Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On May 24, the OCC released its Semiannual Risk Perspective for Spring 2018, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. Priorities focus on credit, operational, compliance, and interest risk, and while the OCC commented on the improved financial performance of banks from 2016 to early 2018, in addition to the “incremental improvement in banks’ overall risk management practices,” the agency also noted that risks previously highlighted in its Fall 2017 report have “changed only modestly.” (See previous InfoBytes coverage here.)
Specific areas of concern noted by the OCC include: (i) easing of commercial credit underwriting practices; (ii) increasing complexity and severity of cybersecurity threats; (iii) use of third-party service providers for critical operations; (iv) compliance challenges under the Bank Secrecy Act; (v) challenges in risk management involving consumer compliance regulations; and (vi) rising market interest rates, including certain risks associated with the “potential effects of rising interest rates, increasing competition for retail and commercial deposits, and post-crisis liquidity regulations for banks with total assets of $250 billion or more, on the mix and cost of deposits.” Additionally, concerns related to integrated mortgage disclosure requirements under TILA and RESPA previously considered a key risk have been downgraded to an issue to be monitored.
On January 18, the OCC announced the release of its Semiannual Risk Perspective for Fall 2017, identifying key risk areas for national banks and federal savings associations. Top supervisory priorities will focus on credit, operational, and compliance risk. As previously discussed in the spring 2017 semiannual report, compliance risk continues to be an ongoing concern, particularly as banks continue to adopt new technologies to help them comply with anti-money laundering rules and the Bank Secrecy Act (BSA), in addition to addressing increased cybersecurity challenges and new consumer protection laws. (See previous InfoBytes coverage here.) The OCC commented that these types of risks can be mitigated by banks with “appropriate due diligence and ongoing oversight.”
Specific areas of particular concern include the following:
- easing of commercial credit underwriting practices;
- increasing complexity and severity of cybersecurity threats, including phishing scams that are the primary method of breaching bank data systems;
- using limited third-party service providers for critical operations, which can create “concentrated points of failure resulting in systemic risk to the financial services sector”;
- compliance challenges under the BSA; and
- challenges in risk management involving consumer compliance regulations.
The report also raises concerns about new requirements under the Military Lending Act along with pending changes to data collection under the Home Mortgage Disclosure Act, which could pose compliance challenges. It further discusses a new standard taking effect in 2020 for measuring expected credit losses, which “may pose operational and strategic risk to some banks when measuring and assessing the collectability of financial assets.”
The data relied on in the report was effective as of June 30, 2017.
CFPB Issues Principles Concerning Security and Transparency for Financial Data Sharing and Third-Party Aggregation
On October 18, the CFPB published guidelines entitled “Consumer Protection Principles” (Principles), which are “intended to reiterate the importance of protecting consumers” when companies, including “fintech” firms, banks, and other financial institutions, get authorization from consumers to access their account data that reside in separate organizations to provide products and services. Earlier this year, industry groups responded to a CFPB request for information and weighed in on the benefits and risks associated with consumers authorizing third parties to access their financial and account information held by financial service providers. (See previous InfoBytes summary here.) Along with the Principles, the CFPB published a summary of stakeholder insights, which highlights the feedback received by the Bureau. Separately, on October 16, Senator Edward J. Markey (D-Mass.) sent a letter to Director Richard Cordray raising concerns about data security during the transfer of consumer data to third-party aggregators and highlighting the need for transparency concerning the use of the data.
The Principles address the following areas: (i) data access; (ii) data scope and usability; (iii) control of data and informed consent; (iv) payment authorizations; (v) data security; (vi) transparency on data access rights; (vii) data inaccuracies; (viii) dispute rights and unauthorized access resolution; and (ix) mechanisms for efficient and effective accountability.
Notably, the Bureau recognized that there already exist statutes and regulations that apply to consumer protections in this market. As such, the Principles “are not intended to alter, interpret, or otherwise provide guidance on—although they may accord with—the scope of those existing protections,” and therefore do not establish “binding requirements.”
On September 18, the Community Home Lenders Association and the Community Mortgage Lenders of America sent a joint letter to Treasury Secretary Mnuchin urging relief for smaller independent mortgage bankers from CFPB supervision, enforcement, and vender management audits. Specifically, the trade groups requested support for legislation that would help eliminate the risk of enforcement actions from the CFPB for smaller nonbanks. The letter cites the conclusions drawn in the Treasury Report on financial regulations, released in June (this report was a product of the February Executive Order, covered by a Buckley Sandler Special Alert). Of particular interest from the trade groups was the report’s conclusion that Congress should repeal the CFPB’s supervisory authority and return the supervision of nonbanks to state regulators.
