Extracted from Law360
The Texas Department of Banking has extended the state banking commissioner's regulatory authority.
The action was among several legal and regulatory developments in the fourth quarter of 2023 that could significantly affect the banking industry as it moves into the new year.
Banking Department's Updated Policies on Enforcement Actions
After the Texas Legislature amended certain sections of the Texas Financial Code, on Oct. 25, Texas Banking Commissioner Charles Cooper issued two memorandums to revise and supersede previous guidance from Feb. 19, 2013.
Supervisory Memorandum 1005 revised the department's policy on enforcement actions for state-chartered banks and bank-holding companies operating under the department's authority, updating the cease-and-desist and order of removal or prohibition sections.
The memorandum clarified that, under Section 35.002 of the Texas Finance Code, the banking commissioner has the authority to issue a cease-and-desist order against former officers, employees or directors of a bank in addition to current officers, employees or directors.
Passed into law earlier in 2023, Texas H.B. 3574 had amended Section 35.002(a) to read, "The banking commissioner has grounds to issue a cease and desist order to a current or former officer, employee, or director of a state bank."
The section previously read, "The banking commissioner has grounds to issue a cease and desist order to an officer, employee, or director of a state bank." Supervisory Memorandum 1005 now reflects this change.
The memorandum also provided that the commissioner has the authority to remove, on an emergency basis, any individual associated with a state bank that refuses to comply with a subpoena. The Texas Legislature granted this new authority by enacting Section 31.105(c-2) of the Texas Finance Code.
Supervisory Memorandum 1005 states:
If an officer, director, employee, controlling shareholder, or other person participating in the affairs of a state bank refuses to comply with a subpoena issued under Section 31.105, the Commissioner may issue an order on an emergency basis removing the person from the person's position and prohibiting the person from participating in the affairs of the state bank or any other entity chartered, registered, permitted, or licensed by the Commissioner until the person complies with the subpoena.
Interestingly, the new statutory authority extended the commissioner's authority to "other positions participating in the affairs of a state bank," while the supervisory memorandum noted that the commissioner may exercise this authority over "other persons participating in the affairs of a state bank."
The language used in the supervisory memorandum — "person" rather than "position" — appears several times in Section 35 of the Finance Code, while the word "position" is unique to the newly enacted statutory provision.
Under either standard, we'll have to wait to see how broadly the commissioner seeks to assert his authority. However, since the individual must be "currently serving" to be subject to this removal authority, there are natural limits on the commissioner's ability to extend this authority too broadly.
Another supervisory memo, 1030, made nonsubstantive revisions to Texas Department of Banking policy on enforcement actions for trust companies under the department's purview.
Ransomware Self-Assessment Tool Version 2.0
On Oct. 24, the Conference of State Bank Supervisors — which includes Texas — along with the Bankers' Electronic Crimes Task Force and the U.S. Secret Service released an updated ransomware self-assessment tool, or R-SAT.
R-SAT 2.0 is a multiquestion self-assessment tool intended to help banks and other financial institutions manage risks associated with ransomware. The updated version has the same appearance and format as the previous version but was expanded from 16 questions to 20 questions.
The updated R-SAT focuses on multifactor authentication; international data management; employee awareness and security training; cyber insurance; ransomware threat remediation; preventive controls; and social media.
R-SAT 2.0 uses a series of questions and sub-questions to help banks gauge the effectiveness of their current security protocols and provides the banks with information and tools to help prevent ransomware attacks.
Aside from the institutional benefits that come with adopting R-SAT 2.0, the Texas Department of Banking recommended that banks update their R-SAT as soon as possible because, starting on April 1, examiners will review and discuss banks' completed R-SAT 2.0 at information technology examinations.
FDIC's Proposed Standards for Corporate Governance and Risk Management
On Oct. 11, the Federal Deposit Insurance Corp. published a notice of proposed rulemaking that would establish new guidelines for governance and risk management at FDIC-supervised insured depository institutions with assets greater than or equal to $10 billion.
This is relevant to Texas banks because portions of the proposed rule, if promulgated, would usurp corporate governance authority traditionally held by the Texas Department of Banking and the Texas Secretary of State. The proposal would amend Title 12 of the Code of Federal Regulations, Sections 364.101 and 308.302, to promulgate stringent standards and guidelines for corporate governance and risk management for covered institutions.
These standards would be issued as Appendix C to the FDIC's standards for safety and soundness regulations and would be enforceable under Section 39 of the Federal Deposit Insurance Act.
Although the FDIC based the proposed guidelines on the principles set forth in both the Board of Governors of the Federal Reserve System's Regulation YY and the Office of the Comptroller of the Currency's "Guidelines Establishing Heightened Standards for Certain Large Insured National Banks, Insured Federal Savings Associations, and Insured Federal Branches," the FDIC's proposal goes well beyond what its sister agencies currently have in place.
