1: ISO 20022
For wire transactions, community banks need to be ready for the Federal Reserve Banks’ transition to the ISO 20022 message format for the Fedwire Funds Service by March 10. ISO 20022 is a harmonized set of extensible markup language (XML) messaging standards across major financial services domains—securities, trade, card and foreign exchange—based on a shared data dictionary and business process model.
For international wires, the Society for Worldwide Interbank Financial Telecommunication (SWIFT) will be converting to ISO 20022 in November. FedNow and The Clearing House’s RTP use this message format.
“[ISO 20022’s adoption is] going to lead to more interoperability because everyone’s using the same fields for the same information,” says Kari Mitchum, ICBA’s vice president of payments policy. “The data is also more robust, so if there’s ever a problem with the payment or if it’s found to be fraudulent, then there are more ways to identify and track it down.”
The Fed provides a reference guide for implementing the standard. Banks should also engage with their technology providers and any other relevant third parties to ensure their software updates will accommodate these changes, Mitchum says.
Also by March 10, banks will need to use the ISO 20022 message format when wiring federal tax payments to the Internal Revenue Service on behalf of customers, she says. The instructions are included in the Treasury Department’s Electronic Federal Tax Payment System Financial Institution Handbook.
“This is not for consumers using the IRS’s self-service online tool for ACH payments,” Mitchum says. “I’m expecting this to be for larger corporations that give their banks wire instructions to pay their corporate taxes to the IRS, or any other entity that wires tax payments.”
2: FFIEC’s CAT
The Federal Financial Institutions Examination Council will be sunsetting its Cybersecurity Assessment Tool (CAT) on Aug. 31. Banks will instead refer to more updated tools.
“There are a lot of other assessment tools out there to measure your cybersecurity risk and your thresholds,” Mitchum says, “and it’s up to each bank to determine which tool would be best depending on their risk exposures.”
3: CFPB’s Section 1071 rule
While legal challenges against the Consumer Financial Protection Bureau in regards to the Dodd-Frank Section 1071 small business data collection rule are still going forward, banks should still familiarize themselves with this entirely new set of regulations, says Mickey Marshall, ICBA assistant vice president and regulatory counsel.
“Banks should begin to work with their cores and other technology providers to try to figure out technologically how they’re going to solve for the new data collection and reporting requirements,” Marshall says.
Indeed, that will be a focus in early 2025 for the compliance team at Western State Bank in Devils Lake, N.D., says Kelan Oster, vice president and senior compliance officer.
Under the CFPB’s new rules, the $2.2 billion-asset community bank is considered a Tier 1 institution with high small business loan volume and therefore must comply by July 18—the first group that must comply, Oster says.
When preparing for the new rule based on your bank’s tier level, it’s critical to get “the right people at the table,” Oster says. “Those of us that are HMDA reporters already know that every data point has opportunity for different interpretation based on different types of loans or different situations—and Section 1071 is going to be no different. So, we need to be very careful to make sure that we’re talking through each one of those points with the appropriate team members.”
Oster adds that whoever is charged with compiling a bank’s small business loan data needs to be “on the same page” when interpreting what the bank should do in each situation and for each loan type.
34 CRA modernization
In February 2024, ICBA and other groups filed a lawsuit against the federal banking regulators for exceeding their statutory authority with the Community Reinvestment Act final rule.
Among other issues, the complaint contends the rule evaluates bank lending well beyond banks’ deposit-taking footprint, as required by CRA. The final rules will evaluate bank lending across the entire country, eliminating the statutory focus on a bank’s lending in its “local community.”
“We’re optimistic that our challenge has merit and that we’re going to prevail. At the same time banks should remember that the CRA rule hasn’t been substantively updated since 1995,” Marshall says. “It’s highly likely that there will be some form of CRA modernization going forward.”
The regulators will likely want to take a more quantitative approach to the CRA, so bankers should familiarize themselves with some of the quantitative aspects of the new rule to better prepare for eventual compliance “once the dust settles,” Marshall says.
Western State Bank’s Oster agrees. While the new CRA rules are currently on hold, the “spirit” of what examiners are trying to do with the new rule is not. “We’re still working on trying to find ways to fine-tune our program,” he says, “making sure that we’re a little more intentional about the things we do, the decisions we make, and that we’re evidencing that we’re serving our community in the way we want to.”