Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On December 7, the Federal Reserve Board, the FDIC, and the OCC issued guidance regarding the HMDA key data fields that Federal Reserve examiners use to evaluate the accuracy of HMDA data collected since January 1 pursuant to the CFPB’s October 2015 and August 2017 amendments and the May 2018 Economic Growth, Regulatory Relief, and Consumer Protection Act (the Act) exemptions (all of which have been previously covered by InfoBytes here, here, and here).
The guidance cites to the October 2017 list of 37 key data fields identified by the agencies and notes that “[o]nce examiners have selected a random sample of entries from an institution’s HMDA Loan Application Register (HMDA LAR) and have received the corresponding loan files, they would verify the accuracy of the applicable HMDA key data fields in the entries in the HMDA LAR sample(s) against information in the loan files.” Additionally, for institutions eligible for the partial exemption granted by the Act, and covered by the Bureau’s August interpretive and procedural rule (InfoBytes coverage here), the guidance notes that these institutions are responsible for collecting, recording, and reporting only 21 of the 37 designated HMDA key data fields, as the exemption covers the other 16 fields.
The Federal Financial Institutions Examination Council members are currently developing a set of revised interagency HMDA examination procedures regarding HMDA requirements relating to data collected from January 1, 2018 onward.
On November 27, the Federal Financial Institutions Examination Council (FFIEC) issued the second update on the status of its Examination Modernization Project. The project’s objective is to identify and assess measures to improve the community bank safety and soundness examination process, pursuant to the Economic Growth and Regulatory Paperwork Reduction Act’s review of regulations. As previously covered by InfoBytes, in March, the FFIEC released the first update, which identified four areas with potential for the most “meaningful supervisory burden reduction.” The second update focuses on tailoring examination plans and procedures based on risk in order to reduce burden. Specifically, after a review of risk-based procedures and processes, the Federal Reserve Board, the FDIC, the NCUA, the OCC, and the State Liaison Committee have committed to issue reinforcing and clarifying examiner guidance to their examination staffs on risk-focused examination principles for community financial institutions, if necessary. The guidance covers, among other things, the following practices (i) consideration of the unique risk profile, complexity, and business model of the institution when developing the exam plan; (ii) tailoring of the document request list based on the financial institution’s business model, complexity, risk profile and planned scope of review; and (iii) applying examination procedures in a way that reduces the level of review of low risk institutions or low risk areas.
The FFIEC noted it may take further action to improve the examination process as the project progresses.
On November 5, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement alerting financial institutions to the potential impact that the U.S. Treasury Department’s Office of Foreign Assets Control’s (OFAC) recent actions under its Cyber-Related Sanctions Program may have on financial institutions’ risk management programs. OFAC implemented the Cyber-Related Sanctions Program in response to Executive Order 13694 to address individuals and entities that threaten national security, foreign policy, and the economy of the U.S. by malicious cyber-enabled activities. FFIEC’s press release announcing the joint statement references OFAC’s June action against five Russian entities and three Russian individuals who, through “malign and destabilizing cyber activities,” provided material and technological support to Russia’s Federal Security Service (previously covered by InfoBytes here), noting that these entities may offer services to financial institutions operating in the U.S.
The joint statement reminds financial institutions to ensure that their compliance and risk management processes address possible interactions with an OFAC sanctioned entity. The statement notes that continued use of products or services from a sanctioned entity may cause the financial institution to violate the OFAC sanctions. Additionally, use of software or technical services from a sanctioned entity may increase a financial institution’s cybersecurity risk. The statement encourages financial institutions to take appropriate corrective action, as well as to ensure their third-party service providers comply with OFAC’s requirements.
The OCC also released Bulletin 2018-40, which corresponds with the FFIEC’s joint statement.
On October 25, the FDIC published a proposed rule in the Federal Register to rescind the annual disclosure requirement applicable to all state nonmember banks and insured state-licensed branches of foreign banks (collectively, “banks”). Specifically, the FDIC is proposing to eliminate 12 CFR Part 350, which, in general, required banks to prepare annual disclosure statements consisting of (i) required financial data comparable to specified schedules in the Call Reports filed for the previous two years; (ii) information that the FDIC may request, such as enforcement actions; and (iii) other information the bank chooses to disclose. According to the proposal, the FDIC has determined that the regulation is “outdated and no longer necessary,” because, with widespread access to the internet, information about the financial condition and performance of individual banks is now “reliably and directly offered to the public through the FDIC’s and the Federal Financial Institutions Examination Council’s (FFIEC) websites” in the form of Call Reports and Uniform Bank Performance Reports. This eliminates the need for the annual disclosure statement requirements. Similar disclosure requirements have already been rescinded in recent years by the Federal Reserve Board and OCC. Comments on the proposed rule must be received by November 26.
On October 18, the Federal Financial Institutions Examination Council (FFIEC) released a newly updated Bank Secrecy Act/Anti-Money Laundering (BSA/AML) InfoBase website, which provides examiners and financial institutions access to BSA/AML examination procedures and resources, including the BSA/AML Examination Manual. According to the FFIEC, the InfoBase will “provide just-in-time training for new regulations and for other topics of specific concern to examiners within the FFIEC's member agencies.”