The FDIC claims that the proposed guidelines are intended to align the FDIC's supervision framework more closely with the other federal banking regulators. The FDIC's $10 billion threshold, however, is much lower than the thresholds for both the OCC ($50 billion) and the Federal Reserve ($100 billion).
Importantly, the proposal would authorize the FDIC to apply the heightened standards to banks with less than $10 billion in assets that have safety and soundness concerns.
The proposed guidelines seek to promulgate into regulation heightened standards for board governance and risk management applicable to bank boards of directors, in many instances going beyond similar standards promulgated by the OCC and Federal Reserve.
This would have the effect of enhancing the responsibilities and potential liability of Texas bank directors, which could negatively affect state banks' ability to find and retain qualified directors.
The proposed guidelines may also shoehorn bank directors into more of a managerial role rather than their intended governance role.
FDIC Director Jonathan McKernan published a dissent to the proposal, in part because some of the guidelines could "conflate the roles of board and management, preempt state corporate law, and potentially conflict with regulatory expectations applicable to parent companies."
Texas Court's Nationwide Injunction Against CFPB's Section 1071 Rule
On Oct. 26, in the case of Texas Bankers Association et al. v. Consumer Financial Protection Bureau et al., the U.S. District Court for the Southern District of Texas extended an injunction on the CFPB's small-business data collection rule to apply nationwide, pending the outcome of a U.S. Supreme Court case — CFPB v. Community Financial Services Association of America — challenging the constitutionality of the CFPB's funding structure.
The expanded injunction came three months after a judge granted a limited preliminary injunction in July to member banks of the Texas Bankers Association, the American Bankers Association and Rio Bank, a Texas state bank.
The small-business data collection rule, known as 1071 for its section in the Dodd-Frank Wall Street Reform and Consumer Protection Act, would require banks, credit unions and small-business lenders to collect and report data on loan applications for women-owned and minority-owned small businesses.
The rule has been contentious among small-business lenders because it creates significant new compliance obligations to collect data, including geographic and demographic data, lending decisions, and the price of credit. Some claim that the rule would increase borrowing costs and potentially restrict credit for the small businesses the rule was purportedly designed to help.
In the lawsuit, the plaintiffs' complaint relied heavily on the U.S. Court of Appeals for the Fifth Circuit's decision in CFPB v. CFSA, finding the CFPB's funding structure unconstitutional and, therefore, rules promulgated by the bureau invalid. The case is pending for the Supreme Court's review.
The expanded injunction follows a period of mounting pressure on the Texas federal court by banks and trade groups, such as the Texas Bankers Association and the Independent Bankers Association of Texas, advocating for the nationwide extension of the injunction and U.S. Senate Joint Resolution 32 in favor of repealing the rule.
Even though the Senate voted in favor of the resolution, President Joe Biden vetoed the bill last month.
Fifth Circuit's Stay of CFPB Appeal to Texas Federal Court
In September, the U.S. District Court for the Eastern District of Texas ruled that the CFPB exceeded the scope of its statutory authority with its amendment of the exam manual, under which it planned to review companies for discrimination.
On Nov. 16, the Fifth Circuit granted a motion to stay further proceedings in the CFPB's appeal of summary judgment granted in favor of the U.S. Chamber of Commerce and other trade groups challenging the CFPB's exam manual changes, pending the Supreme Court's decision in the CFSA case.
The changes made to the unfair, deceptive or abusive acts and practices section of the exam manual instruct examiners to designate discriminatory conduct they turned up as an "unfair" practice. The CFPB announced that the discrimination was "unfair" under the Dodd-Frank Act and that examiners may use disparate impact reviews of lending to determine whether there was discrimination in a company's practices and apply the unfairness standard.
The complaint argued that the CFPB's funding mechanism is unconstitutional, and the district court agreed. But because the CFSA case is pending before the Supreme Court, the court also reached the merits of whether the CFPB impermissibly interpreted the word "unfair" to assert that it could bring these types of discrimination claims.
The court again agreed with the plaintiff on this basis, finding that such broad authority to police the industry for discrimination is a question of major significance and thus should not be granted without exceedingly clear language by Congress.
If the Supreme Court sides with the CFPB on the constitutionality of the agency's funding structure, the Fifth Circuit will likely address nonconstitutional claims of the plaintiffs or adjust compliance deadlines in each case.
On Oct. 3, the Supreme Court heard oral arguments in the CFSA case on the constitutionality of the CFPB's funding structure. We expect a final decision from the court in June 2024.