InfoBytes Blog

Financial Services Law Insights and Observations

  • OCC highlights key risks affecting the federal banking system in spring 2018 semiannual risk report

    Federal Issues

    On May 24, the OCC released its Semiannual Risk Perspective for Spring 2018, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. Priorities focus on credit, operational, compliance, and interest risk, and while the OCC commented on the improved financial performance of banks from 2016 to early 2018, in addition to the “incremental improvement in banks’ overall risk management practices,” the agency also noted that risks previously highlighted in its Fall 2017 report have “changed only modestly.” (See previous InfoBytes coverage here.)

    Specific areas of concern noted by the OCC include: (i) easing of commercial credit underwriting practices; (ii) increasing complexity and severity of cybersecurity threats; (iii) use of third-party service providers for critical operations; (iv) compliance challenges under the Bank Secrecy Act; (v) challenges in risk management involving consumer compliance regulations; and (vi) rising market interest rates, including certain risks associated with the “potential effects of rising interest rates, increasing competition for retail and commercial deposits, and post-crisis liquidity regulations for banks with total assets of $250 billion or more, on the mix and cost of deposits.” Additionally, concerns related to integrated mortgage disclosure requirements under TILA and RESPA previously considered a key risk have been downgraded to an issue to be monitored.

    Federal Issues Agency Rule-Making & Guidance OCC Risk Management Bank Regulatory Third-Party Bank Secrecy Act Anti-Money Laundering TILA RESPA Privacy/Cyber Risk & Data Security Vendor Management

  • FDIC Chairman delivers remarks on the impact of technology in the business of banking

    Fintech

    On May 7, FDIC Chairman Martin J. Gruenberg spoke at the Forum on the Use of Technology in the Business of Banking about the importance of understanding the ways in which emerging technology is positively affecting banking operations, while also recognizing associated risk management challenges. Gruenberg noted that the benefits of technology—such as reduced transaction costs, operational efficiency, payment speed improvements, and economic inclusion and access to mainstream banking—also pose challenges to financial institutions that may be amplified as new products and services are adopted. Challenges include: (i) cybersecurity risks; (ii) Bank Secrecy Act/anti-money laundering concerns; and (iii) various other consumer protection issues. Gruenberg also discussed the role of the FDIC’s Emerging Technology Steering Committee, which was established to address these issues, and its two working groups responsible for “monitoring trends, opportunities, and risks in this area, and evaluating impacts on banking, general safety and soundness, deposit insurance, financial reporting, economic inclusion, and consumer protection.” He stressed that the committee’s work will inform the agency’s “supervisory strategy for responding to opportunities and risks presented by the use of emerging technologies to supervised institutions.”

    Fintech FDIC Consumer Finance Risk Management

  • FinCEN updates FATF-identified jurisdictions with AML/CFT deficiencies

    Financial Crimes

    On April 27, the Financial Crimes Enforcement Network (FinCEN) issued an advisory to financial institutions concerning the Financial Action Task Force’s (FATF) updated list of jurisdictions identified as having “strategic deficiencies” in their anti-money laundering/combatting the financing of terrorism (AML/CFT) regimes. FinCEN urges financial institutions to consider this list when reviewing due diligence obligations and risk-based policies, procedures, and practices. 

    As further described in the Improving Global AML/CFT Compliance: On-going Process, FATF identified the following jurisdictions as having developed action plans to address AML/CFT deficiencies: Ethiopia, Iraq, Sri Lanka, Syria, Trinidad and Tobago, Tunisia, Vanuatu, and Yemen. Notably, Serbia has been added to the list for failing to effectively implement its AML/CFT framework, whereas Bosnia and Herzegovina has been removed from the list due to “significant progress in improving its AML/CFT regime . . . [and] establishing the legal and regulatory framework to meet the commitments in its action plan.” The Democratic People’s Republic of Korea and Iran remain the two jurisdictions subject to countermeasures and enhanced due diligence due to AML/CFT deficiencies.

    Financial Crimes FinCEN FATF Anti-Money Laundering Combating the Financing of Terrorism Risk Management

  • OCC updates Comptroller’s Handbook to include recovery planning standards for large financial institutions

    Agency Rule-Making & Guidance

    On April 26, the OCC released the “Recovery Planning” booklet as part of its Comptroller’s Handbook. The booklet explains the purpose of effective recovery planning and provides guidance for OCC examiners to use when assessing the “appropriateness and adequacy of [a] covered bank’s recovery planning process and the integration of that process into the covered bank’s overall risk governance framework.” According to the OCC, unless determined otherwise, a bank is subject to the Recovery Planning guidelines if the bank has average total consolidated assets of (i) $50 billion or more; (ii) less than $50 billion, if the bank was previously a covered bank; or (iii) less than $50 billion, if the OCC determines that the bank is highly complex or otherwise presents a heightened risk. Recovery plans are designed to identify triggers and options for responding to a range of “severe internal and external stress scenarios” for the purpose of timely restoring financial strength and viability, and should, among other things, include measures to reduce risk as well as strategies to develop and maintain plans specific and appropriate to the size and complexity of the covered bank. The booklet states that recovery plans “may not assume or rely on any extraordinary government support.”