On July 26, the Federal Reserve Board released its inaugural Consumer Compliance Supervision Bulletin (Bulletin) to share information about the agency’s supervisory observations and other noteworthy developments related to consumer protection, and provide practical steps for banking organizations to consider when addressing consumer compliance risk. The first Bulletin focuses on fair lending issues related to the practice of redlining and outlines key risk factors the Fed considers in its review, such as (i) whether a bank’s Community Reinvestment Act (CRA) assessment areas inappropriately exclude minority census tracts; (ii) whether a bank’s Home Mortgage Disclosure Act or CRA lending data show “statistically significant disparities in majority minority census tracts when compared with similar lenders”; or (iii) whether the bank’s branches, loan production offices, or marketing strategies appear to exclude majority minority census tracts. Practical steps for mitigating redlining risk are also provided. The Bulletin also discusses fair lending risk related to mortgage pricing discrimination against minority borrowers, small dollar loan pricing that discriminates against minorities and women, disability discrimination, and maternity leave discrimination.
The Bulletin additionally addresses unfair or deceptive acts or practices risks related to overdrafts, misrepresentations made by loan officers, and the marketing of student financial products and services. The Bulletin also highlights regulatory and policy developments related to the Federal Financial Institutions Examination Council’s updated Uniform Interagency Consumer Compliance Rating System along with recent changes to the Military Lending Act.
Federal banking agencies release policy statement on interagency notification of enforcement actions
On June 12, the OCC, Federal Reserve, and FDIC (collectively, “Federal Banking Agencies” or “FBAs”) published in the Federal Register a policy statement on interagency notification of formal enforcement actions to assure ongoing coordination after the Federal Financial Institutions Examination Council rescinded its 1997 revised policy statement on “Interagency Coordination of Formal Corrective Action by the Federal Bank Regulatory Agencies.” According to the new policy statement, when making a determination to bring a formal enforcement action, an FBA should evaluate whether a potential enforcement action involves the interests of another FBA and if so, should notify the agency prior to notifying the financial institution about the pending action. The notice to the FBA should contain enough information for the agency to take necessary action to examine or investigate the financial institution. The statement clarifies that the policy is not intended to substitute or replace the informal communication that routinely occurs between FBAs in advance of an enforcement action.
On May 11, the Federal Financial Institutions Examination Council released updated examination procedures for the Financial Crimes Enforcement Network's (FinCEN) final rule, “Customer Due Diligence Requirements for Financial Institutions” (CDD rule). Compliance with the CDD rule became mandatory on May 11. The updated customer due diligence exam procedures were developed in close collaboration with FinCEN and replace those in the current Bank Secrecy Act/Anti-Money Laundering Examination Manual. Additionally, a new set of exam procedures address the CDD rule’s beneficial ownership requirements.
According to an OCC bulletin released the same day, the examination procedures reflect federal and state banking agencies’ “ongoing commitment to examine financial institutions for compliance with the Bank Secrecy Act . . . in accordance with uniform standards and principles.”
See here for continuing InfoBytes coverage of the CDD rule.
FFIEC releases 2017 HMDA data; CFPB releases new annual report on mortgage market activity and trends
On May 7, the Federal Financial Institutions Examinations Council released the 2017 Home Mortgage Disclosure Act (HMDA) data on mortgage lending transactions covering information submitted by financial institutions on or before April 18. The data will not remain static, but instead will be updated on an on-going basis to reflect late submissions and resubmissions. The data currently include information on 14.1 million actions: 12.1 million home loan applications, 7.3 million of which resulted in loan originations, and 2.1 million in purchased loans. Observations from the CFPB on the data include: (i) total number of originated loans decreased by 12.4 percent; home-purchase lending increased by 4 percent; (ii) nondepository, independent mortgage companies accounted for 56.1 percent of first-lien owner-occupied home purchase loans (up from 53.3 percent in 2016); and (iii) the share of refinance loans to low- and moderate-income borrowers increased from 16.9 percent to 22.9 percent.
On the same day, the CFPB also released its first annual series of data points describing mortgage market activity based on data reported under HMDA. The report summarizes the 2017 HMDA data and recent trends in the mortgage market.
On April 10, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement advising financial institutions to consider the role of cyber insurance as a component of their overall risk management programs in light of the increasing number of sophisticated cyber-attacks. While financial institutions are not required to have cyber insurance, the FFIEC stated that it can be an effective tool to help mitigate risk. However, the FFIEC emphasized that cyber insurance does not diminish the need for a sound control environment; rather, it “may be a component of a broader risk management strategy that includes identifying, measuring, mitigating and monitoring cyber risk exposure.” Additionally, cyber insurance may offset financial losses resulting from data breaches that may not be covered by traditional insurance policies. Considerations for financial institutions assessing the costs and benefits of adding cyber insurance include: (i) involving multiple stakeholders in the decision, (ii) conducting proper due diligence to understand coverage and identify any gaps; and (iii) reviewing cyber insurance as part of a financial institution’s annual insurance review and budgeting process.
- Jonice Gray Tucker to discuss "Trends in regulatory enforcement" at the American Bar Association Banking Law Committee Meeting
- Jessica L. Pollet to discuss "Your career is impacting your life..." at the Ark Group Women Legal Conference
- Jon David D. Langlois to discuss "Successors in interest updates" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo
- Brandy A. Hood to discuss "Keeping your head above water in flood insurance compliance" at the Mortgage Bankers Association National Mortgage Servicing Conference & Expo