Skip to main content
Menu Icon Menu Icon

InfoBytes Blog

Financial Services Law Insights and Observations
Section Content

Upcoming Events


Subscribe to our InfoBytes Blog weekly newsletter for news affecting the financial services industry.

  • OCC to Host Operational Risk Workshop, Will Hold Innovation "Office Hours"

    Agency Rule-Making & Guidance

    On July 25, the OCC will host an operational risk workshop in Charleston, WV for directors of national community banks and federal savings associations supervised by the OCC. The workshop will focus on the key components of operational risk, governance, third-party risk, vendor management, and cybersecurity.

    Additionally, on July 24 through the 26, the OCC’s Office of Innovation will hold “Office Hours” in New York City for national banks, federal savings associations, and fintech companies to provide an opportunity for attendees to discuss matters related to financial technology, new products and services, bank or fintech partnerships, as well as other items related to financial innovation. Meeting requests are due by July 5 and may be submitted here.

    Agency Rulemaking & Guidance OCC Risk Management Vendor Management Privacy/Cyber Risk & Data Security

    Share page with AddThis
  • OCC, Fed Supervisory Guidance on Model Risk Management Followed by FDIC

    Agency Rule-Making & Guidance

    On June 7, the FDIC issued Financial Institution Letter FIL-22-2017 announcing that, in order to provide consistency across institutions and agencies, it is adopting the 2011 model risk management supervisory guidance that was issued by the Federal Reserve (SR 11-7 ) and the OCC (OCC Bulletin 2011-12) thereby making the guidance applicable to certain FDIC-supervised institutions, namely those with $1 billion or more in total assets. The FDIC guidance defines the term “model” as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.” The FDIC indicated that banks’ heavy reliance on models in financial decision-making can come with costs, especially when the decisions are “based on models that are incorrect or misused.”

    According to the FIL, the guidance contains “technical conforming changes” that make it relevant to institutions that are regulated by the FDIC, such as a “revised definition of 'banks' to reflect the FDIC's supervisory authority.”

    Among other things, the FIL highlights that an effective model risk management framework should include the following:

    • “disciplined and knowledgeable development that is well documented and conceptually sound”;
    • “controls to ensure proper implementation”;
    • “processes to ensure correct and appropriate use”;
    • “effective validation processes”; and
    • “strong governance, policies, and controls.”

    For institutions with assets totaling less than $1 billion, the guidance will only apply in certain circumstances, such as when “the institution's model use is significant, complex, or poses elevated risk to the institution.”

    Agency Rulemaking & Guidance FDIC Risk Management OCC Federal Reserve Bank Supervision

    Share page with AddThis
  • OCC Supplement Answers Frequently Asked Questions Covering Third-Party Relationships: Risk Management Guidance

    Agency Rule-Making & Guidance

    On June 7, the OCC released Bulletin 2017-21, which provides answers to frequently asked questions from national banks and federal saving associations concerning third-party procedure guidance. The Bulletin, issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” released October 30, 2013, highlights the OCC’s responses to the following topics:

    • defines third-party relationships and provides guidance on conducting due diligence and ongoing monitoring of service providers;
    • provides insight on how to adjust risk management practices specific to each relationship;
    • discusses ways to structure third-party risk management processes;
    • discusses advantages and disadvantages to collaboration between multiple banks when managing third-party relationships;
    • outlines bank-specific requirements when using collaborative arrangements;
    • provides information-sharing forums that offer resources to help banks monitor cyber threats;
    • discusses how to determine whether a fintech relationships is a “critical activity” and covers risks associated with engaging a start-up fintech company;
    • addresses ways in which banks and fintech companies can partner together to serve underbanked populations;
    • covers criteria to consider when entering into a marketplace lending arrangement with a nonbank entity;
    • clarifies whether OCC Bulletin 2013-29 applies when a bank engages a third-party to provide mobile payments options to consumers;
    • outlines the OCC’s compliance management requirements;
    • discusses banks’ rights to access interagency technology service provider reports; and
    • answers whether a bank can rely on the accuracy of a third-party’s risk management report.

    As previously covered in InfoBytes, the OCC released a supplement (Bulletin 2017-7) to Bulletin 2013-29 in January of this year identifying steps prudential bank examiners should take when assessing banks’ third-party relationship risks.

