Financial regulators focus on vendor due diligence

In the wake of the economic crisis, financial institutions have faced a wave of new rules and regulations. From the Dodd-Frank Wall Street Reform and Consumer Protection Act to regulators stepping up their enforcement efforts, regulated entities must ensure compliance with a host of new requirements.

The rules and heightened oversight go beyond banks themselves, and are increasingly focused on their third-party vendors. In many cases, vendors are not allowed to work with regulated entities unless they can demonstrate their compliance with various data security and privacy requirements.

Last year, New York’s Department of Financial Services (the “DFS”) sent letters to banks nationwide expressing concern about the state of their cybersecurity practices with regard to third-parties. DFS Superintendent Benjamin Lawsky requested that recipients disclose “any policies and procedures governing relationships with third-party service providers” as well as “any due diligence processes used to evaluate” all types of providers, including accountants and law firms. “It is abundantly clear that, in many respects, a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors,” Lawsky wrote.

In “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” the Securities and Exchange Commission (the “SEC”) and the Department of Justice (the “DOJ”) state that the agencies “assess whether the company has informed third-parties of its compliance program and commitment to ethical and lawful business practices, and where appropriate, whether it has sought assurance from third-parties, through certifications and otherwise, of reciprocal commitments.” To avoid regulatory action, the SEC and DOJ also suggest that regulated banks and financial institutions consider providing training to vendors.

The Office of the Comptroller of the Currency (the “OCC”) released new guidance in October 2013, advising banks to take a “life cycle” approach to managing third-party relationships (such as security providers, affiliates, consultants, joint ventures, and payment processors) from planning and due diligence to ongoing monitoring and termination.

When conducting due diligence – commensurate with the level of risk and complexity presented by the relationship – financial institutions should not rely on prior knowledge or experience of the third-party, the OCC said. Instead, they must conduct an “objective, in-depth assessment of the third-party’s ability to perform the activity in compliance with applicable laws and regulations and in a safe and sound manner” including a review of the third-party’s financial conditions (like any pending litigation or audited financial statements), reference checks, and evaluation of the entity’s legal and regulatory compliance.

Contracts should specify compliance with the regulations of relevant law, such as the Gramm-Leach-Bliley Act, the OCC added, and provide the financial institution with the power to conduct compliance reviews of the third-party.

Not to be outdone, the Consumer Financial Protection Bureau (the “CFPB”) followed up in January 2015 with the latest addition to its loosely-sewn patchwork of vendor management best practices and requirements. Compliance Bulletin 2015-01, among other directives, puts CFPB-supervised entities on notice that they may not invoke non-disclosure agreements to avoid complying with requests from the CFPB to produce a third-party’s confidential information.

For nonbanks and service providers still coming up to speed on the CFPB’s supervision and enforcement, confidentiality obligations, audit rights, vendor training responsibilities, and remedies for vendor breaches are among the thornier agreement provisions that may need to be enhanced in light of developing trends.

Read OCC Bulletin 2013-29.

Read the SEC’s and DOJ’s “A Resource Guide to the U.S. Foreign Corrupt Practices Act”.

May 8th, 2015|Legislation|

SEC new rule: ABS issuers and underwriters must disclose any third-party due diligence report

On August 27, 2014, as mandated by the Dodd-Frank Act, the Securities & Exchange Commission (the “SEC”) adopted several new rules and amendments designed to improve the quality of credit ratings and increase the accountability of Nationally Recognized Statistical Rating Organizations (“NRSROs”). The new rules, which become effective nine months after their publication in the Federal Register, significantly affect services in connection with asset-backed securities (“ABS”). Among other provisions is a requirement for ABS issuers and underwriters to disclose the findings and conclusions of any third-party due diligence report they obtain. The rule applies to both registered and unregistered offerings. Additionally, providers of ABS due diligence services must submit a written certification (signed by an individual who is duly authorized to make such a certification) to any NRSRO that is producing a credit rating regarding the ABS, and disclose information about the due diligence performed, along with a summary of the findings and conclusions, and identification of any relevant NRSRO due diligence criteria that the third-party intended to meet in performing the due diligence.

