Our Take: financial services regulatory update – June 16, 2023

On June 5th, the SEC brought a series of charges against digital asset trading platform Binance, which the complaint describes as “the largest crypto asset trading platform in the world.” The charges allege that the organization secretly allowed high-value US customers to trade on the non-US version of its platform and falsely claimed that its US and non-US platforms were independent. They also allege that Binance commingled customer assets, misled investors about trading controls, and operated unregistered exchanges, broker-dealers and clearing agencies. The following day, the SEC charged digital asset trading platform Coinbase with operating as an unregistered exchange, broker-dealer and clearing agency as well as engaging in an unregistered securities offering through its staking-as-a-service program. Both lawsuits taken together describe 19 different assets as “securities,” although neither includes the two largest digital assets by market capitalization, Bitcoin and Ethereum.

Following these actions, SEC Chair Gary Gensler explained in a speech that the “vast majority” of digital assets fit the definition of a security as they are generally used as investment contracts rather than currency, noting that many assets have websites, social media accounts and marketing events to promote their attractiveness as investments. He stated that, accordingly, firms offering services related to digital assets are either required to register with the SEC or meet requirements for an exemption. Noting that some have accused the agency of not providing a clear path for registration, he pointed to a recent approval of a digital asset broker-dealer and stated that existing rules make the path to registration clear. He then highlighted the agency’s charges against Binance and Coinbase and promised that it will continue to take action against digital asset firms that run afoul of securities laws.

During a House Financial Services Committee (HFSC) hearing on digital assets, Republicans including HFSC Chair Patrick McHenry (R-NC) criticized the SEC’s actions, stating that the agency is “picking winners and losers based on inconsistent factors.” They generally called for regulatory clarity to avoid pushing innovation outside of the US and into jurisdictions that do not provide adequate oversight and supported recent draft legislation introduced by McHenry and Senate Banking Committee Ranking Member Tim Scott (R-SC) that would put most digital assets under the authority of the CFTC. Many Democrats expressed their opposition to the legislation, stating that it would reduce the SEC’s authority and would not prohibit certain conduct such as commingling of investor funds. However, Representatives from both sides expressed a willingness to work together on legislation and supported actions to provide regulatory clarity, including around asset classification.

Our Take

The SEC’s continued string of lawsuits, this time against two of the largest digital asset exchanges, along with Gensler’s pledge to continue taking action against digital asset firms that are out of compliance with securities laws puts all industry participants on notice: the agency is coming and the time to act is now. As a key theme of recent enforcement actions has been registration, firms need to either prepare to register their products and services with the agency or develop an alternative plan. Just last week, Crypto.com announced that they will discontinue certain US operations supporting assets that were specifically called out as securities in the SEC’s filings. While the SEC’s view that virtually all digital asset firms must register will be challenged in court and could potentially be tempered by legislation, it will be a long wait for any court decision or Congressional action and any potential outcome remains unclear. In the meantime, the agency’s enforcement streak will continue.

Aside from registration, other key themes of enforcement actions have included failure to segregate customer assets and failure to mitigate conflicts of interest. Having policies and controls to make sure that customer assets are segregated and separating broker, clearing and exchange functions will not only be essential for SEC compliance but will also prepare firms for other regulatory regimes such as the CFTC’s expectations and the New York State digital assets legislation. Firms offering broker-dealer services should also consider whether their customer communications could be construed as investment advice and implement policies and controls around suitability. Fraud and manipulation also remain key concerns for the SEC and other regulators, and as such firms should be scrutinizing all of their public statements to confirm that they do not mislead customers around issues such as the profitability of certain assets, the security of their funds and bankruptcy protections.

On June 1st, the Fed, OCC, FDIC, CFPB, NCUA and FHFA (the Agencies) released a joint proposal that would require that mortgage originators and secondary market issuers adopt quality control standards for the use of automated valuation models (AVMs), which it notes are increasingly used in the mortgage industry as part of the real estate valuation process to reduce costs and increase speed. Specifically, it would require that firms adopt policies, procedures and controls designed to: (a) ensure a high level of confidence in estimates; (b) protect against data manipulation; (c) avoid conflicts of interest; (d) require random sample testing and reviews; and (e) comply with nondiscrimination laws.

The proposal notes that the Agencies debated whether to issue a set of prescriptive rules or principles-based guidance and decided upon the latter. Accordingly, it does not set specific requirements for how institutions are to implement and structure the quality standards for their AVM use, explaining that the principles-based approach provides the flexibility to set quality controls based on the size of the institution as well as the risk and complexity of their practices. As modeling technology continues to evolve, this flexible approach would also allow institutions to refine their policies, practices, procedures, and control systems as appropriate.

