TMCnet News

FDIC Seeks Comments on Electronic Operations Regulations
[July 21, 2014]



(Targeted News Service Via Acquire Media NewsEdge) Targeted News Service

WASHINGTON, July 21 -- The Federal Deposit Insurance Corporation published the following proposed rule in the Federal Register:

Transferred OTS Regulations Regarding Electronic Operations

A Proposed Rule by the Federal Deposit Insurance Corporation on 07/21/2014

Publication Date: Monday, July 21, 2014
Agency: Federal Deposit Insurance Corporation
Dates: Comments must be received on or before September 19, 2014.
Comments Close: 09/19/2014
Entry Type: Proposed Rule
Action: Notice of proposed rulemaking.
Document Citation: 79 FR 42231
Page: 42231-42235 (5 pages)
CFR: 12 CFR 390
RIN: 3064-AE19
Document Number: 2014-16975
Shorter URL: https://federalregister.gov/a/2014-16975


SUMMARY: In this notice of proposed rulemaking, the Federal Deposit Insurance Corporation ("FDIC") proposes to rescind and remove the regulations regarding electronic operations which were transferred to the FDIC from the Office of Thrift Supervision ("OTS") on July 21, 2011, in connection with the implementation of applicable provisions of Title III of the Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank Act"). There is no corresponding FDIC Electronic Operations rule and the rule is deemed obsolete and unnecessary. Therefore, the FDIC proposes to rescind and remove the regulations.

DATES: Comments must be received on or before September 19, 2014.

ADDRESSES: You may submit comments by any of the following methods:

FDIC Web site: http://www.fdic.gov/regulations/laws/federal/. Follow instructions for submitting comments on the agency Web site.

FDIC Email: [email protected]. Include RIN 3064-AE19 on the subject line of the message.

FDIC Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street NW., Washington, DC 20429.

Hand Delivery to FDIC: Comments may be hand-delivered to the guard station at the rear of the 550 17th Street building (located on F Street) on business days between 7 a.m. and 5 p.m.

Please include your name, affiliation, address, email address, and telephone number(s) in your comment. Where appropriate, comments should include a short Executive Summary consisting of no more than five single-spaced pages. All statements received, including attachments and other supporting materials, are part of the public record and are subject to public disclosure. You should submit only information that you wish to make publicly available.

Please note: All comments received will be posted generally without change to http://www.fdic.gov/regulations/laws/federal/, including any personal information provided. Paper copies of public comments may be requested from the Public Information Center by telephone at 1-877-275-3342 or 1-703-562-2200.

FOR FURTHER INFORMATION CONTACT: Frederick Coleman, Division of Risk Management Supervision, (703) 254-0452; Martha L. Ellett, Legal Division, (202) 898-6765; Jennifer Maree, Legal Division, (202) 898-6543.

SUPPLEMENTARY INFORMATION:

I. Background

The Dodd-Frank Act

Title III of the Dodd-Frank Act [1] provided for a substantial reorganization of the regulation of State and Federal savings associations and their holding companies. Beginning July 21, 2011, the transfer date established by section 311 of the Dodd-Frank Act, codified at 12 U.S.C. 5411, the powers, duties, and functions formerly performed by the OTS were divided among the FDIC, as to State savings associations, the Office of the Comptroller of the Currency ("OCC"), as to Federal savings associations, and the Board of Governors of the Federal Reserve System ("FRB"), as to savings and loan holding companies. Section 316(b) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(b), provides the manner of treatment for all orders, resolutions, determinations, regulations, and advisory materials that had been issued, made, prescribed, or allowed to become effective by the OTS. The section provides that if such materials were in effect on the day before the transfer date, they continue to be in effect and are enforceable by or against the appropriate successor agency until they are modified, terminated, set aside, or superseded in accordance with applicable law by such successor agency, by any court of competent jurisdiction, or by operation of law.

Section 316(c) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(c), further directed the FDIC and the OCC to consult with one another and to publish a list of the continued OTS regulations which would be enforced by the FDIC and the OCC, respectively. On June 14, 2011, the FDIC's Board of Directors approved a "List of OTS Regulations to be Enforced by the OCC and the FDIC Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act." This list was published by the FDIC and the OCC as a Joint Notice in the Federal Register on July 6, 2011. [2]

Although section 312(b)(2)(B)(i)(II) of the Dodd-Frank Act, codified at 12 U.S.C. 5412(b)(2)(B)(i)(II), granted the OCC rulemaking authority relating to both State and Federal savings associations, nothing in the Dodd-Frank Act affected the FDIC's existing authority to issue regulations under the Federal Deposit Insurance Act ("FDI Act") and other laws as the "appropriate Federal banking agency" or under similar statutory terminology. Section 312(c) of the Dodd-Frank Act amended the definition of "appropriate Federal banking agency" contained in section 3(q) of the FDI Act, 12 U.S.C. 1813(q), to add State savings associations to the list of entities for which the FDIC is designated as the "appropriate Federal banking agency." As a result, when the FDIC acts as the designated "appropriate Federal banking agency" (or under similar terminology) for State savings associations, as it does here, the FDIC is authorized to issue, modify and rescind regulations involving such associations, as well as for State nonmember banks and insured branches of foreign banks.

