United States: Nutter Bank Report, October 2014

The Nutter Bank Report is a monthly electronic publication of the firm's Banking and Financial Services Group and contains regulatory and legal updates with expert commentary from our banking attorneys.

1. New Guidance Emphasizes Board's Role in Establishing Corporate Culture
2. Court Allows Bank to Pursue Insurer for Reimbursements Made to Hacked Depositor
3. Permissible Investments Expanded under Massachusetts Legal Investment List Law
4. CFPB Proposes a No-Action Letter Program
5. Other Developments: FAIR Plan and Credit Risk Retention 

1. New Guidance Emphasizes Board's Role in Establishing Corporate Culture

The Basel Committee on Banking Supervision—the primary global standard-setter for the prudential regulation of banks made up of bank regulators from 28 nations—has issued revised guidance on principles of corporate governance for banks. The revised corporate governance principles released on October 10 build on the Basel Committee's 2010 principles for enhancing corporate governance. Specifically, the revised principles strengthen guidance on risk management, including the roles played by business units, risk management teams and internal audit and control functions and the importance of a sound risk culture to drive risk management within a bank. The revised principles also expand the guidance on the role of the board of directors in overseeing the implementation of effective risk management systems and emphasize the importance of the board's collective competence as well as the obligations on individual directors to dedicate sufficient time to their duties and to remain current on developments in banking. The revised principles recognize that compensation systems are a key component of corporate culture through which the board and senior management of a bank convey acceptable norms for risk-taking. The principles on corporate governance also provide guidance for bank regulators in evaluating the processes used by banks to select board members and senior management. The revised principles recommend that bank regulators strengthen their ability to assess the effectiveness of a bank's risk governance and its risk culture.

     Nutter Notes: The Basel Committee's revised principles on corporate governance for banks reflect a trend among bank regulators in emphasizing the importance of corporate culture in risk management, particularly the role of a banking organization's board of directors in establishing a bank's risk management culture. The first principle of the Basel Committee's revised corporate governance guidance is that "[t]he board has overall responsibility for the bank, including approving and overseeing the implementation of the bank's strategic objectives, governance framework and corporate culture." The revised principles recommend that a bank's board take a number of measures to establish the "tone at the top," such as setting and adhering to corporate values for the board, senior management and other employees that create expectations that business should be conducted in a legal and ethical manner. The revised principles also recommend that a bank's board promote risk awareness and convey the expectation that the board does not support excessive risk-taking. According to the revised principles, a bank's board is responsible for ensuring that steps are taken to communicate throughout the bank the corporate values, professional standards or codes of conduct the board sets, together with supporting policies, and reinforcing those standards with appropriate disciplinary actions for unacceptable behavior.

2. Court Allows Bank to Pursue Insurer for Reimbursements Made to Hacked Depositor

A federal district court in Pennsylvania recently held that a bank's payments to a commercial deposit customer reimbursing the customer for fraudulent transfers made after a data security breach could not be excluded from coverage under the bank's insurance policy by the insurer on the basis that the payments were "voluntary" – despite the fact that the bank did not seek the insurance company's consent before making the payments. The October 6 decision on a motion for summary judgment by the insurer involved a case where a business customer of a bank was the victim of a malware attack that allowed a hacker to obtain the on-line banking credentials of an officer of the business and transfer over $3 million out of its account. The bank reimbursed the business customer for the fraudulent transfers under Article 4A of the UCC in effect under Pennsylvania law and submitted a claim to the bank's insurance company under its professional liability policy. The insurance company denied coverage on the basis that the bank breached the voluntary payments exclusion under the policy. The court held that the bank's reimbursement payments to its customer were not voluntary payments because they were compelled by Article 4A and therefore inherently involuntary. The court concluded that the payments are not subject to the voluntary payments exclusion in the policy, which will allow the bank to argue at trial that the insurance company was not prejudiced by the bank's payment prior to notifying the insurance company of the claim.

     Nutter Notes: Section 204(a) of UCC Article 4A generally requires a bank to reimburse depositors for unauthorized funds transfers to the extent that the bank is not entitled to enforce such transfers, and to pay interest on the reimbursable amount. The relevant provision of the insurance policy provided that the insurance company would not be liable for any "settlement, defense costs, assumed obligation, admitted liability, voluntary payment, or confessed or agreed damages or judgment to which [the insurer] has not consented." [Emphasis added.] The policy also prohibited the bank from voluntarily making any payment with respect to any claim covered by the policy without the insurer's written consent. The case is an important precedent for banks seeking to recoup from insurers reimbursement for payments made to depositors for fraudulent transfers resulting from data breaches or cyber-security incidents. While banks should as a general rule make every reasonable effort to give prompt notice to insurers to attempt to avoid coverage disputes arising from fraudulent transfers, state and federal data security breach notice requirements often require banks to take immediate and costly response measures that do not permit time to wait for insurers to react to claims.

3. Permissible Investments Expanded under Massachusetts Legal Investment List Law

Governor Patrick has signed into law a bill that amends the Massachusetts legal investment list law, which requires the Commissioner of Banks to annually issue a list of equity and fixed instrument investments deemed permissible for state-chartered banks and certain other regulated entities. The amendment signed by the Governor on October 9, Chapter 343 of the Acts of 2014, preserves the authority of the Commissioner to issue the annual list of legal investments, but adds authority for Massachusetts banks to invest in certain types of debt and equity securities that are separate from, and in addition to, the Commissioner's legal investment list. Permissible investments under the amended law include certain municipal and corporate notes and bonds, and the common stock, notes and bonds of banks and bank holding companies under certain circumstances. The amended law provides authority for banks to invest in all bonds, notes or other interest-bearing obligations of the United States or Massachusetts, or in obligations that are unconditionally guaranteed by the United States or Massachusetts, and bonds, notes or other interest-bearing obligations issued or unconditionally guaranteed by other states that have not materially defaulted on an obligation within the past 20 years. It also provides direct authority for investments in guaranteed obligations of Fannie Mae, any obligations of a federal home loan bank, obligations of the Export-Import Bank of the United States, and mortgage-backed securities guaranteed by Ginnie Mae or issued by Freddie Mac, among other debt securities. The amendments to the legal list law become effective on January 8, 2015.

