STATE GOVERNMENT RELATIONS
Indiana Statehouse Committee Assignments Released
Committee assignments for both the Indiana House and Senate have been released by their respective leaders. The IBA Government Relations Team works closely with multiple committees, particularly the House Financial Institutions and Insurance Committee and the Senate Insurance and Financial Institutions Committee. Click below to view committee assignments.
FEDERAL GOVERNMENT RELATIONS
NCUA Finalizes Controversial Rule Allowing CUs to Issue Subordinated Debt
In a move opposed by the banking industry, the National Credit Union Administration yesterday approved a final rule that would allow large credit unions to issue subordinated debt for regulatory capital purposes from outside for-profit investors—such as corporate debt markets—while maintaining their tax-exempt status. The banking industry had previously called for the proposal to be withdrawn, noting that it lacked both a reasonable basis—given the fact that the vast majority of credit unions currently meet the NCUA’s net worth and risk-based capital requirements—and a legal one, as the Federal Credit Union Act does not authorize the issuance of debt for capital purposes.
Security Vendor Reports Cyberattack Affecting Government, Private Clients
A major cyberattack announced over the weekend on SolarWinds – a security vendor that serves a wide range of military, private companies, government agencies and academic institutions – may have allowed hackers to gain access to the emails, systems and data of several of its clients, including the departments of the Treasury and Commerce, among others.
According to reports this weekend, suspected Russian hackers targeted SolarWinds’ Orion business software with a “supply chain attack” through which malicious code was embedded within a routine software update that was distributed to SolarWinds’ clients.
The Cybersecurity and Infrastructure Security Agency on Sunday issued an emergency directive noting that the breach “poses an unacceptable risk” and directing federal agencies to take steps to disconnect or shut down use of affected SolarWinds Orion products, among other measures. SolarWinds also issued a security advisory to its users with detailed instructions.
Read the SolarWinds security advisory
Senate Approves Defense Bill That Includes BSA/AML Changes
By a bipartisan vote of 84 to 13, the Senate last Friday passed the National Defense Authorization Act for fiscal year 2021, a bill that includes several critical improvements to anti-money laundering rules. Among other provisions, the bill directs the Financial Crimes Enforcement Network to establish and maintain a national registry of beneficial ownership information that banks may in turn rely on when complying with customer due diligence requirements.
The bill now goes to the president for signature. Although President Trump has threatened to veto the NDAA over other provisions, the House and Senate vote margins were large enough to overcome a veto.
FDIC Finalizes Rule on ILC Parent Companies
The Federal Deposit Insurance Corp. has finalized a rule to codify its capital, liquidity and source-of-strength requirements for industrial loan company (ILC) parent companies.
The rule will require covered parent companies to enter into written agreements with the FDIC and the ILC on the company relationship, require capital and liquidity support from the parent to the industrial bank, and establish recordkeeping and reporting requirements.
FDIC Approves Rule on Brokered Deposits, Rate Restrictions
The Federal Deposit Insurance Corp. has approved a final rule to establish a new framework for determining whether deposits made through deposit arrangements qualify as brokered deposits.
The rule establishes standards for determining whether an entity meets the statutory definition of “deposit broker.” It also identifies business relationships that automatically meet the “primary purpose exception.”
The final rule also amends the methodology for calculating the interest rate restrictions that apply to less-than-well-capitalized institutions.
Agencies Propose Rule Regarding Timely Notification of Cyberattacks
A new proposed rule by the federal banking agencies would require banks to notify their primary regulator within 36 hours of becoming aware that a “computer-security incident” or “notification incident” has occurred. The rule would also require bank service providers to notify “at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours.”
The rule defines a computer-security incident as an occurrence that: results in actual or potential harm to the confidentiality, integrity or availability of an information system or the information the system processes, stores or transmits; or constitutes a violation or imminent threat of violation of security policies, security procedures or acceptable use policies. It defines a notification incident as one that could materially disrupt, degrade or impair bank operations or the delivery of bank products and services, among other results. This notice requirement is intended to signal the occurrence of a significant material event; based on a review of FinCEN reports, the banking agencies anticipate that incidences of this type (such as ransomware, Trojan malware, zero day attack, etc.) occur approximately 150 times annually across the aggregate financial services industry.
Under the proposed rule, banks would be required to notify their regulator “as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred.” The agencies added that the requirement “is intended to serve as an early alert to a banking organization’s primary federal regulator and is not intended to provide an assessment of the incident.” The Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency have approved the proposal, and comments will be due 90 days after publication in the Federal Register.
FDIC Proposes to Allow Exemptions From SAR Requirements
To help banks develop more efficient and effective Bank Secrecy Act compliance programs, the Federal Deposit Insurance Corp. has issued a proposal that would allow the agency to issue exemptions from Suspicious Activity Report requirements, in conjunction with the Financial Crimes Enforcement Network. Comments on the proposal are due 30 days after publication in the Federal Register.
While FinCEN has authority to grant exemptions from SAR filing requirements, the FDIC’s current SAR regulations “contain a discrete set of filing exemptions pertaining to physical crimes (robberies and burglaries), and lost, missing, counterfeit or stolen securities.” Allowing the FDIC to grant exemptions where it deems appropriate will help reduce regulatory burden on banks while encouraging innovation in BSA/AML compliance, according to the agency.
IBA COVID-19 Updates
The IBA has several COVID-19 resources and updates available at our website.