In the proposal, the Agencies define the scope of the rule fairly narrowly to cover (a) use for determination of collateral value for credit decisions, which would exclude other uses such as monitoring value over time or validating an already completed valuation; (b) direct use of AVMs in determining the collateral value, which would exclude use of AVMs by qualified appraisers to assist with value determination; (c) valuation of residential collateral as part of consumer lending, which would exclude any application of AVMs in commercial lending, including small business loan underwriting; (d)v valuation of the consumers’ primary dwelling, which would exclude any application of AVMs for underwriting investment properties or second homes; and (e) use only by mortgage originators and secondary market issuers. The proposal will be open for comment for 60 days following publication in the Federal Register.

Our Take

Many industry participants commented that they would prefer that the proposal take a principles-based approach, and while the proposal’s flexibility and lack of prescriptive requirements will largely be welcomed by those commenters, its very high-level principles may not provide sufficient detail for firms to interpret and implement accurately and effectively in certain areas. For example, as many firms, especially smaller organizations, rely on vendor off-the-shelf AVMs, it may not be clear how they can protect against data manipulation if they have no control over or insight into what data their vendors use to develop the models and how the data was processed.

Similarly, we expect that firms using vendor off-the-shelf AVMs will find it difficult to determine how they can comply with applicable nondiscrimination laws. In addition to facing the same transparency obstacles described above, many smaller firms likely have transaction volumes that are too low to meaningfully test valuations for discriminatory biases. Applying commonly-used disparate impact measurement approaches would also be very challenging due to the fact that (a) it is impossible to measure “actual” real estate value as the basis for determining AVM error; and (b) identification of “similarly situated” properties for fair comparison requires significant simplifying assumptions.

Other proposed requirements are more straightforward. For example, firms would be able to comply with the requirements to ensure confidence in estimates and require random sample testing by leveraging existing detailed regulatory guidance, such as the interagency guidance on model risk management. The requirement to “avoid conflicts of interest” may also be straightforward to implement, at least as it relates to the risk that an entity may “cherry pick” one preferred AVM value out of a range of values they can access from different vendor and/or internal automated valuation models. There are existing industry practices for developing and maintaining robust multi-model AVM cascades that encompass measurement and reporting of a range of accuracy, bias and coverage metrics that entities can leverage to address this proposed requirement.

On June 14th, the OCC released its spring 2023 Semiannual Risk Perspective. The report covers recent bank failures, explaining that rising interest rates have caused depreciation in investment portfolios while noting that liquidity levels have increased following the failures. It notes that credit risk remains moderate in aggregate, although signs of stress in commercial real estate (CRE) are increasing and the impact of inflation and rising interest rates are causing credit conditions to deteriorate. As it did in its previous risk perspective, the OCC continues to describe operational risk as “elevated,” citing cybersecurity threats as well as risks associated with increased digitization, reliance on third parties, and use of aging technologies - which is discussed further in a “special topic” section. Similarly, it also notes elevated compliance risk due to the rapid pace of technological innovation and new offerings.

The report also provides an update on the OCC’s work regarding climate-related risk, noting that it is currently considering comments on the draft risk management principles it published last December and working with the Fed and FDIC on next steps. Meanwhile, it notes that the OCC is continuing to conduct supervision of climate-related financial risk management practices at banks with over $100 billion in total consolidated assets and states that it “anticipates that all large banks will need to increase their capabilities, investments in data, and sophistication of their analysis to be fully effective” in climate-related risk management. It also highlights risks related to digital assets, including volatility, high-risk lending, excessive leverage, interconnectedness, concentration and lack of comprehensive regulation.

In a press briefing alongside the report, Acting Comptroller Michael Hsu stated that OCC examiners are “on the balls of their feet” regarding issues such as concentration risk, capital and liquidity, and strong risk management across all areas (“not just headlines”). He also stated that banks should have communications programs in place that can respond clearly, credibly and promptly to questions from stakeholders regarding their condition and risk profiles. In response to questions, Hsu noted that the recent bank failures have pushed back the timeline for releasing a final Community Reinvestment Act rule, but he explained that the agency is still working “urgently” on the issue.

Our Take

The OCC’s latest risk perspective highlights a similar set of risks to past editions and the priorities in the Fed’s recent Supervision and Regulation Report. As the OCC was not the primary regulator of any of the failed banks and did not issue a report specifically on the failures, this risk perspective provides insight into the OCC’s views on the dynamics contributing to ongoing stress. These views closely align with the Fed’s and FDIC’s concerns about banks with concentrations in CRE, indicating that all of the bank regulators are closely monitoring this sector for further deterioration. Apart from economic conditions, the risk perspective devotes significant attention to the risks related to technology and digitalization. In light of the OCC’s warning about the cybersecurity implications of evolving technology, banks should consistently review the latest security practices and capabilities of malicious actors to maintain their ability to detect, assess and respond to threats. Banks should also note the OCC’s dedicated discussion of the risk of continued use of aging technology and end-of-life (EOL) systems as it indicates that examiners have seen issues with these practices across a number of banks. Accordingly, as banks consider technology investments, they should carefully weigh the costs of not updating legacy technologies which could include increased outages, security vulnerabilities, and manual workarounds.

