On October 20, 2020, a consortium of U.S. federal financial regulators (Regulators) issued a proposed rule (Proposed Rule) that, if enacted, would codify that mere supervisory guidance that is not the product of notice and comment rulemaking—e.g., interagency statements, advisories, bulletins, policy statements, and FAQs—does not have the force of law. The Proposed Rule would further clarify that the Regulators will not take enforcement actions (including less draconian supervisory actions, like issuing “matters requiring attention”) based on violations of, or non-compliance with, such guidance.
The subject of the Proposed Rule has surfaced before. In particular, the Regulators issued guidance in 2018 (2018 Guidance) seeking to clarify this same principle—that supervisory guidance does not have the force of law. In a twist of irony, though, because the 2018 Guidance was just that—guidance—the Regulators are following the Trump Administration’s general “de-regulatory” agenda by seeking to “hard code” this principle into law through notice and comment rulemaking.
In the outsourcing and vendor contracting space, many of the “requirements” with which U.S. regulated financial institutions are familiar (consider, for example, the FFIEC’s various IT Booklets) are often the result of this supervisory guidance, rather than regulatory requirements made through notice and comment rulemaking. Accordingly, if enacted, the Proposed Rule should essentially loosen the screws on such guidance, leaving regulated financial institutions with potentially more room to employ risk-based calculations in structuring their vendor contracting and procurement operations.
With that said, even if the Proposed Rule is enacted, all that supervisory guidance does not suddenly fly out the window.
Significantly, the Proposed Rule clarifies that supervisory guidance still provides examples of practices that the Regulators do deem to be compliant, as well as the Regulators’ “supervisory expectations or priorities and … general views regarding appropriate practices for a given subject area.” The Proposed Rule further states that in some situations, the Regulators may even reference supervisory guidance in writing to provide examples of compliant practices (e.g., in the context of an examination).
While the Proposed Rule notes that the Regulators may still use guidance as examples of compliant practices, it does not address whether a financial institution may rely on such guidance as a safe harbor from enforcement. It also remains to be seen how the Regulators will affirmatively address a financial institution’s observed lack of compliance with supervisory guidance. Query if the Regulators may still seek to leverage such instances of non-compliance as factual evidence to support alleged violations of other, hard-coded legal obligations. This may especially be the case, as many of the laws and regulations under which financial institutions have binding legal obligations are open-ended, and necessarily require detailed “filling in the blanks” from a factual standpoint. See, e.g., the Gramm-Leach-Bliley Act’s general requirement that financial institutions employ administrative, technical, and physical safeguards to protect consumer information—a law that has launched 1,000 proverbial ships (and even some formal rulemaking) as financial institutions have tried to ascertain what, exactly, this open-ended requirement demands.
The comment period for the Proposed Rule will be open for 60 days from when the Proposed Rule is published in the Federal Register. (We anticipate that should be any day now.) The Regulators have asked for feedback on the Proposed Rule, generally, including whether they should expressly state that a particular issuance is mere supervisory guidance, and to what extent they should even cite supervisory guidance in demonstrating what compliant practices look like. As it will be much more difficult to influence these issues once an official rule is codified, regulated financial institutions should carefully review the Proposed Rule and submit their comments during the comment period.
The Regulators include the Office of the Comptroller of the Currency (OCC), the Federal Reserve System (FRS), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Association (NCUA), and the Bureau of Consumer Financial Protection (CFPB).
See, e.g., the Interagency Guidelines Establishing Standards for Safety and Soundness (12 CFR part 30, Appendix A and 12 CFR part 208, Appendix D-1). The Regulators state in the preamble to the Proposed Rule that such Interagency Guidelines may be the basis for enforcement actions, as they were the product of notice and comment rulemaking.