InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC Deputy Comptroller Discusses Risk Management Practices
On February 25, OCC Deputy Comptroller Darrin Benhart delivered remarks at the 16th Annual Global Association of Risk Professionals (GARP) Risk Management Conference on the OCC’s efforts to improve its ability to “identify, monitor, and respond to emerging risks” that continue to affect the financial services industry. Benhart highlighted the newly formed Supervision Risk Management team, emphasizing its work with the OCC’s National Risk Committee in monitoring emerging threats to the safety and soundness of the federal banking system. More significantly, Benhart commented on the agency’s growing concern with banks’ recent re-evaluations of their business models as they pursue “new ways to generate returns against the backdrop of low interest rates.” In light of this concern, Benhart cautioned bank management to consider the following three risk management areas when assessing potential updates to their existing business models: (i) concentration risk management – ensure that concentrations for financial institutions are effectively identified and measured to prevent heightened credit, interest rate, liquidity, or operational risks; (ii) correlation risk – recognize that the impact of the risk goes beyond the obvious affected borrowers and should focus as well on those indirectly correlated borrowers for whom the exposure is often more difficult to measure and understand; and (iii) over-reliance on historical performance – acknowledge that the financial environment can change and “paradigms can shift.”
Digital Insights & Trends: What Keeps You Up At Night - Data INsecurity
We’re still wide awake, focusing on what keeps us (and our financial institution clients) up at night. Let’s pick up where we left off following our December webinar, but this time address data INsecurity from the perspective of its “other” victims, i.e., consumers. Last months’ webinar reviewed the benefits of risk-based approaches to organizational cybersecurity frameworks and identified potential obstacles to their achievement. Today, we’re thinking about another risk of cybersecurity breakdowns – the loss of consumer confidence. This risk threatens companies as surely as the regulatory, media and legal fallout.Despite the proliferation of data breach notification and consumer financial privacy laws, data-breach-fueled identity theft is increasing. A recent report of the National Consumers League & Javelin Strategy reveals that consumer fraud victims don’t discriminate between business organizations and financial institutions when assigning blame for data breaches. Rather, they avoid doing business with all organizations involved. Ironically, nearly one-third of fraud victims take no action to prevent further fraud, even when they’ve been notified that their data has been compromised. The majority of consumer victims, according to the NCL/Javelin report, say both businesses and FIs should be held accountable, and want to be able to sue the breached companies. An even greater majority think the federal government should protect them -- and lawmakers are listening. Senator Amy Klobuchar (D-MN), for example, favors a national security breach notification law.
Financial institutions are between a rock and the proverbial hard place. Compromised financial information results in greatly increased fraud against affected consumers. However, many consumers don’t take action to prevent a breach from escalating into further incidents of fraud. (Partly, this results from lack of faith in the effectiveness of solutions like credit monitoring, and partly, consumers don’t know where to go for help.) Some consumers contact law enforcement or government agencies, but many simply avoid patronizing the companies involved as a result of diminished trust. An overwhelming number of victims believe the right course is action against companies where their information was breached.
Trust lost is hard to regain. Data breach responses are key to effective enterprise risk management, not only because of legal and enforcement risk, but because consumer loyalty, and its loss, have real, tangible, operational and financial consequences. In an effort to bolster consumer trust, companies should: be transparent in communicating their practices and controls with respect to the management and use of data; and provide guidance to their customers on actions that can be taken to protect their own data.
Note: Information in this article is based in part on the “Consumer Data Insecurity Report” produced by Javelin Strategy & Research (2014).
OCC Provides Workshops to National Community Bank Directors
On January 14, the OCC released its schedule of workshops for directors of national community banks and federal savings associations. The OCC examiner-led workshops provide practical training and guidance to directors of national community banks and federal savings associations to support the safe and sound operation of community-based financial institutions. The four workshops planned are (i) “Building Blocks for Directors,” (ii) “Risk Governance,” (iii) “Compliance Risk,” and (iv) “Credit Risk.” Each workshop costs $99.00. Registration is required.
Treasury Official Urges Banks to Consider Cyber Insurance, Assess Cybersecurity Readiness
On December 3, Deputy Secretary Raskin delivered remarks at the Texas Bankers’ Association Executive Leadership Cybersecurity Conference. During her prepared remarks, Raskin noted recent data security breaches across many business sectors, including financial services, and presented ten questions for bank CEOs to consider when assessing their institutions’ cybersecurity readiness. Notably, Raskin urged the bank executives to consider relatively new cyber risk insurance for the financial recovery it provides because the underwriting processes could enhance other cybersecurity controls and provide helpful information for assessing a bank’s risk level. Currently, over 50 insurance carriers offer some form of cyber insurance coverage. Raskin’s remarks come only weeks after Congressional leaders sent a letter to financial institutions requesting that they provide information about their ability to protect consumers and safeguard personal information in the event of a data breach or cyber-attack.
New York Federal Reserve Bank Establishes Integrated Policy Analysis Group
On December 3, the New York Fed announced the formation of its Integrated Policy Analysis Group (IPA). Designed to develop the New York Fed’s view of the economic and financial environment globally, the IPA will (i) integrate information from within and outside the Bank to assess the developing economic and financial environment; (ii) assess risks with the potential to impact the Fed’s objectives and “consider policy options to mitigate those risks;” and (iii) manage international relationships. Alberto G. Musalem was appointed as the head of IPA, and the new group is scheduled to begin its work in January 2015.