October 15th, 2014|Dodd-Frank|

SEC defines “compensated solicitor” and “participation” under bad actor Rule 506(d)

As we reported previously, on September 23, 2013, new Rules 506(d) and (e) of Regulation D under the Securities Act and changes to Form D (“Bad Actor Rules”) went into effect, making all Rule 506 offerings subject to certain disqualification, disclosure and certification requirements.

In this blog, we want to bring to your attention the SEC’s compliance and disclosure interpretations (“C&DIs”) issued December 4, 2013, which, among other provisions, define what constitutes a “compensated solicitor” and “participation” in an offering, in case the SEC’s expanded guidance warrants an assessment of your particular services, especially if you are a professional advisor.

The C&DIs define “compensated solicitors” as “all persons who have been or will be paid, directly or indirectly, remuneration for solicitation of purchasers, regardless of whether they are, or are required to be, registered under Exchange Act Section 15(a)(1) or are associated persons of registered broker-dealers.”

According to the C&DIs, “participation in an offering is not limited to the solicitation of investors, and includes involvement in due diligence activities or the preparation of offering materials (including analyst reports used to solicit investors), providing structuring or other advice to the issuer in connection with the offering, and communicating with the issuer, prospective investors or other participants about the offering. To constitute ‘participation,’ such activities must be more than transitory or incidental – administrative functions, such as opening brokerage accounts, wiring funds, and bookkeeping activities, would generally not be deemed to be ‘participating’ in the offering.”

January 23rd, 2014|Dodd-Frank, Educational Series|

Stricter Volcker Rule final; banking entities have until July 21, 2015 to conform

On December 10, 2013, five federal agencies approved the regulation known as the Volcker Rule, which introduces a variety of guidelines to limit risk-taking by banks with federally insured deposits. The Federal Reserve Board announced that banking entities covered by section 619 of the Dodd-Frank Wall Street Reform and Consumer Protection Act will be required to fully conform their activities and investments by July 21, 2015. The compliance requirements will vary based on the size of the entity and the scope of activities conducted.

The rule prohibits insured depository institutions and any company affiliated with an insured depository institution from engaging in short-term proprietary trading of certain securities, derivatives, and other financial instruments for the firm’s own account, subject to certain exemptions, including market making and risk-mitigating hedging. It also imposes limits on banking entities’ investments in, and other relationships with, hedge funds and private equity funds.

December 10th, 2013|Educational Series, Legislation|

Remedying Rule 506 “bad actor” disqualification through reasonable care

The SEC’s Rule 506 “bad actor” amendments went into effect September 23, 2013. As we reported previously, these amendments add Rule 506(d) to implement Regulation 926 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Under the rule, securities offerings involving certain “felons and other ‘bad actors’” are disqualified from the Rule 506 exemption unless the disqualification is waived or remedied through a “reasonable care” exception. (See Securities Act Release No. 9414, 78 Fed. Reg. 44,729; July 24, 2013).

The rule’s long list of disqualifying events – and an even longer list of covered persons – is raising consternation as issuers and practitioners come to grips with the challenges of compliance. A disqualification due to the presence of “bad actors” can be catastrophic, resulting in the loss of the exemption altogether, spilling into regulatory actions, litigation, and reputational issues. And any impediment to raising capital is likely to scare away investors.

The rule provides an exception from disqualification if the issuer is able to demonstrate that it did not know and, in the exercise of reasonable care, could not have known that a covered person with a disqualifying event participated in the offering. The SEC has not prescribed specific steps to establish reasonable care; however, it has indicated that the concept includes a factual inquiry in view of the particular facts and circumstances and other offering participants. Despite the procedural ambiguity, the message is clear that it is not enough to show that the issuer was unaware of the disqualifying event – the issuer must establish that, in exercising “reasonable care,” it could not have known that a disqualification existed.

In anticipation of this ruling, SI has been including “disqualifying event” searches in many of its reports for over two years. Now that the ruling has gone into effect, SI also offers a specialized factual inquiry service to help our clients evidence “reasonable care” under the highest standards. For information, please contact Dave Lazar at 440-423-1157 or Jessica Staheli at 818-227-2598.

