On September 26, the OCC’s Committee on Bank Supervision released its bank supervision operating plan (Plan) for fiscal year 2019. The Plan outlines the agency’s supervision priorities and specifically highlights the following supervisory focus areas: (i) cybersecurity and operational resiliency; (ii) commercial and retail credit loan underwriting, concentration risk management, and the allowance for loan and lease losses; (iii) Bank Secrecy Act/anti-money laundering compliance; (iv) change management to address new regulatory requirements; and (v) internal controls and end-to-end processes necessary for product and service delivery.
The annual plan guides the development of supervisory strategies for individual national banks, federal savings associations, federal branches, federal agencies, and service providers.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes previously has covered.
On September 5, the FDIC released its summer 2018 issue of Supervisory Insights (see FIL-44-2018), which contains articles discussing bank lending to the oil and gas sector and an overview of bank credit risk grading systems. Information and analysis drawn from examiner observations are presented in the article, “Credit Risk Grading Systems: Observations from a Horizontal Assessment.” Sixteen large state nonmember banks’ credit risk grading programs are analyzed for (i) their use of expert-judgment-based systems and/or quantitative scorecards and models to assign credit grades; (ii) data usage and retention needs; and (iii) governance and risk management frameworks established by grade definitions. The article advises that “a bank’s credit risk grading system should align with the bank’s size and complexity to facilitate accurate risk identification, measurement, monitoring, and reporting,” and should include internal systems to allow for effective risk assessment, timely and accurate reporting, and procedures for safeguarding and managing assets. In addition, the issue includes an overview of recently released regulations and supervisory guidance in its Regulatory and Supervisory Roundup.
On May 24, the OCC released its Semiannual Risk Perspective for Spring 2018, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. Priorities focus on credit, operational, compliance, and interest rate risk, and while the OCC commented on the improved financial performance of banks from 2016 to early 2018, in addition to the “incremental improvement in banks’ overall risk management practices,” the agency also noted that risks previously highlighted in its Fall 2017 report have “changed only modestly.” (See previous InfoBytes coverage here.)
Specific areas of concern noted by the OCC include: (i) easing of commercial credit underwriting practices; (ii) increasing complexity and severity of cybersecurity threats; (iii) use of third-party service providers for critical operations; (iv) compliance challenges under the Bank Secrecy Act; (v) challenges in risk management involving consumer compliance regulations; and (vi) rising market interest rates, including certain risks associated with the “potential effects of rising interest rates, increasing competition for retail and commercial deposits, and post-crisis liquidity regulations for banks with total assets of $250 billion or more, on the mix and cost of deposits.” Additionally, concerns related to integrated mortgage disclosure requirements under TILA and RESPA previously considered a key risk have been downgraded to an issue to be monitored.
On May 7, FDIC Chairman, Martin J. Gruenberg, spoke at the Forum on the Use of Technology in the Business of Banking about the importance of understanding the ways in which emerging technology is positively affecting banking operations, while also recognizing associated risk management challenges. Gruenberg noted that the benefits of technology—such as reduced transaction costs, operational efficiency, payment speed improvements, and economic inclusion and access to mainstream banking—also pose challenges to financial institutions that may be amplified as new products and services are adopted. Challenges include: (i) cybersecurity risks; (ii) Bank Secrecy Act/anti-money laundering concerns; and (iii) various other consumer protection issues. Gruenberg also discussed the role of the FDIC’s Emerging Technology Steering Committee, which was established to address these issues, and its two working groups responsible for “monitoring trends, opportunities, and risks in this area, and evaluating impacts on banking, general safety and soundness, deposit insurance, financial reporting, economic inclusion, and consumer protection.” He stressed that the committee’s work will inform the agency’s “supervisory strategy for responding to opportunities and risks presented by the use of emerging technologies to supervised institutions.”
On April 27, the Financial Crimes Enforcement Network (FinCEN) issued an advisory to financial institutions concerning the Financial Action Task Force’s (FATF) updated list of jurisdictions identified as having “strategic deficiencies” in their anti-money laundering/combatting the financing of terrorism (AML/CFT) regimes. FinCEN urges financial institutions to consider this list when reviewing due diligence obligations and risk-based policies, procedures, and practices.
As further described in the Improving Global AML/CFT Compliance: On-going Process, FATF identified the following jurisdictions as having developed action plans to address AML/CFT deficiencies: Ethiopia, Iraq, Sri Lanka, Syria, Trinidad and Tobago, Tunisia, Vanuatu, and Yemen. Notably, Serbia has been added to the list for failing to effectively implement its AML/CFT framework, whereas Bosnia and Herzegovina has been removed from the list due to “significant progress in improving its AML/CFT regime . . . [and] establishing the legal and regulatory framework to meet the commitments in its action plan.” The Democratic People’s Republic of Korea and Iran remain the two jurisdictions subject to countermeasures and enhanced due diligence due to AML/CFT deficiencies.
