Scrutiny and Divergence: 2023 Regulatory Challenges

Increased supervision and enforcement

Regulators will continue to apply existing regulations to new products and service areas. This will bring heightened scrutiny to areas of ethics and conduct and consumer and investor protections, and will lead to expanded examinations and increased volumes of regulatory matters tied to business, technology, operations, and risk functions.  

Supervision will also be directed to new and evolving areas. Common themes across all regulators include fairness, digitalization, crypto and digital assets, cyber security, climate-related risks, competition, and financial crime (BSA/AML/CFT). Regulations and guidance that supervisors will be reviewing closely include:

• SEC: Investment Adviser Marketing Rule; private funds and hedge funds, including amendments to Form PF (with CFTC); amendments to Proxy rules; ESG-related rules, including proposals for the Names Rule and disclosures of Human Capital, corporate board diversity, and ESG investment practices; digital engagement practices; proposals to “modernize” equity market structure (including order routing, conflicts of interest, best execution); registration and regulation of crypto assets that are securities; records retention and disposal.

• FINRA: Regulation Best Interest and Form CRS; order handling, best execution, and conflicts of interest; communication and disclosure of complex products; supervision of mobile applications and consumer interactions; third-party vendor risks; customer account information (e.g., designation of registered individuals as a customer’s beneficiary, executor/trustee, or power of attorney holder).

• FRB: Real-time payments; access to the Federal Reserve Bank accounts and payments system (including novel charters); capital changes; large bank resolution planning; bank merger analysis; “fairness” policies based on financial capability, access, and consumer protection; stablecoins and other crypto assets.

• OCC: Technological innovation (fintechs, payments, banking-as-a service (BaaS); information technology (IT security controls, change management, operational resilience); credit, allowance for credit losses, interest rate risk; third parties and related concentrations; bank mergers analysis; novel charters; community reinvestment act; climate-related risk.

• CFPB: Application of UDAAP to discriminatory conduct across lifecycle of consumer financial services products and services; supervision of nonbank financial service providers (servicers, payment processers, fintechs, Big Tech);Consumer fees, including policies and practices related to transparency, clarity, and application; Consumer credit reporting; small business data collection; relationship, transactional, and algorithmic banking (e.g., complaints management, customer service, use of algorithms, automated decision making, valuation models); payments and international money transfer markets; “open banking;” repeat offenders. 

Regulatory democratization

Regulators will continue to actively seek consumers’ commentary, complaints, and input in an effort to help direct and defend new/expanded regulations, as well as supervisory and exam focus. Key areas will include:

• Proactive, direct solicitation of consumers’ and investors’ experiences with specific financial products and services, their associated underlying regulations, and areas such as disclosures, fees, and customer service interactions (live interactions, bots, accessibility, resolution).

• Complaints portal activity to guide and/or confirm areas of regulatory focus; may be factored into supervisory practices and investigations as a “should have known” standard.

• Proxy rules that increase opportunity for shareholder proposals and votes to be considered, including in the election of directors, merger applications, and ESG-related concerns.

• Fiduciary duties of investment advisers to carry out investor preferences inclusive of ESG matters alongside investment return. 

Regulatory divergence

Approaches to various ongoing and emerging risks diverge across federal, state, and global regulators and standards setters, due in part to social and political pressures and in part to debates on jurisdictional authorities. Such differences are unlikely to abate in the near term and, in some cases, may be aggravated by litigation and/or judicial action. Areas to watch include: 

• U.S. alignment in principle with other global jurisdictions and standards but divergence in U.S. laws and regulations, such as:
  • ESG/Climate (SEC, TCFD, ISSB, EFRAG).
  • Crypto assets (SEC, CFTC, Banking Regulators, countries with CBDCs, FATF).
  • Basel capital implementation (slow uptake in the U.S.)
  • Data privacy (no overarching federal law).

• Differences between state and federal regulations, especially in instances where federal regulations have not yet been finalized, such as:
  • New York’s law imposing a “bias audit” requirement on firms using AI tools in employment decisions (beginning 2023).
  • California’s Consumer Privacy Rights Act (augmenting the CCPA beginning 2023).
  • Texas’ ban on local and state government entities contracting with financial companies that “boycott” fossil fuel-based energy companies or the gun industry.

• Industry-driven legal challenges, such as challenges to the funding structure of the CFPB; the CFPB’s expansion of UDAAP beyond fair lending laws and regulations; SEC’s climate disclosure requirements (as proposed); and FRB review of requests to access the Federal Reserve Bank accounts and payments services by institutions with novel charters.

• Congressional testimony on “appropriate” jurisdictional authorities, particularly related to crypto assets. 

Across the three lines

Companies are expected to hold each of their three lines of defense accountable for managing risk. Regulators will:

• Connect risk management failures in one line to weaknesses in the other two lines. 

• Hold individuals and groups accountable for misconduct in addition to their companies (and DOJ says it will expedite investigations of individuals).  

• Favorably view/credit companies that voluntarily and timely self-disclose identified weaknesses and violations of laws and regulations and cooperate in investigations; self-disclosure practices are factored by regulatory agencies into the severity of ratings and fines.

• Set high expectations for companies to be aware of emerging risks and the conduct of their employees.

• Encourage companies to establish effective compliance programs and foster a culture that deters misconduct and promotes ethics and compliance. Regulators will look for investment (people, process, and technology) to prevent, detect, and respond to ethics and compliance matters as well as demonstrable reporting of issues (identification, notification, escalation, and resolution (inclusive of monetary action.)