LAW OR REGULATION

HIGH-LEVEL DESCRIPTION

Credit

• Prohibits creditors from discriminating against credit applicants on the basis of race, color, religion, national origin, sex, marital status, or age, or because all or part of the applicant’s income derives from any public assistance program, or because the applicant has in good faith exercised any right under the federal Consumer Credit Protection Act or any applicable state law
• Covers both disparate treatment and disparate impact claims
• Requires creditors to provide borrowers with notice of any action taken on their application for credit

• Provides meaningful disclosure of credit costs and terms to promote the informed use of consumer credit. The uniformity of disclosures is intended to assist consumers in comparison shopping for credit.
• Protects consumers against unfair credit billing and credit card practices
• Regulates credit advertising

• Requires a permissible purpose to obtain a consumer credit report
• Requires furnishers of information to credit bureaus to implement policies and procedures concerning the accuracy and integrity of the information they furnish and to address consumer disputes about information furnished
• Imposes disclosure requirements on creditors who take adverse action on credit applications or charge more for credit based on information in a credit report
• Requires creditors to develop and implement an identity theft prevention program

• Provides guidelines and limitations on the conduct of third-party debt collectors in connection with the collection of consumer debts
• Limits certain communications by debt collectors; imposes notice and debt validation requirements; and prohibits false and misleading representations, harassing or abusive conduct, and unfair practices in collecting a debt

• Allows servicemembers entering active duty to have the interest rate on debts incurred prior to service reduced to 6 percent
• Protects active duty servicemembers from default judgments and allows them to obtain a suspension of civil proceedings if their service prevents them from appearing to defend a collection action

• Imposes a rate cap of 36 percent on the Military Annual Percentage Rate for credit extended to active duty servicemembers and their dependents and imposes additional restrictions to protect covered borrowers

• Allows a national bank to charge the highest rate allowed for a state-chartered bank in the national bank’s home state, regardless if the customer is located in- state or out-of-state
• Permits a state-chartered bank to charge the “highest” allowable rate permitted under its home state law to out-of-state customers as well as in-state customers, the same way a national bank could

Privacy and Data Security

• Limits when a financial institution may disclose a consumer’s nonpublic personal information to nonaffiliated third parties
• Requires financial institutions to notify their customers about their information-sharing practices and to tell consumers of their right to opt out if they do not want their information shared with certain nonaffiliated third parties

• Requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

Bank Secrecy Act

• Requires financial institutions to implement anti-money-laundering procedures, apply customer verification program rules, and report suspicious activity that meets a certain dollar threshold

Other

• Prohibits unfair or deceptive acts or practices in trade or commerce

• Prohibits unfair, deceptive, or abusive business acts or practices

• Provides certain consumer rights regarding the electronic transfer of funds to and from consumers’ bank accounts
• Requires disclosure of terms and conditions of electronic transfers, limits consumer liability for unauthorized transfers, establishes procedures for recurring preauthorized transfers, and establishes error resolution procedures

• Authorizes the use of electronic records and signatures to create legally valid and enforceable agreements
• Requires businesses to obtain consumers’ affirmative consent before using electronic records or signatures to comply with a legal requirement to provide information in writing

• Provides federal banking agencies with the authority to regulate and examine the performance of certain services by a third-party service provider for a depository institution (or for any subsidiary or affiliate of a depository institution that is subject to examination by that agency) “to the same extent as if such services were being performed by the depository institution itself on its own premises”
• The federal banking agencies may also have enforcement authority against a third-party service provider (considered to be an institution-affiliated party) and in other circumstances under the Federal Deposit Insurance Act.

• Requires that firms or sole practitioners who are compensated for advising others about securities investments register with the U.S. Securities and Exchange Commission and conform to regulations designed to protect investors

GUIDANCE LETTER

HIGH-LEVEL DESCRIPTION

Working with Third Parties²

• Addresses outsourced activities performed by traditional core bank processing and information technology service providers as well as operational activities such as accounting, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing
• Highlights the potential risks arising from the use of service providers
• Describes the elements of an appropriate service provider risk management program
• Supplements existing guidance on technology service providers (TSP) issued by the Federal Financial Institutions Examination Council (FFIEC)

• Explains that it is contrary to Federal Reserve regulation and policy for agreements to contain confidentiality provisions that (1) restrict the banking organization from providing information to Federal Reserve supervisory staff; (2) require or permit, without the prior approval of the Federal Reserve, the banking organization to disclose to a counterparty that any information will be or was provided to Federal Reserve supervisory staff; or (3) require or permit, without the prior approval of the Federal Reserve, the banking organization to inform a counterparty of a current or upcoming Federal Reserve examination or any nonpublic Federal Reserve supervisory initiative or action
• Notes that banking organizations that have entered into agreements containing such confidentiality provisions are subject to legal risk

Credit

• Provides guidance on private student loans with graduated repayment terms at origination

• Discusses banking agencies’ views on prudent lending practices for creditworthy small business borrowers

• Provides examination procedures for regulations implementing the following three provisions of the FCRA, as amended by the Fair and Accurate Credit Transactions Act:
  • Duties of users regarding address discrepancies (12 CFR 222.82) (Address Discrepancy rule)
  • Duties regarding the detection, prevention, and mitigation of identity theft (12 CFR 222.90) (Identity Theft Red Flags rule)
  • Duties of card issuers regarding changes of address (12 CFR 222.91) (Card Issuer rule)

Technology

• Announces the revised FFIEC information security booklet, which highlights characteristics of effective information security programs
• Includes examination procedures for cybersecurity threats and resource requirements
• Reviews the stages of an IT risk management program

• Addresses the agencies’ statutory authority to supervise third-party servicers that enter into contractual arrangements with regulated financial institutions
• Outlines the agencies’ risk-based supervisory program
• Emphasizes that a financial institution’s management and board of directors have the ultimate responsibility for ensuring outsourced activities are conducted in a safe and sound manner and comply with applicable laws and regulations

• Addresses the need for risk-based assessments, customer awareness, and security measures to reliably authenticate customers accessing financial institutions’ Internet-based services
• Emphasizes that the agencies consider single-factor authentication, if it is the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or moving funds to other parties. Supplemented by SR 06–13, which includes an FAQ to assist institutions and TSPs in conforming to the guidance, and by SR 11–9, which updates agencies’ expectations for supervised financial organizations regarding customer authentication, layered security, and other controls

• Establishes standards for financial institutions related to administrative, technical, and physical safeguards for customer records and information

• Focuses on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services

Bank Secrecy Act

• Provides an overview of the Unlawful Internet Gambling Enforcement Act of 2006
• Sets forth procedures for reviewing compliance by institutions with the joint rule of Treasury (31 CFR Part 132) and the Board (12 CFR Part 233)

• Clarifies the requirements of the Bank Secrecy Act and anti-money-laundering regulations in relation to the provision of banking services to money services businesses operating in the United States

• Describes current issues in providing banking services to money service businesses and the views of the Federal Reserve, the other federal financial institutions supervisory agencies, and the Financial Crimes Enforcement Network about assessing and controlling the varying levels of risk associated with such accounts

Other

• Provides guidance to banking organizations and supervisors concerning model risk management, including model validation