On August 30, the CFPB posted revisions to its Compliance Management Review Examination Procedures—part of its Supervision and Examination Manual—that is intended to provide guidance for institutions when developing and maintaining compliance management systems (CMS). The Bureau advises that to maintain legal compliance, institutions must integrate and support an effective CMS “into the overall framework for product design, delivery, and administration across their entire product and service lifecycle,” and are required to manage relationships with service providers to ensure compliance with applicable federal consumer financial laws. The CFPB notes that an effective CMS is comprised of two interdependent control components: (i) “Board and Management Oversight”; and (ii) a “Compliance Program,” including policies and procedures, training, monitoring and/or auditing, and consumer complaint response processes. Updates have been made to the Examination Report Template–which provides the scope of review and consumer compliance rating based on the findings of the exam—and the Supervisory Letter Template–which references matters requiring attention or that need to be corrected based on the Bureau’s review.
Basel Committee on Banking Supervision Issues Consultative Document on Implications of Fintech for the Banking Industry
As waves of innovative financial technology (fintech) continue to reshape the financial services landscape, banking institutions and their supervisors have invested significant effort in analyzing its impact and developing an appropriate response. On August 31, the Basel Committee on Banking Supervision (BCBS), the primary global standard setter for the prudential regulation of banks, weighed in. Through the release of a consultative document, Sound Practices: Implications of fintech developments for banks and bank supervisors, the BCBS identified 10 key observations, accompanied by 10 recommendations, for banks and bank supervisors to address the challenges posed by advances in fintech.
The report summarizes the main findings of a BCBS task force established to analyze developments in fintech and their impact on the banking industry. Quantifying the size and growth of fintech is difficult; among other reasons, most jurisdictions have not formally defined “fintech” (notably, the report includes a glossary of terms and acronyms related to the delivery of fintech products and services, and is the first attempt by the BCBS to provide a common definition in this space). Yet the significant number of financial products and services derived from fintech innovations and the trend of rising investment in fintech companies globally warrants attention. As the BCBS acknowledges, while the impact of fintech on banking remains uncertain, “that change could be fast-paced and significant.”
In its report, the BCBS observes that the rise of fintech innovation has resulted in “a battle for the customer relationship and customer data,” the result of which “will be crucial in determining the future role of banks.” To assess the impact of the evolution of fintech products and services, the BCBS identified five stylized scenarios describing the potential impact of fintech on banks. In addition, the BCBS assessed six case studies focused on specific innovations (e.g., big data, cloud computing, innovative payment services, and neo-banks), in order to understand the individual risks and opportunities of a specific fintech development through the different scenarios. The extent to which banks or new fintech entrants will own the customer relationship varied across each scenario. However, in almost every scenario, the position of the incumbent banks will be challenged. The BCBS finds that “a common theme across the various scenarios is that banks will find it increasingly difficult to maintain their current operating models, given technological change and customer expectations.”
In analyzing fintech’s potential impact, the BCBS analyzes previous waves of innovation in banking, such as ATMs, electronic payments, and the Internet. While each of these have changed the face of banking, the BCBS highlights two key differences as it concerns fintech’s potential impact: the current pace of innovation is faster now than in previous decades and the pace of adoption has also increased. As a result, the Committee warns, “the effects of innovation and disruption can happen more quickly than before, implying that incumbents may need to adjust faster.”
The BCBS stated that banking standards and supervisory expectations “should be adaptive to new innovations, while maintaining appropriate prudential standards.” Against this backdrop, the Committee concluded its report with 10 key observations and recommendations for consideration by banks and bank supervisors.
- The overarching need to ensure safety and soundness and high compliance standards without inhibiting beneficial innovation in the banking sector;
- Key risks for banks related to fintech developments, including strategic/profitability risks, operational, cyber and compliance risks;
- Implications for banks of the use of innovative enabling technologies;
- Implications for banks of the growing use of third parties, via outsourcing and/or partnerships;
- Cross-sectoral cooperation between supervisors and other relevant authorities;
- International cooperation between banking supervisors;
- Adaptation of the supervisory skillset;
- Potential opportunities for supervisors to use innovative technologies ("suptech");
- Relevance of existing regulatory frameworks for new innovative business models; and
- Key features of regulatory initiatives set up to facilitate fintech innovation.
By issuing this guidance, BCBS is prompting global regulators to address technological advancements and novel business models with the same sense of urgency that the banking and fintech industries are employing. It will be incumbent on the financial services industry – traditional and novel business models alike – to work together to inform and shape what those supervisory guidelines will look like.
