstein have Article III standing to bring this lawsuit?”

The Court also directed Preferred Collection and Mr. Hunstein to serve and file their briefs by, respectively, December 23, 2021 and January 18, 2022.  An en banc reply brief must be filed by February 1, 2022 and oral argument will be conducted during the week of February 21, 2022.

Although the Court has asked the parties to focus their briefs on Mr. Hunstein’s Article III standing, the Court could still reach the question of whether Mr. Hunstein has stated a FDCPA claim and conclude that he has not.  In the rehearing, the Court must decide whether to affirm or reverse the district court’s dismissal of the complaint for failing to state a claim.  The district court concluded that Mr. Hunstein had not sufficiently alleged that the debt collector’s transmittal of information to the vendor violated Section 1692c(b) of the FDCPA because the transmittal did not qualify as a “communication in connection with the collection of any debt.”

If the Eleventh Circuit concludes that Mr. Hunstein has Article III standing, it could also decide to affirm the district court’s dismissal for failure to state a FDCPA claim.  Alternatively, if the Eleventh Circuit rules that Mr. Hunstein does not have standing, it might still consider whether Mr. Hunstein has stated a FDCPA claim but any such discussion would be dicta.

The Federal Reserve Bank of Kansas City recently issued a research briefing titled “The Appeal and Proliferation of Buy Now, Pay Later: Consumer and Merchant Perspectives.”

The briefing divides buy now, pay later (BNPL) products into two main types based on how they are offered to consumers.  One type is offered directly to consumers by fintechs before a purchase is made and the other is offered during a purchase through a merchant who partners with a fintech or financial institution.  According to the briefing, the first type of BNPL products generally target millennials, Gen Z consumers, and financially underserved consumers such as those with no or bad credit.  The second type of BNPL products targets broader consumer segments, offers longer-term installments, and tend to have higher credit limits.

The briefing compares BNPL to other installment options, such as layaway and credit cards.   It finds that BNPL products allow consumers with no or bad credit who do not qualify for credit cards to access goods and services.  It describes interest-free BNPL products and layaway as comparable in their terms and costs but observes that BNPL allows consumers to take immediate possession of a product at the point of sale while layaway requires the consumer to wait until the product has been paid for in full.  In addition, if the use of layaway requires a service fee, BNPL can be the least expensive method of payment.  It also notes that interest-bearing BNPL products may be less expensive than credit cards because the average interest charge for BNPL is typically lower.

The briefing also discusses the risks to consumers (such as encouraging spending) as well as the benefits and risks to merchants who adopt BNPL products.

In July 2021, the CFPB published a blog post warning consumers of the risks of BNPL products.   Ballard Spahr held a webinar in August 2021, “Buy-Now-Pay-Later Credit: What You Need to Know.”

At an industry fair lending conference last week, officials from the U.S. Department of Justice (“DOJ”), the CFPB, and the U.S. Department of Housing and Urban Development (“HUD”) outlined fair lending priorities for their agencies.  These represent the first remarks by these regulators following the DOJ’s announcement of its major new “Combatting Redlining Initiative” on October 22, 2021, and it was the topic of each of their presentations.  Although the DOJ officials’ remarks largely reflected the press release concerning the new anti-redlining initiative, a few new revelations came to light related to both DOJ’s initiative and the CFPB’s general and fair lending priorities under its new Director Rohit Chopra.

DOJ.  Keynote speaker Kristen Clarke, the new Assistant Attorney General (“AAG”) for the DOJ’s Civil Rights Division, explained the agency’s “Combatting Redlining Initiative” and partnership with other federal and state agencies.  She stated that fair lending is “one of most significant issues of our time,” and that the Civil Rights Division is “compelled to tackle this issue [of redlining] head-on” because of the “widespread practice” in the lending industry and the fact that large homeownership disparities still exist in the U.S. along racial, ethnic and national origin lines.

AAG Clarke explained that the DOJ’s new initiative is the “most aggressive and coordinated effort” to address redlining to date.  She noted that the agency will work with the CFPB, HUD, prudential regulators, and U.S. Attorneys’ Offices and state attorneys general to carry out its initiative using a “whole of government” approach to root out redlining practices on a broad geographic scale.

AAG Clarke further explained that DOJ plans to investigate lenders of all types and sizes for redlining practices, including non-depository institutions that now originate the majority of residential mortgages in the U.S, and noted that several investigations are already underway. She also discussed the list of factors used by the DOJ to determine whether a lender is engaged in redlining activities.

Furthermore, AAG Clarke dwelt on the recent Cadence Bank and Trustmark National Bank redlining settlements, stating that the significance of those settlements is not just about the dollar amount, but DOJ’s goal to repair “decades of discrimination.”  She also noted that redlining settlements can ultimately benefit the health of institutions and their surrounding communities.

AAG Clarke further noted that DOJ seeks to work “cooperatively and collaboratively” with institutions to address the “deep-seated” redlining problem and wants to make a “positive and lasting impact”on the state of fair lending in the U.S.  She also noted that the DOJ will continue to pursue investigations and enforcement actions when discrimination is detected in underwriting and pricing in other types of lending beyond mortgage lending, broadly including “all types of discrimination acs the lending process and credit markets.”

