United States: Nutter Bank Report, October 2014

The Nutter Bank Report is a monthly electronic publication of the firm's Banking and Financial Services Group and contains regulatory and legal updates with expert commentary from our banking attorneys.

1. New Guidance Emphasizes Board's Role in Establishing Corporate Culture
2. Court Allows Bank to Pursue Insurer for Reimbursements Made to Hacked Depositor
3. Permissible Investments Expanded under Massachusetts Legal Investment List Law
4. CFPB Proposes a No-Action Letter Program
5. Other Developments: FAIR Plan and Credit Risk Retention 

1. New Guidance Emphasizes Board's Role in Establishing Corporate Culture

The Basel Committee on Banking Supervision—the primary global standard-setter for the prudential regulation of banks made up of bank regulators from 28 nations—has issued revised guidance on principles of corporate governance for banks. The revised corporate governance principles released on October 10 build on the Basel Committee's 2010 principles for enhancing corporate governance. Specifically, the revised principles strengthen guidance on risk management, including the roles played by business units, risk management teams and internal audit and control functions and the importance of a sound risk culture to drive risk management within a bank. The revised principles also expand the guidance on the role of the board of directors in overseeing the implementation of effective risk management systems and emphasize the importance of the board's collective competence as well as the obligations on individual directors to dedicate sufficient time to their duties and to remain current on developments in banking. The revised principles recognize that compensation systems are a key component of corporate culture through which the board and senior management of a bank convey acceptable norms for risk-taking. The principles on corporate governance also provide guidance for bank regulators in evaluating the processes used by banks to select board members and senior management. The revised principles recommend that bank regulators strengthen their ability to assess the effectiveness of a bank's risk governance and its risk culture.

     Nutter Notes: The Basel Committee's revised principles on corporate governance for banks reflect a trend among bank regulators in emphasizing the importance of corporate culture in risk management, particularly the role of a banking organization's board of directors in establishing a bank's risk management culture. The first principle of the Basel Committee's revised corporate governance guidance is that "[t]he board has overall responsibility for the bank, including approving and overseeing the implementation of the bank's strategic objectives, governance framework and corporate culture." The revised principles recommend that a bank's board take a number of measures to establish the "tone at the top," such as setting and adhering to corporate values for the board, senior management and other employees that create expectations that business should be conducted in a legal and ethical manner. The revised principles also recommend that a bank's board promote risk awareness and convey the expectation that the board does not support excessive risk-taking. According to the revised principles, a bank's board is responsible for ensuring that steps are taken to communicate throughout the bank the corporate values, professional standards or codes of conduct the board sets, together with supporting policies, and reinforcing those standards with appropriate disciplinary actions for unacceptable behavior.

2. Court Allows Bank to Pursue Insurer for Reimbursements Made to Hacked Depositor

A federal district court in Pennsylvania recently held that a bank's payments to a commercial deposit customer reimbursing the customer for fraudulent transfers made after a data security breach could not be excluded from coverage under the bank's insurance policy by the insurer on the basis that the payments were "voluntary" – despite the fact that the bank did not seek the insurance company's consent before making the payments. The October 6 decision on a motion for summary judgment by the insurer involved a case where a business customer of a bank was the victim of a malware attack that allowed a hacker to obtain the on-line banking credentials of an officer of the business and transfer over $3 million out of its account. The bank reimbursed the business customer for the fraudulent transfers under Article 4A of the UCC in effect under Pennsylvania law and submitted a claim to the bank's insurance company under its professional liability policy. The insurance company denied coverage on the basis that the bank breached the voluntary payments exclusion under the policy. The court held that the bank's reimbursement payments to its customer were not voluntary payments because they were compelled by Article 4A and therefore inherently involuntary. The court concluded that the payments are not subject to the voluntary payments exclusion in the policy, which will allow the bank to argue at trial that the insurance company was not prejudiced by the bank's payment prior to notifying the insurance company of the claim.

     Nutter Notes: Section 204(a) of UCC Article 4A generally requires a bank to reimburse depositors for unauthorized funds transfers to the extent that the bank is not entitled to enforce such transfers, and to pay interest on the reimbursable amount. The relevant provision of the insurance policy provided that the insurance company would not be liable for any "settlement, defense costs, assumed obligation, admitted liability, voluntary payment, or confessed or agreed damages or judgment to which [the insurer] has not consented." [Emphasis added.] The policy also prohibited the bank from voluntarily making any payment with respect to any claim covered by the policy without the insurer's written consent. The case is an important precedent for banks seeking to recoup from insurers reimbursement for payments made to depositors for fraudulent transfers resulting from data breaches or cyber-security incidents. While banks should as a general rule make every reasonable effort to give prompt notice to insurers to attempt to avoid coverage disputes arising from fraudulent transfers, state and federal data security breach notice requirements often require banks to take immediate and costly response measures that do not permit time to wait for insurers to react to claims.

3. Permissible Investments Expanded under Massachusetts Legal Investment List Law

Governor Patrick has signed into law a bill that amends the Massachusetts legal investment list law, which requires the Commissioner of Banks to annually issue a list of equity and fixed instrument investments deemed permissible for state-chartered banks and certain other regulated entities. The amendment signed by the Governor on October 9, Chapter 343 of the Acts of 2014, preserves the authority of the Commissioner to issue the annual list of legal investments, but adds authority for Massachusetts banks to invest in certain types of debt and equity securities that are separate from, and in addition to, the Commissioner's legal investment list. Permissible investments under the amended law include certain municipal and corporate notes and bonds, and the common stock, notes and bonds of banks and bank holding companies under certain circumstances. The amended law provides authority for banks to invest in all bonds, notes or other interest-bearing obligations of the United States or Massachusetts, or in obligations that are unconditionally guaranteed by the United States or Massachusetts, and bonds, notes or other interest-bearing obligations issued or unconditionally guaranteed by other states that have not materially defaulted on an obligation within the past 20 years. It also provides direct authority for investments in guaranteed obligations of Fannie Mae, any obligations of a federal home loan bank, obligations of the Export-Import Bank of the United States, and mortgage-backed securities guaranteed by Ginnie Mae or issued by Freddie Mac, among other debt securities. The amendments to the legal list law become effective on January 8, 2015.