Comments on BCBS’s consultative document will be accepted through October 31, 2017.
On August 15, the FTC issued a press release announcing a settlement with a ride-sharing company over allegations that it violated the Federal Trade Commission Act by making deceptive claims about its privacy and data practices. According to the complaint, the company allegedly failed to closely monitor and audit its employees’ internal access to consumer and driver data. Furthermore, the company represented to consumers and drivers that personal information stored in its databases were secure, but, according to the FTC, failed to implement reasonable measures to prevent unauthorized access to consumers and driver data maintained by the ride-sharing company’s third-party cloud service provider. Both counts, the FTC alleged, demonstrated false or misleading representations. In the press release, FTC Acting Chairman Maureen K. Ohlhausen said, “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
Under the terms of the decision and order, the company has agreed to establish, implement, and maintain a written “comprehensive privacy program,” reasonably designed to: (i) “address privacy risks related to the development and management of new and existing products and services for consumers,” and (ii) “protect the privacy and confidentiality of Personal Information.” The company is also required to obtain biennial independent third-party assessments to address privacy controls requirements and “certify that the privacy controls are operating with sufficient effectiveness to provide reasonable assurance to protect the privacy of Personal Information and that the controls have operated throughout the reporting period.”
The agreement with the FTC will be subject to public comment for 30 days through September 15, at which point the FTC will decide whether to make the proposed consent order final.
On August 7, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert entitled “Observations from Cybersecurity Examinations,” which provides findings and observations concerning industry practices and legal and compliance issues related to cybersecurity preparedness. The SEC examined 75 SEC registered firms as part of its Cybersecurity 2 Initiative and noted an improvement overall in terms of (i) creating and implementing cybersecurity policies and procedures and response plans; (ii) conducting periodic risk assessments to identify threats and vulnerabilities; (iii) implementing measures to ensure regular system maintenance checks; (iv) maintaining processes for identifying cybersecurity roles and responsibilities; (v) receiving authority from customers and shareholders concerning fund transfer authority; and (vi) conducting vendor risk assessments or requiring risk management from vendors. However, the SEC identified areas in need of improvement, such as failure to tailor or enforce policies and procedures or conduct adequate system maintenance to safeguard customer information. Also included in the alert are examples of best practices and guidance for firms to follow when implementing cybersecurity-related policies and procedures.
Separately, that same day the International Monetary Fund (IMF) released a working paper discussing cyber risk awareness and the policy measures, regulatory frameworks, and supervisory measures affecting financial institutions’ approaches to systemic cyber risk. The IMF paper, entitled “Cyber Risk, Market Failures, and Financial Stability,” presents an overview of recent cyberattacks on the financial services industry, and stresses that cyber risk management requires that risks identified as part of a threat identification process must be “actively managed” to “ensure that cybersecurity-related measures are appropriate for and commensurate with the underlying risk.” Risk avoidance, risk reduction, and risk transfer are options for effective management. The paper further notes that, as a result of a predominance of cyber risk assessment centering on individual institutions (which constructs a relatively narrow view), insufficient attention has been given to systemic cyber risk that occurs commonly when financial institutions are exposed to “access vulnerabilities, risk concentration, risk correlations, or contagion effects (including through reputational channels).” The paper states that a need exists for regulatory reform and effective policy change “to build resilience through investment in cyber security while giving institutions flexibility to address the risks in the way they see as optimal.” Suggestions for measures—including national and international coordination—to strengthen resilience to cyber risk are also provided.
On July 31, the FTC announced it has approved TRUSTe’s proposed modifications to its Children’s Online Privacy Protection Rule's (COPPA) safe harbor program. As previously covered in InfoBytes, COPPA regulates what websites and online services are required to do to ensure the protection of children’s privacy and safety online. The safe harbor program allows the FTC to review and approve “self-regulatory guidelines” submitted by industry groups that implement “the same or greater protections for children” as those contained in the COPPA Rule, and subjects approved groups to safe harbor review and disciplinary procedures instead of formal enforcement action. Among the approved modifications is a change which requires all participants to conduct a comprehensive annual internal assessment of any third-party or service provider that collects personal information from children on their websites or through online services.
On July 26, the FDIC issued Financial Institution Letter FIL-31-2017 to announce updates to its Risk Management Manual of Examination Policies. The revisions, which incorporated guidance from the FDIC’s Board of Directors, updated the Report of Examination Instructions regarding matters requiring board attention and “deviations from the safety and soundness principles underlying statements of policy.” The revision also included updated instructions for examiners to use when complying with examination schedules. The letter applies to all FDIC-supervised financial institutions.