    Agency Rulemaking & Guidance OCC Vendor Management Risk Management Marketplace Lending Fintech Prudential Regulators

    Share page with AddThis
  • OCC to Host Workshops for Community Bank Directors in June

    Agency Rule-Making & Guidance

    On June 20 and 21, the OCC will be hosting two workshops in Nashville for directors of national community banks and federal savings associations supervised by the OCC. The June 20 “Credit Risk” workshop will focus on ways to identify trends and recognize problems within a loan portfolio. In addition, the workshop will discuss board and management roles, how to stay informed of changes in credit risk, and how to effect change. The June 21 “Operational Risk” workshop will focus on the key components of operational risk, and also cover governance, third-party risk, vendor management, and cybersecurity.

    Additionally, from June 26 to 28, the OCC will be hosting a “Building Blocks for Directors” workshop in Atlanta for directors, senior management team members, and other key executives of national community banks and federal savings associations supervised by the OCC. The workshop will: (i) focus on the duties and core responsibilities of directors and management; (ii) discuss major laws and regulations; and (ii) provide insight on the examination process.

    Agency Rulemaking & Guidance OCC Risk Management Vendor Management

    Share page with AddThis
  • OCC Updates Comptroller’s Handbook, Issues New Guidance for Evaluating Retail Lending Risk Management

    Agency Rule-Making & Guidance

    On April 12, the OCC issued Bulletin OCC 2017-15 announcing its new booklet, “Retail Lending,” which discusses retail lending risks and measures for evaluating retail credit risk management activities. The booklet, part of the Comptroller’s Handbook, applies to “examinations of all institutions engaged in retail lending” and supplements the following core assessment sections: “Large Bank Supervision,” “Community Bank Supervision,” and “Federal Branches and Agency Supervision.” According to the Bulletin, Examiners should reference this booklet when review beyond the core assessment is appropriate because the specific products, services, or activities “have a material impact on the risk profile and financial condition” of banks. The new booklet describes (i) “characteristics of an effective retail credit risk management framework”; (ii) “criteria examiners should consider when evaluating retail credit originations, account management, collections, and portfolio management activities and processes”; and (iii) “objectives of control functions commonly used in a retail lending business to measure performance, make decisions about risk, and assess the effectiveness of processes and personnel.”

    Agency Rulemaking & Guidance OCC Risk Management

    Share page with AddThis
  • Bank Holding Company and Nonbank Auto Lender Subsidiary Sign New Written Agreement with Boston Fed

    Consumer Finance

    On March 21, the Federal Reserve Bank of Boston (Boston Fed) and a national bank holding company and its nonbank subsidiary (a Dallas-based auto lender) entered into a Written Agreement to address concerns related to their July 2015 Written Agreement, which required a detailed description of the holding company’s efforts to strengthen board oversight specifically with regard to committees, executive positions, and lines of reporting (see July 2015 InfoBytes summary). The 2017 Written Agreement is a result of deficiencies identified by the Boston Fed in the subsidiary’s compliance risk management program. The terms of the current Written Agreement require, among other things, the board of directors of the subsidiary to submit a revised compliance risk management plan addressing, among others: (i) comprehensive compliance risk assessments to identify “risks associated with applicable consumer compliance laws”; (ii) enhanced written policies and procedures to address risks arising from noncompliance; and (iii) a revised code of conduct for employees that outlines rules governing compliance and reporting processes for known or suspected violations of consumer compliance laws, regulations, and supervisory guidance. Furthermore, the company must submit written revisions to its firmwide internal audit program with respect to auditing its revised compliance risk management program.

    Consumer Finance Bank Compliance Compliance Federal Reserve Risk Management

    Share page with AddThis
  • OCC to Host Workshops for Community Bank Directors in April

    Agency Rule-Making & Guidance

    On April 25 and 26, the OCC will be hosting two workshops for directors of national community banks and federal savings associations supervised by the OCC. The April 25 workshop will cover “Risk Governance,” including both practical information to help directors effectively measure and manage risks, and insight into the OCC’s approach to risk-based supervision and major risks in the financial industry. The April 26 workshop will focus specifically on credit risk within a loan portfolio, including how to stay informed of changes in credit risk, identifying trends, recognizing problems, the roles of the board and management, and how to effect change.