     Nutter Notes: The amendments to the legal list law add a due diligence requirement to the expanded investment authorities. Before a bank or other regulated entity relying on the legal list law may make a permissible investment, the law requires the institution to conduct an appropriate level of due diligence to determine whether an investment is both permissible and appropriate for the institution. The amended law provides that such due diligence may include both internal and external analyses. The amended law specifically provides that, for debt instruments, such an analysis may not rely solely on a credit rating agency and the institution must determine that the instrument has both a low risk of default by the obligor and that the full and timely repayment is expected over the expected life of the investment. Investments not specifically authorized by the amended legal list law are still eligible for inclusion on the Commissioner's annual list. Banks and other regulated entities relying on the legal list law may petition the Commissioner to consider specific investments for addition to the Commissioner's annual list, such as mutual funds investing solely in legal investments, provided that such investments meet any additional criteria required by the Commissioner under the law.

4. CFPB Proposes a No-Action Letter Program

The CFPB has issued a proposal for a limited Policy on No-Action Letters that would establish a process to reduce regulatory uncertainty that may exist for certain emerging products or services by allowing CFPB staff to advise financial institutions about the permissibility of a new product or service in the planning stage. Specifically, the proposed program announced on October 10 would allow CFPB staff to send a No-Action Letter to a financial institution that advises the institution that the staff does not plan to recommend "the initiation of supervisory or enforcement action with respect to specific aspects of a particular legal requirement in connection with [the institution]'s offering or provision of a new product," as it has been described to the CFPB staff. Under the proposed program, the CFPB could modify or revoke a No-Action Letter, and limit such a letter by time, volume or in other ways. Under the proposed policy, the No-Action Letter would not be available unless the financial institution shows that the new product or service promises substantial consumer benefits. The CFPB would require a No-Action Letter applicant to demonstrate the characteristics of the proposed product or service, how it will work, and what consumer risks are involved. The applicant would need to explain the regulatory uncertainty that exists and how that uncertainty interferes with the development of the product or service. The applicant also would be required to demonstrate consumer safeguards and how consumer interests and safety will be monitored. Comments on the proposed No-Action Letter policy must be submitted to the CFPB by December 15.

     Nutter Notes: According to the CFPB, a No-Action Letter would not be a waiver of any law or regulation, and it would not give the applicant financial institution an exemption from complying with any statutory or regulatory requirement. A No-Action Letter also would not describe the CFPB's official interpretation of a statutory or regulatory requirement. A No-Action Letter would provide assurance to the applicant financial institution that, subject to certain limitations, the CFPB staff would not recommend enforcement action against the institution with respect to the statutory or regulatory requirements specified in the letter. A No-Action Letter would not provide any assurance that another federal or state regulator, or another person, could not claim that the product or service has violated statutory or regulatory requirements. The CFPB's proposal describes certain circumstances under which it may specifically refuse to grant or deny a No-Action Letter application, either with or without an explanation. Such circumstances include the applicant or its principals being the subject of ongoing governmental law enforcement investigation, supervisory review, or enforcement action with respect to the new product or service or a related or similar product or service. The CFPB said that it expects that No-Action Letters would be provided rarely and on the basis of exceptional circumstances. Under the proposal, applicants would not have a legal entitlement to no-action treatment of regulatory uncertainties.

5. Other Developments: FAIR Plan and Credit Risk Retention

  • Governor Signs FAIR Plan Legislation

Governor Patrick has signed into law a bill that will require the Massachusetts Property Insurance Underwriting Association (MPIUA), known as the Massachusetts FAIR Plan, to include liability coverage in its Non-Owner Occupied Dwelling policy for 1-to-4 family residential units. The legislation was signed by the Governor on October 9.

     Nutter Notes: Generally, a residential property owner who cannot get a Non-Owner Occupied Dwelling policy in the standard voluntary market must obtain it through the Massachusetts FAIR Plan. Until the law becomes effective, the FAIR Plan's Non-Owner Occupied Dwelling policy only covers the property and not liability, requiring the owner to obtain liability coverage separately. The law, Chapter 346 of the Acts of 2014, amends Section 1 of Chapter 175 of the General Laws of Massachusetts. The law becomes effective on January 8, 2015.

  • Federal Banking Agencies Approve Credit Risk Retention Rule

The federal banking agencies announced on October 22 that they have approved a final rule requiring sponsors of securitization transactions to retain risk in those transactions as required by the Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank Act"). The final rule will be effective one year after publication in the Federal Register for residential mortgage-backed securitizations and two years after publication for all other securitization types. Publication is expected shortly.

     Nutter Notes: The final rule generally requires sponsors of asset-backed securities ("ABS") to retain not less than 5% of the credit risk of the assets collateralizing the ABS issuance. The rule also includes prohibitions on transferring or hedging the credit risk that the sponsor is required to retain. As required by the Dodd-Frank Act, the final rule defines a "qualified residential mortgage" ("QRM") and exempts securitizations of QRMs from the risk retention requirement. The QRM definition is aligned with the CFPB's definition of a qualified mortgage.

This update is for information purposes only and should not be construed as legal advice on any specific facts or circumstances. Under the rules of the Supreme Judicial Court of Massachusetts, this material may be considered as advertising.
