Dive into this month's regulatory update as we explore CFPB's stance on data security, FHFA requirements to maintain fair lending data, stances on CRE loan accommodations, consideration of the future of FFIEC’s CAT, and cybersecurity assessments for nonbanks. Stay informed and ahead of the curve!
The CFPB released a bulletin stating that security deficiencies can be considered deceptive practices under the UDAAP framework. Data breaches can cause substantial harm to consumers, are not easily avoidable, and have no countervailing benefits. The guidance emphasizes multi-factor authentication, strong passwords, and timely patching of vulnerabilities.
FHFA announced that Fannie Mae and Freddie Mac will require mortgage servicers to collect and maintain fair lending data, including borrower demographics. The requirement takes effect March 1, 2023, but servicers are encouraged to implement it earlier. HUD also announced that FHA lenders must obtain a Unique Entity Identifier (UEI) by December 31, 2022; the UEI is used to track non-federal entities doing business with the government. Institutions need to prepare for compliance, including training and incorporating the UEI in applications.
The OCC, FDIC, and NCUA proposed an updated policy statement on prudent commercial real estate loan accommodations and workouts. It emphasizes working constructively with borrowers, provides examples, and aims to promote supervisory consistency while ensuring credit availability to sound borrowers. Institutions can provide feedback by October 3.
Regulators are seeking industry feedback on the FFIEC's Cybersecurity Assessment Tool (CAT). It's rumored that the OCC may develop its own tool, but no official version has been released. Use of the CAT is voluntary, but baseline cybersecurity preparedness is crucial. The Federal Reserve issued guidelines for reviewing access to Federal Reserve master accounts and payment services, aiming to make the application process more transparent.
The California Attorney General's first public enforcement action under CCPA was against Sephora for allegedly failing to comply with disclosure and opt-out requirements related to third-party tracking. The settlement highlights that analytics cookies are considered a sale, GPC compliance is mandatory, and CCPA enforcement is active. Businesses subject to CCPA should review their use of cookies, update privacy notices, ensure third-party agreements comply, implement opt-out mechanisms, and prepare for upcoming CPRA changes.