October 29th, 2013|Dodd-Frank|

SEC approves JOBS Act requirement to lift general solicitation ban and adopts final rule to disqualify bad actors from certain offerings

The Securities and Exchange Commission (the “SEC”) today adopted a new rule implementing a JOBS Act requirement to lift the ban on general solicitation or general advertising for certain private securities offerings. In connection with this new rule, the SEC issued an amendment proposal requiring issuers to provide additional information about these offerings to better monitor the market with that ban now lifted. The proposal provides for additional safeguards as the market changes and new practices develop.

Continuing the momentum, the SEC also adopted a long-awaited rule that disqualifies felons and other bad actors from participating in certain securities offerings as required by the Dodd-Frank Act. Under this final rule, an issuer cannot rely on the Rule 506 exemption if the issuer or any other covered person had what the SEC considers a “disqualifying event,” briefly described as a securities-related criminal conviction, court injunction or restraining order, final bar order, SEC disciplinary, cease-and-desist or stop order, suspension or expulsion from membership in a self-regulatory organization, or U.S. Postal Service false representation order.

The final rule provides an exception from disqualification when the issuer can show that it did not know and, in the exercise of reasonable care, could not have known that a covered person with a disqualifying event participated in the offering. The disqualification applies only for events that occur after the effective date of this rule. However, matters that existed before the effective date and that otherwise would be disqualifying are subject to a mandatory disclosure requirement to investors.

July 11th, 2013|Dodd-Frank, Educational Series|

CFPB issues long-awaited rule on supervising non-banks that pose risks to consumers

On June 26, 2013, the Consumer Financial Protection Bureau (the “CFPB”) issued a final rule that establishes procedures to bring under its supervisory authority certain nonbanks whose activities pose risks to consumers. Non-banks subject to the rule are companies that offer or provide consumer financial products or services but do not have a bank, thrift, or credit union charter, and include a nonbank’s affiliate service providers. The final rule will be effective 30 days after its publication in the Federal Register.

Under the Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”), the CFPB is authorized to supervise any nonbank, regardless of its size, that the CFPB has reasonable cause to determine “is engaging, or has engaged, in conduct that poses risks to consumers with regard to the offering or provision of consumer financial products or services.”

The CFPB has already finalized “larger participant” rules for the credit reporting and debt collection markets and has proposed such a rule for the federal and private student loan servicing market.

July 2nd, 2013|Dodd-Frank|

Final “bad actor” disqualification ruling long overdue

Over two years ago, Section 926 of the Dodd-Frank Act called for the SEC to impose “bad actor disqualification” (sometimes referred to as “bad boy disqualification”) on Rule 506 private placements. Under the proposed rule, which is long overdue, an issuer may not rely on the Rule 506 exemption from registration if certain individuals or entities associated with the offering have a disqualifying event in their past, such as a violation of securities law, state regulatory order or bar, or similar infraction.

Further, the JOBS Act, enacted last year, provided for the SEC to amend Rule 506 to lift the ban on general solicitation. This rulemaking is also past due, and anxious onlookers speculate that these changes to Rule 506 will get finalized at the same time. While there have been many comments to modify some of the rule’s overbroad applications, it is uncertain if the suggested changes will happen.

Notably, there is an important exception to the disqualification provisions. If an issuer exercises “reasonable care” in making a factual inquiry but is unable to uncover the disqualifying events despite having conducted the requisite due diligence, it will not necessarily lose the ability to rely on Rule 506. Although the proposed rules do not provide bright-line tests for establishing due diligence, they clearly indicate that the issuer has a duty to make a factual inquiry into the existence of disqualifying events. And depending on the circumstances, representations in agreements and questionnaires may not be adequate. Searching public databases also may be required, and possibly “further steps” which have yet to be defined.

SI understands that the bad boy disqualifiers can stop an offering in its tracks immediately upon the final rule’s adoption. And no matter what the transaction, no one wants to be involved with a “bad boy.” For over a year, our proactive approach has been to include comprehensive searches of the disqualifying event elements in higher level background reports as a value-add. The very real risk that issuers could lose the Rule 506 exemption due to facts of which they are not even aware illustrates the power of effective and thorough due diligence.