    Agency Rulemaking & Guidance OCC Risk Management

    Share page with AddThis
  • FDIC Releases Winter 2016 “Supervisory Insights”


    On March 7, the FDIC released its Winter 2016 Supervisory Insights, which contains articles discussing credit risk trends and balance sheet growth, emphasizes the importance of strong risk management practices, and provides a roundup of recently released regulatory and supervisory guidance. Doreen Eberley, Director of the FDIC’s Division of Risk Management Supervision, stated in the release that “[h]istorically, financial institutions that have prudently managed loan growth have been better positioned to withstand periods of stress and continue to serve the credit needs of their local communities.” Her statement goes on to “encourage bankers to identify and correct loan underwriting and administration problems before they adversely affect the bottom line.” The Supervisory Insights note that nearly 80 percent of insured institutions grew their loan portfolios during the third quarter of 2016, which is “a figure not far from the peak of nearly 83 percent of institutions that grew their portfolios in 2005.” While this edition focused primarily on lending in the following sectors—commercial real estate, agriculture, and oil and gas—it also stressed the need for managing loan concentrations through strong, forward-looking risk management practices that allow for early intervention.

    Lending FDIC Risk Management

    Share page with AddThis
  • BAFT Issues Comments on Proposed AML/CFT Guidance Revisions

    Financial Crimes

    On February 22, the Bankers Association for Finance and Trade (BAFT), an international financial services association for organizations engaged in international transaction banking, together with the Institute of International Finance (IIF) issued a letter to the Basel Committee on Banking Supervision (BCBS) with comments on BCBS’ proposed revisions to its risk management guidance related to anti-money laundering and counter-terrorism financing. In the letter, BAFT and IFF note that, while both associations are “particularly pleased with [BCBS’] recognition that not all correspondent banking relationships bear the same level of risk and [BCBS’] acknowledgment of the difference between inherent and residual risk,” they do summarize several areas where enhancements would assist with the “general usefulness” of the final guidance:

    • BCBS should “design guidance that explicitly permits a correspondent bank to rely upon appropriate utilities for the vast majority of cases rather than simply permitting a correspondent bank to use a utility as another source of information supporting the due diligence process” with the purpose of “establishing international standards or sound practices for such utilities to create greater assurance of achieving official ALM/CFT goals.”
    • BCBS should adopt “regulatory practices [that] include standards for ‘verification’ that national authorities could administer or supervise.”

    The “[s]tandardization of information requirements (or templates) for utilities could also be extended to include [the] international standardization of basic due diligence information and ‘enhanced due diligence’ information for higher-risk relationships.” A “basic standardization would give both parties a ground of expectations to build upon in making judgments about how to do business. It could [also] eliminate a degree of unnecessary duplication of effort and costs.”

    Financial Crimes Agency Rulemaking & Guidance International BAFT BCBS IIF Risk Management Anti-Money Laundering Combating the Financing of Terrorism

    Share page with AddThis
  • OCC Supplements Exam Procedures Covering Third-Party Relationships: Risk Management Guidance

    Federal Issues

    On January 24, the OCC released Bulletin 2017-7 advising national banks, federal savings associations and technology service providers of examination procedures issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013. As previously summarized in BuckleySandler’s Special Alert, Bulletin 2013-29 requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, and warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” Bulletin 2013-29 outlined a “life cycle” approach and provided detailed descriptions of steps that a bank should consider taking at five important stages of third-party relationships: (i) planning; (ii) due diligence and third party selection; (iii) contract negotiation; (iv) ongoing monitoring; and (v) termination. Following the OCC's issuance of Bulletin 2013-29, the Federal Reserve Board, on December 5, 2013, issued Supervision and Regulation Letter 13-19, which details and attaches the Fed’s Guidance on Managing Outsourcing Risk (SR 13-19). The FRB Guidance is substantially similar to Bulletin 2013-29.

    Bulletin 2017-7 outlines procedures designed to help prudential bank examiners: (i) tailor supervisory examinations of each bank commensurate with the level of risk and complexity of the bank’s third-party relationships; (ii) assess the quantity of the bank’s risk associated with its third-party relationships; (iii) assess the quality of the bank’s risk management of third-party relationships involving critical activities; and (iv) determine whether there is an effective risk management process throughout the life cycle of the third-party relationship. Consistent with the life cycle approach established in Bulletin 2013-29, the examination procedures identify steps examiners should take in requesting information relevant to assessing the banks’ third-party relationship risk management relative to each phase of the life cycle.

    For additional background, please see our Spotlight Series: Vendor Management in 2015 and Beyond.

    Federal Issues Banking Federal Reserve OCC Risk Management Vendor Management

    Share page with AddThis