OCC updates Comptroller’s Handbook to include recovery planning standards for large financial institutions
On April 26, the OCC released the “Recovery Planning” booklet as part of its Comptroller’s Handbook. The booklet explains the purpose of effective recovery planning and provides guidance for OCC examiners to use when assessing the “appropriateness and adequacy of [a] covered bank’s recovery planning process and the integration of that process into the covered bank’s overall risk governance framework.” According to the OCC, unless determined otherwise, a bank is subject to the Recovery Planning guidelines if the bank has average total consolidated assets of (i) $50 billion or more; (ii) less than $50 billion, if the bank was previously a covered bank; or (iii) less than $50 billion, if the OCC determines that the bank is highly complex or otherwise presents a heightened risk. Recovery plans are designed to identify triggers and options for responding to a range of “severe internal and external stress scenarios” for the purpose of timely restoring financial strength and viability, and should, among other things, include measures to reduce risk as well as strategies to develop and maintain plans specific and appropriate to the size and complexity of the covered bank. The booklet states that recovery plans “may not assume or rely on any extraordinary government support.”
On April 19, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include cease and desist orders, civil money penalty orders, and removal/prohibition orders. The consent orders described below were among those in the OCC’s list:
Cease and Desist Consent Order. On February 28, the OCC issued a consent order against a Washington-based bank for deficiencies related to its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program. Among other things, the consent order requires the bank to (i) maintain a Compliance Committee consisting of at least three board members; (ii) develop and implement an ongoing BSA/AML risk assessment program; (iii) create and implement BSA internal controls to mitigate risks; (iv) develop and implement policies and procedures for an automated suspicious activity monitoring system; (v) conduct a “Look-Back” to determine whether suspicious activity was timely identified and reported by the bank and whether additional SARs should be filed for previously unreported suspicious activity; (vi) adopt an independent third-party audit program to conduct a review of the bank’s BSA/AML compliance program; and (vii) create a comprehensive training program for appropriate bank personnel. The bank has neither admitted nor denied the findings.
Civil Money Penalty Consent Order. On March 3, the OCC issued a consent order (2018 Order) against an officer of a California-based bank for violating consent orders issued in 2010 and 2014 related to deficiencies identified in the bank’s BSA/AML rules and regulations and for violations of 12 C.F.R. § 21.21 (Procedures for Monitoring Bank Secrecy Act Compliance). According to the 2018 Order, the officer, who was responsible for overseeing the bank’s operations department, allegedly engaged in “unsafe or unsound practices”; made false statements to the OCC and advised other bank employees to corroborate the statements; and “failed to take the necessary actions to ensure that the [b]ank corrected the deficiencies. . .” The 2018 Order requires the officer to, among other things, pay a $5,000 civil money penalty, and—under the cease and desist terms—participate in BSA/AML compliance training and refrain from making any BSA/AML staffing decisions. The officer, while agreeing to the terms of the consent order, has not admitted or denied any wrongdoing.
On April 16, the National Institute of Standards and Technology (NIST) announced the release of enhancements to its cybersecurity framework guidance that critical infrastructures, including the financial services industry, should voluntarily follow to mitigate cybersecurity risk. Updates to Cybersecurity Framework Version 1.1 (Framework) incorporate comments received from public feedback, team members, and workshops held over the past two years, as well as stakeholder input on draft versions. Changes include the addition of (i) explanations to clarify that the Framework can be used to promote compliance with an organization’s own cybersecurity requirements; (ii) a cybersecurity risk self-assessment section; (iii) an expanded section addressing ways in which the Framework can be used to manage cybersecurity within the supply chain; (iv) refinements to authentication and identity processes; (v) new language explaining the “relationship between Implementation Tiers and Profiles” in regard to risk management programs; and (vi) a new subcategory on the lifecycle of vulnerability disclosure. The process by which changes are made to the Framework may be viewed on NIST’s website. NIST further notes that both first-time and current Framework users should experience minimal to no disruption when implementing the updated Framework, and are encouraged to customize the Framework “to maximize individual organizational value.”
On April 10, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement advising financial institutions to consider the role of cyber insurance as a component of their overall risk management programs in light of the increasing number of sophisticated cyber-attacks. While financial institutions are not required to have cyber insurance, the FFIEC stated that it can be an effective tool to help mitigate risk. However, the FFIEC emphasized that cyber insurance does not diminish the need for a sound control environment; rather, it “may be a component of a broader risk management strategy that includes identifying, measuring, mitigating and monitoring cyber risk exposure.” Additionally, cyber insurance may offset financial losses resulting from data breaches that may not be covered by traditional insurance policies. Considerations for financial institutions assessing the costs and benefits of adding cyber insurance include: (i) involving multiple stakeholders in the decision; (ii) conducting proper due diligence to understand coverage and identify any gaps; and (iii) reviewing cyber insurance as part of a financial institution’s annual insurance review and budgeting process.
On March 9, the Financial Stability Board (FSB) announced the release of its Supplementary Guidance to the FSB Principles and Standards on Sound Compensation Practices (Supplementary Guidance) relating to FSB’s Principles and Standards published in 2009. The Supplementary Guidance arises out of a 2015 workplan implemented to address concerns about compensation practices that could create misaligned incentives within financial institutions. The Supplementary Guidance, which does not contain new or additional principles and standards, provides recommendations presented in three parts: (i) “governance of compensation and misconduct risk”; (ii) “effective alignment of compensation with misconduct risk”; and (iii) “supervision of compensation and misconduct risk.” The Supplementary Guidance notes that “inappropriately structured compensation arrangements can provide individuals with incentives to take imprudent risks,” which may lead to potential harm for financial institutions and their customers or stakeholders. The Supplementary Guidance suggests that financial institutions use compensation tools as part of an overall strategy to limit risks and address misconduct, and cautions that “compensation should be adjusted for all types of risk.”