     Nutter Notes: The amendments to the legal list law add a due diligence requirement to the expanded investment authorities. Before a bank or other regulated entity relying on the legal list law may make a permissible investment, the law requires the institution to conduct an appropriate level of due diligence to determine whether an investment is both permissible and appropriate for the institution. The amended law provides that such due diligence may include both internal and external analyses. The amended law specifically provides that, for debt instruments, such an analysis may not rely solely on a credit rating agency and the institution must determine that the instrument has both a low risk of default by the obligor and that the full and timely repayment is expected over the expected life of the investment. Investments not specifically authorized by the amended legal list law are still eligible for inclusion on the Commissioner's annual list. Banks and other regulated entities relying on the legal list law may petition the Commissioner to consider specific investments for addition to the Commissioner's annual list, such as mutual funds investing solely in legal investments, provided that such investments meet any additional criteria required by the Commissioner under the law.

4. CFPB Proposes a No-Action Letter Program

The CFPB has issued a proposal for a limited Policy on No-Action Letters that would establish a process to reduce regulatory uncertainty that may exist for certain emerging products or services by allowing CFPB staff to advise financial institutions about the permissibility of a new product or service in the planning stage. Specifically, the proposed program announced on October 10 would allow CFPB staff to send a No-Action Letter to a financial institution that advises the institution that the staff does not plan to recommend "the initiation of supervisory or enforcement action with respect to specific aspects of a particular legal requirement in connection with [the institution]'s offering or provision of a new product," as it has been described to the CFPB staff. Under the proposed program, the CFPB could modify or revoke a No-Action Letter, and limit such a letter by time, volume or in other ways. Under the proposed policy, the No-Action Letter would not be available unless the financial institution shows that the new product or service promises substantial consumer benefits. The CFPB would require a No-Action Letter applicant to demonstrate the characteristics of the proposed product or service, how it will work, and what consumer risks are involved. The applicant would need to explain the regulatory uncertainty that exists and how that uncertainty interferes with the development of the product or service. The applicant also would be required to demonstrate consumer safeguards and how consumer interests and safety will be monitored. Comments on the proposed No-Action Letter policy must be submitted to the CFPB by December 15.

     Nutter Notes: According to the CFPB, a No-Action Letter would not be a waiver of any law or regulation, and it would not give the applicant financial institution an exemption from complying with any statutory or regulatory requirement. A No-Action Letter also would not describe the CFPB's official interpretation of a statutory or regulatory requirement. A No-Action Letter would provide assurance to the applicant financial institution that, subject to certain limitations, the CFPB staff would not recommend enforcement action against the institution with respect to the statutory or regulatory requirements specified in the letter. A No-Action letter would not provide any assurance that another federal or state regulator, or another person, could not claim that the product or service has violated statutory or regulatory requirements. The CFPB's proposal describes certain circumstances under which it may specifically refuse to grant or deny a No-Action Letter application, either with or without an explanation. Such circumstances include the applicant or its principals being the subject of ongoing governmental law enforcement investigation, supervisory review, or enforcement action with respect to the new product or service or a related or similar product or service. The CFPB said that it expects that No-Action Letters would be provided rarely and on the basis of exceptional circumstances. Under the proposal, applicants would not have a legal entitlement to no-action treatment of regulatory uncertainties.

5. Other Developments: FAIR Plan and Credit Risk Retention

  • Governor Signs FAIR Plan Legislation

Governor Patrick has signed into law a bill that will require the Massachusetts Property Insurance Underwriting Association (MPIUA), known as the Massachusetts FAIR Plan, to include liability coverage in its Non-Owner Occupied Dwelling policy for 1-to-4 family residential units. The legislation was signed by the Governor on October 9.

     Nutter Notes: Generally, a residential property owner who cannot get a Non-Owner Occupied Dwelling policy in the standard voluntary market must obtain it through the Massachusetts FAIR Plan. Until the law becomes effective, the FAIR Plan's Non-Owner Occupied Dwelling policy only covers the property and not liability, requiring the owner to obtain liability coverage separately. The law, Chapter 346 of the Acts of 2014, amends Section 1 of Chapter 175 of the General Laws of Massachusetts. The law becomes effective on January 8, 2015.

  • Federal Banking Agencies Approve Credit Risk Retention Rule

The federal banking agencies announced on October 22 that they have approved a final rule requiring sponsors of securitization transactions to retain risk in those transactions as required by the Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank Act"). The final rule will be effective one year after publication in the Federal Register for residential mortgage-backed securitizations and two years after publication for all other securitization types. Publication is expected shortly.

     Nutter Notes: The final rule generally requires sponsors of asset-backed securities ("ABS") to retain not less than 5% of the credit risk of the assets collateralizing the ABS issuance. The rule also includes prohibitions on transferring or hedging the credit risk that the sponsor is required to retain. As required by the Dodd-Frank Act, the final rule defines a "qualified residential mortgage" ("QRM") and exempts securitizations of QRMs from the risk retention requirement. The QRM definition is aligned with the CFPB's definition of a qualified mortgage.

This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.