As noted, on June 14, 2011, operating pursuant to this authority, the FDIC's Board of Directors reissued and redesignated certain transferring OTS regulations. These transferred OTS regulations were published as new FDIC regulations in the Federal Register on August 5, 2011. [3] When it republished the transferred OTS regulations as new FDIC regulations, the FDIC specifically noted that its staff would evaluate the transferred OTS rules and might later recommend incorporating the transferred OTS regulations into other FDIC rules, amending them, or rescinding them, as appropriate.

One of the OTS rules transferred to the FDIC requires State savings associations to notify the FDIC at least 30 days before establishing a transactional Web site. The OTS rule, formerly found at 12 CFR part 555, subpart B ("part 555, subpart B"), was transferred to the FDIC with only technical changes and is now found in the FDIC's rules at part 390, subpart L, entitled "Electronic Operations." The FDIC has no such corresponding rule. After careful review of part 390, subpart L, the FDIC proposes to rescind part 390, subpart L, because, as discussed below, it is obsolete, unnecessary, and burdensome.

Former OTS Part 555, Subpart B (Transferred to FDIC Part 390, Subpart L)

On January 1, 1999, part 555, subpart B became effective and was among the regulations that were transferred to the FDIC from the OTS on July 21, 2011, pursuant to the Dodd-Frank Act. This rule required savings associations to file a written notice with the OTS at least 30 days before establishing a transactional Web site. The OTS enacted the Electronic Operations rule unilaterally. Neither the FDIC, nor the Office of the Comptroller of the Currency ("OCC"), [4] nor the Board of Governors of the Federal Reserve System ("FRB") has a regulatory notice requirement similar to the Electronic Operations rule that requires insured depository institutions ("IDIs") to notify the FDIC if they intend to establish transactional Web sites.

In issuing its Electronic Operations rule, the OTS sought to "monitor adequately savings associations' technological innovations and to assess security, compliance, and privacy risks." [5] The OTS reasoned that the notice requirement would aid the agency in assisting savings associations "that are contemplating or already conducting Internet operations to identify and address the risks that accompany such activities" and would "help institutions avoid problems and protect consumers." [6] At the time, the OTS concluded that a requirement that each savings association must provide advance notice to the OTS of the association's intent to establish a transactional Web site would assist the OTS in evaluating safety and soundness, compliance, and other risks.

Significantly, the OTS noted that "[a]s technologies mature and the industry and OTS gain additional experience, the OTS may revise the rule to no longer require notice before establishing a transactional Web site." [7] In a 2001 review of its regulations regarding electronic delivery of financial products and services, the OTS suggested that a goal of the Electronic Operations rule was to impose a notice requirement in lieu of specific operational standards as the least burdensome way to regulate savings associations. The OTS also stated that it "designed its regulations to help ensure that it would have sufficient information to understand developing technologies, to provide appropriate guidance on these technologies, and to supervise electronic operations effectively." [8]

After careful consideration of the former OTS's general prior notice requirement, the FDIC has reached the same conclusion it has in the past, particularly in light of continuing advancements in electronic banking and related technology. Specifically, the FDIC concludes there is no supervisory value in a requirement that an IDI give prior notification to the FDIC about its establishment of a transactional Web site. Given the rapid evolution, innovation and current state of technological products and interfaces with customers, the FDIC relies on dynamic, in-depth supervisory means to evaluate an IDI's information technology ("IT") systems. Instead of a general notice requirement for the establishment of a transactional Web site, the FDIC has developed and relies upon more useful and ongoing sources of information to evaluate the financial condition, risks and regulatory compliance by FDIC-supervised institutions. Prior notification that an institution is establishing a transactional Web site is an outdated and unnecessary requirement.

Currently, the FDIC receives information about an IDI's IT systems, including its transactional Web sites, from various examinations and other sources of information that render a general prior notice requirement such as the former OTS rule for savings associations, outdated and unnecessary for the FDIC's supervisory purposes of risk management and compliance. For example, the FDIC's IT pre-examination questionnaire to IDIs requires information about the IDI's technological developments, including whether there were any changes in technology that were implemented since the previous FDIC examination.