    Agency Rule-Making & Guidance OCC Comptroller's Handbook Risk Management

  • OCC announces enforcement actions targeting BSA/AML compliance deficiencies

    Federal Issues

    On April 19, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include cease and desist orders, civil money penalty orders, and removal/prohibition orders. The consent orders described below were among those in the OCC’s list:

    Cease and Desist Consent Order. On February 28, the OCC issued a consent order against a Washington-based bank for deficiencies related to its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program. Among other things, the consent order requires the bank to (i) maintain a Compliance Committee consisting of at least three board members; (ii) develop and implement an ongoing BSA/AML risk assessment program; (iii) create and implement BSA internal controls to mitigate risks; (iv) develop and implement policies and procedures for an automated suspicious activity monitoring system; (v) conduct a “Look-Back” to determine whether suspicious activity was timely identified and reported by the bank and whether additional SARs should be filed for previously unreported suspicious activity; (vi) adopt an independent third-party audit program to conduct a review of the bank’s BSA/AML compliance program; and (vii) create a comprehensive training program for appropriate bank personnel. The bank has neither admitted nor denied the findings.

    Civil Money Penalty Consent Order. On March 3, the OCC issued a consent order (2018 Order) against an officer of a California-based bank for violating consent orders issued in 2010 and 2014 related to deficiencies identified in the bank’s BSA/AML rules and regulations and for violations of 12 C.F.R. § 21.21 (Procedures for Monitoring Bank Secrecy Act Compliance). According to the 2018 Order, the officer, who was responsible for overseeing the bank’s operations department, allegedly engaged in “unsafe or unsound practices”; made false statements to the OCC and advised other bank employees to corroborate the statements; and “failed to take the necessary actions to ensure that the [b]ank corrected the deficiencies. . .” The 2018 Order requires the officer to, among other things, pay a $5,000 civil money penalty, and—under the cease and desist terms—participate in BSA/AML compliance training and refrain from making any BSA/AML staffing decisions. The officer, while agreeing to the terms of the consent order, has not admitted or denied any wrongdoing.

    Federal Issues OCC Enforcement Bank Secrecy Act Anti-Money Laundering Risk Management

  • National Institute of Standards and Technology issues updated cybersecurity framework

    Privacy, Cyber Risk & Data Security

    On April 16, the National Institute of Standards and Technology (NIST) announced the release of enhancements to its cybersecurity framework guidance that critical infrastructures, including the financial services industry, should voluntarily follow to mitigate cybersecurity risk. Updates to Cybersecurity Framework Version 1.1 (Framework) incorporate comments received from public feedback, team members, and workshops held over the past two years, as well as stakeholder input on draft versions. Changes include the addition of (i) explanations to clarify that the Framework can be used to promote compliance with an organization’s own cybersecurity requirements; (ii) a cybersecurity risk self-assessment section; (iii) an expanded section addressing ways in which the Framework can be used to manage cybersecurity within the supply chain; (iv) refinements to authentication and identity processes; (v) new language explaining the “relationship between Implementation Tiers and Profiles” in regard to risk management programs; and (vi) a new subcategory on the lifecycle of vulnerability disclosure. The process by which changes are made to the Framework may be viewed on NIST’s website. NIST further notes that both first-time and current Framework users should experience minimal to no disruptions when implementing the updated Framework, and are encouraged to customize the Framework “to maximize individual organizational value.”

    As previously covered in InfoBytes, last year President Trump issued an Executive Order directing federal agencies to follow NIST’s Framework to manage cybersecurity risk.

    Privacy/Cyber Risk & Data Security NIST Risk Management

  • FFIEC joint statement addresses role of cyber insurance in risk management programs

    Federal Issues

    On April 10, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement advising financial institutions to consider the role of cyber insurance as a component of their overall risk management programs in light of the increasing number of sophisticated cyber-attacks. While financial institutions are not required to have cyber insurance, the FFIEC stated that it can be an effective tool to help mitigate risk. However, the FFIEC emphasized that cyber insurance does not diminish the need for a sound control environment; rather, it “may be a component of a broader risk management strategy that includes identifying, measuring, mitigating and monitoring cyber risk exposure.” Additionally, cyber insurance may offset financial losses resulting from data breaches that may not be covered by traditional insurance policies. Considerations for financial institutions assessing the costs and benefits of adding cyber insurance include: (i) involving multiple stakeholders in the decision; (ii) conducting proper due diligence to understand coverage and identify any gaps; and (iii) reviewing cyber insurance as part of a financial institution’s annual insurance review and budgeting process.

