REGular Blog: Weekly Roundup: July 26th

Happy Friday everyone! Summer is FLYING by - it's hard to believe it's almost August already! I was on site at a credit union this morning doing some training for some of their supervisory committee members when the conversation turned to back-to-school preparations. Hard to believe! As we wrap up July and head into August, lets take a look at some of this week's developments in regulatory compliance.

NCUA

Last Friday a faulty update from global cybersecurity firm Crowdstrike caused a massive IT outage across the world. Airlines, payments systems, stock exchanges, and many other industries saw outages and disruptions. There have been lingering effects - it took Delta Airlines until yesterday to normalize operations. 

Whether or not your credit union or your vendors were impacted, an incident like this is a reminder of the NCUA's 2023 cybersecurity reporting rule. Effective in September of last year, the rule requires credit unions to notify the agency of reportable cybersecurity incidents within 72 hours. We have a full detailed post on the Agency's guidance on how to make a report here.

Now is a great time to make sure your incident response plans are up to date, not just in terms of resuming operations but also with complying with incident reporting requirements like this one.

Also last Friday the NCUA issued a press release that they and the other banking regulators are requesting comments on a proposal to update the BSA/AML requirements for financial institutions. The new rule would require a formal AML/CFT risk assessment that would be integrated into other elements of the FI's AML program. We have two recent posts going in depth on the proposed rule and its impact on the existing BSA pillars here and here. We'll be submitting comments on the proposed rule.

CFPB

Late last week the CFPB issued a proposed interpretive rule on earned wage access (EWA) products. If finalized, the rule would clarify that EWA products are credit and are subject to the requirements of TILA and Reg Z. It would also clarify that the tips sometimes associated with EWA would be considered "finance charges."

EWA is a growing area with providers giving customers advances on their paychecks. Generally, the customer is provided early access to their wages rather than having to wait until payday, and they pay back the advance once their payroll hits, sometimes with the option to leave a "tip" for the service. Two different models have emerged - one where the EWA provider works directly with the consumer and one where the EWA provider partners with an employer to offer early access to earned wages to its employees.

This new proposed rule would reverse a November 2020 advisory opinion which stated that EWA products did not involve the extension of credit as defined in Reg Z and TILA. The proposed rule has a 60 day comment period, and comes amidst many states trying to enact laws to properly regulate EWA. Here in Virginia, the 2023 session saw two competing bills on EWA regulation, neither of which was passed into law. Most states have yet to take a stance on regulating EWA, though a handful of states have enacted laws which specify that EWA products are not loans or credit under state law.

This is an evolving area and between new technology, a patchwork of regulatory structures, and changing views from the CFPB across administrations, things may get murkier before they get clearer.

The CFPB also this week issued a circular to law enforcement agencies and financial regulators on whistleblower protections. The circular describes how confidentiality agreements, depending on how they are worded, "could lead an employee to reasonably believe that they would be sued or subject to other adverse actions if they disclosed information related to suspected violations of federal consumer financial law to government investigators." The circular explains that financial institutions may violate the law by forcing employees to sign broad NDAs that discourage cooperation with law enforcement. 

That's all for this week - I hope everyone has a great weekend. The League will be in Williamsburg next week hosting the 2024 Southeast Regional Directors and Volunteers Conference. I'm also looking forward to watching some Olympics coverage this weekend and over the next few weeks. We'll be back soon with more developments in regulatory compliance.