Changes in technology include, for example, any "new service provider relationships, new software applications and/or service offerings." [9] The IT pre-examination questionnaire also asks whether the IDI plans to "deploy new technology within the next 12 months," which would include the implementation of a transactional Web site. If the answer is "yes," the questionnaire asks whether the risks associated with the new technology were reviewed by the IDI during the institution's most recent risk assessment. [10] The FDIC then reviews the IDI's risk assessment at each examination. The questionnaire also asks whether the IDI has "identified and reported its service provider relationships (both domestic and foreign-based) to the FDIC," [11] which would include those with Technology Service Providers ("TSPs"). This information is also required to be reported by the IDI to the FDIC pursuant to the Bank Service Company Act ("BSCA"). [12]

As part of its examination process, the FDIC also monitors technology developments and TSPs. In periodic on-site IT examinations, FDIC examiners obtain information regarding the establishment of transactional Web sites and any other technological developments the institution has implemented. Through the Federal Financial Institutions Examination Council ("FFIEC"), the FDIC, jointly with other Federal banking agencies, also participates in examinations of all of the major TSPs. In these examinations, the FDIC obtains customer lists of all financial institutions that have contracted for services from the particular service provider, including TSPs. These lists are more up to date than a point-in-time notice that the Electronic Operations rule offers and they also provide the FDIC with notice of any changes in TSPs.

During the FDIC's compliance examinations, IDIs are also routinely examined for compliance with applicable consumer protection laws and regulations, such as the Truth in Lending Act, Regulation Z; the Electronic Funds Transfer Act, Regulation E; the Equal Credit Opportunity Act, Regulation B; the Truth in Savings Act, Regulation DD; and Section 5 of the Federal Trade Commission Act that prohibits unfair or deceptive acts or practices. These examinations address any problems IDIs may have with the adequacy of consumer disclosures, among other things.

In addition, the BSCA requires IDIs to provide written notice to the FDIC (or other appropriate Federal banking agency) of the existence of third-party service relationships "within thirty days after the making of such service contract or the performance of the service, whichever occurs first." [13] The BSCA covers services performed by third parties, including TSPs, and the FDIC has long interpreted the BSCA to include within its scope Internet banking service providers. [14]

Specific and ongoing information obtained and evaluated by the FDIC through the IT pre-examination questionnaire, on-site IT examinations, TSP examinations and compliance examinations as well as the BSCA notice better enables the FDIC to evaluate existing or potential safety and soundness and compliance concerns. The FDIC's IT examination process renders a general, point-in-time notice, such as that required by the OTS's Electronic Operations rule, unnecessary. The rule is inefficient and unnecessarily burdensome, and it should be eliminated.

In its supplemental notice of proposed rulemaking, the OTS expressed concerns regarding the safety of Internet banking and protecting customers' privacy in support of its rule. [15] However, these supervisory concerns have been addressed elsewhere, rendering the Electronic Operations rule superfluous. For example, in 2005 and most recently updated in 2011, the FDIC, with the other FFIEC agencies, issued guidance that describes supervisory expectations regarding customer authentication for high-risk transactions, layered security programs, and other controls related to Internet banking. [16] The guidance includes regulatory expectations about enhanced authentication methods banks must use when authenticating the identity of customers using on-line products and services, the need for layered security, and minimum control expectations for certain online banking activities.

In addition, 12 CFR part 364, appendix B ("part 364, appendix B") to the FDIC regulations, which implements the Gramm-Leach-Bliley Act, addresses the bank's requirements for safeguarding customer information, which includes transactional Web sites. [17] An institution's compliance with part 364, appendix B is assessed at every FDIC IT examination and specifically addressed in each Report of Examination.

After careful review of the OTS's transferred rule in part 390, subpart L, and the former OTS's stated rationale for the rule, the FDIC, as the appropriate Federal banking agency for State savings associations, proposes to rescind and remove the former OTS rule in its entirety. Rescinding part 390, subpart L also will serve to streamline the FDIC's rules and eliminate obsolete and superfluous regulations. If the proposal is adopted in final form, all IDIs regulated by the FDIC--including State savings associations--will be regulated in a uniform manner.

II. The Proposal

Regarding the functions of the former OTS that were transferred to the FDIC, section 316(b)(3) of the Dodd-Frank Act, 12 U.S.C. 5414(b)(3), in pertinent part, provides that the former OTS regulations will be enforceable by the FDIC until they are modified, terminated, set aside, or superseded in accordance with applicable law. After reviewing the Electronic Operations rule currently found in part 390, subpart L, the FDIC, as the appropriate Federal banking agency for State savings associations, proposes to rescind part 390, subpart L in its entirety. Rescinding part 390, subpart L will serve to streamline the FDIC's rules and eliminate obsolete and unnecessary regulations. It will also facilitate uniform supervision regarding notification requirements for electronic operation for all FDIC-supervised IDIs.


(c) 2014 Targeted News Service