On June 12th, FINRA released a concept proposal for a liquidity risk management rule intended to ensure that its members maintain sufficient liquidity under both normal and stressed conditions. The proposed rule would require broker-dealers to maintain a liquidity risk management program that includes capabilities for liquidity stress testing, a contingency funding plan and notification and reporting requirements to FINRA within prescribed timelines. FINRA expects that 125 members would be subject to the potential rule.

The proposal would also require that firms maintain sufficient liquidity on a current basis and lists eight conditions under which firms would be presumed to have insufficient liquidity. Specifically, firms will be presumed to have insufficient liquidity when (1) funds are borrowed from non-bank affiliates; (2) borrowing more than 70% of customer debit balances that are secured by customer assets; (3) the reserve formula calculation is performed on an ad-hoc basis and outside regular scheduled calculations; (4) loan facilities, other than intraday, are reduced by more than 50% on a rolling 90-day basis; (5) secured financing agreements are reduced by more than 50% on a rolling 90-day basis; (6) intraday credit facilities at settlement banks or the member’s CCP intraday credit facility are reduced by more than 50% on a rolling 90-day basis; (7) the member firm has lost or is notified of losing access to settlement bank services; or (8) a CCP revokes membership at the CCP of a member firm or material restriction by CCP or settlement bank.

Firms that meet any one of the above conditions will have two business days to notify FINRA followed by a window of five days to rebut the presumption that it does not have sufficient liquidity. FINRA would be able to direct a member to take necessary measures, including restricting or suspending business, if the determination is ultimately made that the member lacks sufficient liquidity.

Our Take

This concept release reflects FINRA’s view that there is substantial variance in liquidity risk management practices across its members with instances of insufficient liquidity risk management still prevalent across those that are not affiliated with a bank holding company. Even before this concept is finalized, FINRA and SEC oversight of liquidity risk management is likely to continue to tighten, particularly in light of ongoing stress across the financial sector. As such, impacted firms should not wait to assess whether they meet any of the insufficient liquidity conditions and evaluate their current practices and capabilities against those outlined in the proposal. Even larger firms with more mature liquidity risk management programs may find that they need to make incremental enhancements to align with FINRA’s expectations for more standardized practices across its members.

These notable developments hit our radar this week:

• FSOC meets. On June 16th, the Financial Stability Oversight Council (FSOC) met to discuss the LIBOR transition and current banking system conditions, including interest rate risk and liquidity risk management and risks in the CRE market. The FSOC also extended the comment periods for its proposed guidance on nonbank financial company designations and its analytic framework for financial stability risk identification, assessment and response until July 27th.
• Hsu speaks on tokenization and artificial intelligence. On June 16th, Acting Comptroller Michael Hsu spoke on tokenization and artificial intelligence (AI) in banking, outlining his concerns about rapid innovation without sufficient risk management. He acknowledged the potential benefits of tokenization to settlement efficiency but noted that legal, risk, and compliance frameworks need further development. Similarly, he referred to both the potential benefits and challenges of AI as significant. In particular, he highlighted the unpredictability of AI models and potential misalignment with governance and accountability expectations. He also reiterated concerns raised by all of the regulatory agencies in recent years regarding potential bias and discrimination from AI models. He closed by urging banks to “(1) innovate in stages, (2) build the brakes while building the engine, and (3) engage regulators early and often.”
• Senate Banking leaders unveil executive compensation bill. On June 15th, Senate Banking Chair Sherrod Brown (D-OH) and Ranking Member Tim Scott (R-SC) released draft legislation that would allow the regulatory agencies and boards to claw back executive compensation from failed banks for two years following their failures. It would also increase the monetary amounts able to be clawed back.
• Chopra on the Hill. On June 14th, CFPB Director Rohit Chopra testified before the HFSC, highlighting the agency’s work around issues such as credit reporting, small business lending data collection and the LIBOR transition. He stated that current focus areas include nonbank supervision, risks associated with AI and firms that have demonstrated persistent weaknesses.
• SEC releases spring agenda. On June 13th, the SEC released its Spring 2023 Regulatory Flexibility Agenda. Among other items, the agency intends to finalize a number of rules by the end of the year, including those around private fund disclosures, investment adviser safeguarding of client assets, investment adviser and investment company disclosures of environmental, social and governance (ESG) investment practices, cybersecurity risk management practices for advisers and funds, open-end liquidity risk management programs and swing pricing, and modernization of beneficial ownership reporting. In addition, the agenda highlights several potential new proposals, including one around conflicts of interest stemming from the use of predictive data analytics and similar technologies.
• Agencies propose guidance on reconsiderations of value. On June 8th, the Fed, CFPB, FDIC, NCUA and OCC proposed joint guidance on reconsiderations of value (ROV) for residential real estate transactions. The proposed guidance describes how financial institutions may enhance their ROV policies and processes to allow customers to provide new information or raise deficiencies in initial appraisals of residential real estate.
• Fed to announce stress test results June 28. The Fed announced that results from annual bank stress tests will be available on June 28th.