In a separate panel, Jon Seward, who is Principal Deputy Chief of the Housing and Civil Enforcement Section, Civil Rights Division at DOJ, indicated that “in the not too distant future,” DOJ plans to announce an enforcement action against a non-depository institution.  Although the CFPB filed a redlining lawsuit against Townstone Financial, Inc., a nonbank mortgage lender, in 2020, the DOJ has not previously pursued redlining allegations against nonbanks, so this will break new ground for that agency.

CFPB.  Patrice Ficklin, Fair Lending Director of the CFPB, was also a keynote speaker.  She began her remarks by noting the profound impact the COVID-19 pandemic has had on low- and moderate-income communities and people of color, and the CFPB’s goal to promote equitable and inclusive economic recovery for all consumers.

Director Ficklin proceeded to outline the Bureau’s three key priorities under new Director Chopra’s leadership:

  1. Stimulate greater competitive intensity in the consumer financial services market.  She noted that greater competitive intensity would benefit individuals and families, citing the “dearth of competition” in the mortgage refinance market for individuals of color.  In keeping with Director Chopra’s priorities honed during his recent tenure as an FTC commissioner, the CFPB will pay close attention to practices that may hamper competition by “dominant incumbents,” including those in Big Tech.
  1. Sharpened focus on repeat offenders that violate agency or court order.  Director Ficklin noted that the Bureau has entered into a substantial number of consent orders and will closely monitor compliance with them.  When needed, the CFPB will work closely with state and federal regulators to address non-compliance and fashion appropriate remedies.
  1. CFPB will look for ways to restore relationship banking in an era of Big Data.  As artificial intelligence and machine learning credit models proliferate, there is less transparency into how credit decisions are made through “black boxes” today, and sometimes those practices can reinforce bias and discrimination.  According to Director Ficklin, preserving relationship banking is “crucial to our nation’s resilience and recovery, particularly during times of stress.”

Director Ficklin then outlined the Bureau’s fair lending priorities:

  • Redlining.  She noted that redlining has been a top priority since the Bureau’s inception in 2011 and both the Trump and Biden administrations, and that the CFPB intends to take “fresh approaches,” citing the DOJ’s anti-redlining initiative.  She also underscored Director Chopra’s remarks at the DOJ press conference announcing the initiative that the CFPB will focus on digital redlining going forward, including concerns about “black box” algorithms that may reinforce biases that already exist.
  • Appraisal bias.  She noted this was one of Director Chopra’s key priorities.  She explained that home valuations have traditionally been based on human judgment and discretion, and additional objective controls are needed.  The CFPB has already held meetings with industry representatives concerning the policies, procedures and controls currently in use to better understand valuation issues.  The Bureau is also partnering with the FHFA and prudential agencies on a long-standing rulemaking for QC standards for automated valuation methods stemming from a requirement in the Financial Institutions Reform, Recovery and Enforcement Act of 1989, which is currently in the pre-rule stage.  An interagency taskforce established in June by President Biden is expected to issue a report with recommendations in the future.
  • Special purpose credit programs (“SPCPs”).   Also a top priority of Director Chopra, the CFPB seeks to promote usage of SPCPs to increase equitable access to credit.  Ms. Ficklin noted the Bureau’s December 2020 guidance on SPCPs and encouraged lenders to reach out to CFPB to discuss plans to launch an SPCP.
  • Small business lending.  The CFPB issued a notice of proposed rulemaking that would implement Section 1071 of the Dodd-Frank Act in September 2021, and Ms. Ficklin encouraged public comments, which are due on January 6, 2022.  She noted that the Bureau also launched a small business webpage on its website, including a “tell your story” portal for small business applicants to share their stories about applying for credit to help the CFPB better understand the small business lending market.
  • Limited English Proficiency (“LEP”) consumers.  She noted that LEP individuals face unique challenges in learning about and accessing consumer financial products and services because disclosures are generally not available in non-English languages.  She briefly explained the CFPB’s LEP guidance issued in January 2021 that sought to provide better guidance to the industry on serving LEP consumers, and in September 2021, the Bureau’s publication of a blog post on how mortgage lenders can better serve LEP borrowers.
  • Focus on unfairness and discrimination in examinations and supervision.  Ms. Ficklin stressed that violations of law will not be tolerated, especially during the pandemic.  In the CFPB’s quest to advance racial and economic equity, the Bureau has now increased resources targeted toward small business lending.  The CFPB will also pursue “other illegal practices outside of ECOA and HMDA,” with the goal of using its authority to narrow the racial wealth gap and ensure markets are clear, transparent and competitive.  Again, Director Chopra’s focus on anticompetitive market behavior appears to be evident in her remarks.

HUD.  David Enzel, who is the General Deputy Asst. Secretary for Fair Housing, at HUD, also expressed his concerns about redlining practices.  He noted that HUD maintains a dedicated team in Washington focused on that topic and that several “significant issues” are currently underway at the agency.  Mr. Enzel encouraged proactive use of “second look” review programs for both credit applications and low appraisals and close review of advertising practices for intentional and unintentional bias, especially those that are digital and custom-tailored to individuals, which can sometimes be based on race and ethnicity factors.