March 20th, 2013|Dodd-Frank|

CFPB proposal would put larger debt collectors and credit reporting agencies under the same supervision process as banks

The Consumer Financial Protection Bureau (CFPB) on February 16, 2011 announced a
proposed rule to include debt collectors and consumer reporting agencies under its nonbank
supervision program.

Created by the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB is
authorized to supervise nonbanks in the specific markets of residential mortgage, payday
lending, and private education lending. For other nonbank markets of consumer financial
products or services, the CFPB must define “larger participants” by rule, which is due on
July 21, 2012.

Three types of debt collection agencies dominate the market: firms that collect debt owned
by another company for a fee, firms that buy debt and collect the proceeds for themselves,
and attorneys and law firms that collect debt through litigation. A single company may be
collecting through any or all of these activities. Under the proposed rule, debt collectors
with more than $10 million in annual receipts from collection activities would be subject to
supervision. The CFPB estimates that the proposed rule would cover approximately 175 debt
collection firms (or 4% of debt collection firms) which account for 63% of annual receipts
from the debt collection market.

The CFPB’s proposal also takes aim at the largest credit bureaus selling comprehensive
consumer reports, consumer report resellers, and specialty consumer reporting agencies.
Defined as companies that make more than $7 million annually from their consumer
business, the rule would affect 30 companies, and firms like Experian, TransUnion and
Equifax, that account for 94% of the industry’s business.

This is the CFPB’s first in a series of rulemakings to define larger participants. The CFPB
chose annual receipts as the criterion for both debt collection and consumer reporting
because it approximates participation in these two markets.

The proposed rule is open for comment for 60 days after the rule is published in the Federal

February 18th, 2012|Dodd-Frank|

Dodd-Frank Act amendment for credit scores took effect July 21, 2011

The Federal Reserve Board and the Federal Trade Commission (FTC) issued final rules to implement the credit score disclosure requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If a credit score is used in setting material terms of credit or in taking adverse action, the statute requires creditors to disclose credit scores and related information to consumers in notices under the Fair Credit Reporting Act (FCRA).

The final rules amend Regulation V (Fair Credit Reporting) to revise the content requirements for risk-based pricing notices, and to add related model forms that reflect the new credit score disclosure requirements. These rules also amend certain model notices in Regulation B (Equal Credit Opportunity), which combine the adverse action notice requirements for Regulation B and the FCRA.

For employers, this means that if a consumer report that includes a credit score is used to determine eligibility for employment, the employer will be required to disclose to the subject the usage of the credit score in an adverse employment decision and to provide information about the credit score, including the score itself, up to four key adverse factors in the score, and the identity of the agency that provided the score.

For credit transactions, creditors, including banks, credit unions, credit card issuers, and utilities, that extend credit on terms that are less favorable than those offered to other consumers because of information contained in a credit report, or if other adverse action is taken, will have to provide to the subject a “risk-based pricing notice” which discloses the credit scores and related information. Such notice will include: 1) the numerical credit score used by the creditor in making the decision; 2) the range of possible scores under the model used by the creditor; 3) the key factors that adversely affected the credit score; 4) the date on which the credit score was created, and 5) the name of the entity that provided the score.

In certain cases, such as for applications for a mortgage, auto loan, or another type of credit, a lender will have to furnish to the subject a “credit score notice” that lists the credit score and how the score compares to other consumers’ scores regardless of the credit terms offered. If no credit score is available for a consumer, the lender’s notice will identify the particular credit bureau which reported this information. Additionally, if a consumer’s annual percentage rate (APR) on an existing credit account is increased based on a review of a credit report, the creditor will have to provide an “account review notice.”

The Board and the FTC have stated that it is imperative to have the regulations and revised model forms in place as close as possible to July 21, 2011. This will help ensure that consumers receive consistent disclosures of credit scores and related information, and facilitate uniform compliance when Section 1100F of the Dodd-Frank Act becomes effective.

July 25th, 2011|Dodd-Frank, Legislation|