    Federal Issues FFIEC Privacy/Cyber Risk & Data Security Cyber Insurance Risk Management

  • Financial Stability Board releases supplementary guidance on sound compensation practices

    Federal Issues

    On March 9, the Financial Stability Board (FSB) announced the release of its Supplementary Guidance to the FSB Principles and Standards on Sound Compensation Practices (Supplementary Guidance) relating to FSB’s Principles and Standards published in 2009. The Supplementary Guidance arises out of a 2015 workplan implemented to address concerns about compensation practices that could create misaligned incentives within financial institutions. The Supplementary Guidance, which does not contain new or additional principles and standards, provides recommendations presented in three parts: (i) “governance of compensation and misconduct risk”; (ii) “effective alignment of compensation with misconduct risk”; and (iii) “supervision of compensation and misconduct risk.” The Supplementary Guidance notes that “inappropriately structured compensation arrangements can provide individuals with incentives to take imprudent risks,” which may lead to potential harm for financial institutions and their customers or stakeholders. The Supplementary Guidance suggests that financial institutions use compensation tools as part of an overall strategy to limit risks and address misconduct, and cautions that “compensation should be adjusted for all types of risk.” 

    Federal Issues Financial Stability Board Risk Management Compensation

  • Federal Reserve blocks national bank’s growth, cites internal governance and risk management oversight failures

    Federal Issues

    On February 2, the Federal Reserve Board (Fed) cited compliance breakdowns and widespread consumer abuses as the primary factors behind its decision to issue an order to cease and desist against a national bank. In addition to blocking the bank from growing beyond $1.95 trillion in assets until the Fed approves internal governance and risk management reforms, the order also requires the bank to take actions in the areas of board effectiveness, risk management program improvement, third party reviews of plans and improvements, and reports on progress. The bank must, among other things, (i) create “separate and independent reporting lines” to the chief risk officer and the board, and (ii) enhance risk management oversight and functions, which includes creating “an effective risk identification and escalation framework.” The bank concurrently agreed to replace four current board members in 2018, with three replaced by April. Notably, the order does not require the bank to cease current activities such as accepting customer deposits or making consumer loans.

    The Fed also sent letters to the bank’s former lead independent director and former chair of the board of directors (see letters here and here) to address the “many pervasive and serious compliance and conduct failures” that occurred during their tenures. Citing ineffective oversight following awareness of alleged consumer abuses, the Fed stated that the former directors failed to initiate any serious inquiry or request that the board do so. Further, the Fed asserted that the former chair of the board continued to support the sales goals that were a major cause of the identified sales practice problems and failed to initiate a serious investigation or inquiry. A third letter sent to the current board of directors outlines steps the board must take to improve senior management reporting, maintain an effective risk management structure, and ensure compensation and other incentive programs are “consistent with sound risk management objectives and promote . . . compliance with laws and regulations.” (See here and here for previous InfoBytes coverage on the alleged improper sales practices.)

    In response, the bank issued a press release stating it will commit to the Fed’s requirements and will provide a compliance plan for oversight, compliance, and operational risk management to the Fed within 60 days. The plan will also outline measures already completed by the bank, and if approved by the Fed, the bank will engage independent third parties to review its adoption and implementation of the plan.

    Federal Issues Federal Reserve Bank Regulatory CFPB OCC Consumer Finance Risk Management

  • FHFA releases 2018-2022 strategic plan

    Federal Issues

    On January 29, the Federal Housing Finance Agency (FHFA) released its strategic plan for 2018-2022, which sets three strategic goals and discusses multiple factors associated with achieving each goal. FHFA’s three strategic goals for 2018-2022 are:

    • Ensure safe and sound regulated entities. FHFA intends to, among other things, use a risk based system to identify supervisory concerns and monitor entities for timely remediation. Additionally, FHFA intends to monitor industry trends and market conditions for emerging risks and issue supervisory guidance and policies related to expectations for safety and soundness.
    • Ensure liquidity, stability, and access in housing finance. FHFA intends to, among other things, promote ongoing liquidity in the marketplace for new and refinanced mortgages. FHFA will monitor access to mortgage credit and collaborate with other regulators to identify emerging issues. FHFA will support multifamily housing needs of the underserved market and promote policies that support fair access to financial services for qualified borrowers.
    • Manage Fannie Mae and Freddie Mac’s ongoing conservatorships. FHFA will continue, among other things, to oversee Fannie Mae and Freddie Mac staffing, will address outstanding claims involving Fannie Mae and Freddie Mac, and will oversee the implementation of the Uniform Mortgage Data Program.

    The strategic plan also identifies critical factors that may affect achievement of the above goals, including (i) economic conditions and government policies of foreign markets; (ii) market developments and legislative reform affecting the U.S. housing market; (iii) financial performance of Fannie Mae and Freddie Mac; (iv) the status of the Fannie Mae and Freddie Mac conservatorship; and (v) management of FHFA resources.

    Federal Issues FHA Risk Management Fannie Mae Freddie Mac Mortgages