OCC Shuffles Management, Creates Senior Position to Oversee Risk
On October 27, the OCC announced the appointment of Darrin Benhart as Deputy Comptroller for Supervision Risk Management and Bethany Dugan as Deputy Comptroller for Operational Risk. Mr. Benhart will assume the position of full-time chair of the agency’s National Risk Committee, responding to a recommendation from a peer review that the agency create such a role. Mr. Benhart’s position is intended to strengthen the OCC’s ability to address risk in the national banking system. Prior to his appointment, Mr. Benhart served as the Deputy Comptroller for Credit and Market Risk. In her new role, Ms. Dugan will oversee the policy and examination procedures developments, specifically those that address operational risk issues.
Fed Issues Final Rule Affecting Financial Market Utilities, Updates Policy on Payment System Risk
On October 28, the Federal Reserve announced its final rule to amend Regulation HH, standards for financial market utilities (FMUs) that have been designated as systemically important by the FSOC. The new rule will implement a common set of risk-management standards for all designated FMUs and revise certain definitions. Further, the Fed also announced final revisions to part 1 of its Federal Reserve Policy on Payment System Risk. The final rule and revisions to the policy are based on the Principles for Financial Market Infrastructures, which were developed jointly by the Committee on Payment and Settlement Systems and the International Organization of Securities Commissions. Specifically, the amendments and revisions will establish (i) separate standards to address credit risk and liquidity risk; (ii) new plans for recovery and orderly wind-down; (iii) new standards on general business risk and on tiered participation arrangements; and (iv) increased requirements on transparency and disclosure. The final rule will be effective on December 31, 2014. FMUs have until December 31, 2015 to comply with specific additional requirements set forth in the rule.
FHFA Director Outlines Plan To Refine Representation and Warranty Framework
On October 20, FHFA Director Melvin Watt delivered remarks at the Mortgage Bankers Association Annual Conference in Las Vegas, Nevada. Watt addressed the Agency’s progress in ensuring safety and soundness and liquidity in the housing finance market. Specifically, Director Watt focused on the Agency’s continued work to revise the Representation and Warranty Framework (Framework) under which lenders and Enterprises function, stressing the importance of providing “clear rules of the road to allow lenders to manage their risk and lend throughout the Enterprises’ credit box.” In January 2013, the Agency implemented the first improvements to the Framework, which ultimately “relieved lenders of representation and warranties obligations related to the underwriting of the borrower, the property, or the project for loans that had clean payment histories for 36 months;” and in May, the Agency announced additional clarifications on the 36 month benchmark. Now, the Agency is focusing on improving the Framework by (i) clearly defining the life-of-loan exclusions to ensure lenders know what the exclusions are and when the exclusions apply to loans that are eligible for repurchase relief. These exclusions range into six categorical types: 1) misrepresentations, misstatements and omissions; 2) data inaccuracies; 3) charter compliance issues; 4) first-lien priority and title matters; 5) legal compliance violations; and 6) unacceptable mortgage products. Details regarding the definitions of the life-of-loan exclusion types will be released by the Enterprises in the coming weeks; (ii) clarifying that only life-of-loan exclusions can trigger a repurchase; and (iii) adding a “significance” test that requires the Enterprises to “determine that the loan would have been ineligible for purchase initially if the loan information had been accurately reported.” By making these revisions to the Framework, the Agency anticipates that the Enterprises will continue to conduct quality control reviews, enhance their risk management practices, and “engage in transactions that sell a portion of the credit risk from new mortgage purchases to the private market.”
Federal Reserve Board Finalizes Enhanced Prudential Standards For Large Bank Holding Companies, Foreign Banks
On February 18, the Federal Reserve Board issued a final rule that incorporates elements of two previously proposed rules related to U.S. bank holding companies with assets of $50 billion or more and foreign banking organization with assets of $50 billion or more. For covered domestic bank holding companies, the final rule (i) incorporates as an enhanced prudential standard previously-issued capital planning and stress testing requirements; and (ii) imposes enhanced risk-management, including liquidity risk-management standards. The rule further imposes a 15-1 debt-to-equity limit for companies that pose a grave threat to U.S. financial stability, as determined by the FSOC. For covered foreign banking organizations, the rule (i) implements enhanced risk-based and leverage capital requirements, liquidity requirements, risk-management requirements, stress testing requirements, and the debt-to-equity limit for FSOC-designated companies; and (ii) requires foreign banking organizations with U.S. non-branch assets of $50 billion or more to form a U.S. intermediate holding company (IHC) and imposes the same enhanced requirements on the IHC. The rule also establishes enterprise-wide risk-committee requirements for publicly traded domestic bank holding companies with total consolidated assets of $10 billion or more and for publicly traded foreign banking organizations with total consolidated assets of $10 billion or more, and implements stress-testing requirements for foreign banking organizations and foreign savings and loan holding companies with total consolidated assets of more than $10 billion. The final rule does not apply to non-bank financial firms designated as systemically important by the FSOC. The rule takes effect on June 1, 2014, but covered U.S. bank holding companies have until January 1, 2015 to comply. Foreign banking organizations must submit an implementation plan by January 1, 2015, but have until July 1, 2016 to comply. The final rule generally defers application of the leverage ratio to IHCs until 2018.
Basel Committee Finalizes AML/CFT Risk Management Guidance
On January 15, the Basel Committee on Banking Supervision issued final guidance regarding anti-money laundering/combating the financing of terrorism (AML/CFT) risk management. The Committee states that the guidelines are consistent with and supplement the 2012 International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation issued by the Financial Action Task Force. The guidelines supersede two previously-issued Basel Committee publications: Customer due diligence for banks (October 2001) and Consolidated KYC management (October 2004). The final guidelines detail the “essential elements” of sound AML/CFT risk management, including those related to (i) assessing and understanding risks; (ii) customer acceptance policies; (iii) customer and beneficial owner identification; (v) ongoing monitoring; (vi) information management and record keeping; and (vii) reporting suspicious transactions and asset freezing. The guidelines also address AML/CTF in the group-wide and cross-border context, and outlines expectations for banking supervisors.
