InfoBytes Blog

Financial Services Law Insights and Observations

  • FHFA outlines MSR guidance for managing counterparty credit risk

    Agency Rule-Making & Guidance

    On January 12, FHFA released an advisory bulletin communicating supervisory expectations for Fannie Mae and Freddie Mac (the Enterprises) related to the valuation of mortgage servicing rights (MSRs) for managing counterparty credit risk. FHFA emphasized that Fannie and Freddie’s “risk management policies and procedures should be commensurate with an Enterprise’s risk appetite[] and based on an assessment of seller/servicer financial strength and MSR risk exposure levels.” FHFA relayed that while sellers and servicers assign values to their MSRs, the Enterprises should implement their own processes to evaluate the reasonableness of seller/servicer MSR values. FHFA explained that Fannie and Freddie are “exposed to counterparty credit risk when seller/servicers provide representations and warranties that mortgage loans conform with its selling guide requirements,” and reiterated that “[f]ailure to meet such obligations and commitments may cause the Enterprise to incur credit losses and operational costs.”

    The advisory bulletin lays out risk management expectations to ensure MSR values are reasonable, objective, and transparent, and provides guidance covering several areas, including (i) objective evaluation of MSR values; (ii) MSR valuations for mortgage loans owned or guaranteed by Fannie and Freddie as well as stress testing; (iii) MSR valuations for mortgage loans not owned or guaranteed by Fannie or Freddie; (iv) market data input; (v) use of third-party providers; (vi) frequency of evaluations; and (vii) discount to MSR values when servicing rights are terminated. The advisory bulletin is applicable only to MSRs for single-family mortgage loans and is effective April 1.

    Agency Rule-Making & Guidance Federal Issues Mortgages Fannie Mae Freddie Mac GSEs Risk Management Credit Risk

  • Agencies warn banks of crypto-asset risks

    On January 3, the FDIC, Federal Reserve Board, and OCC issued a joint interagency statement highlighting key risks banks should consider when choosing to engage in cryptocurrency-related services. Risks flagged by the agencies include: (i) the possibility of fraud and scams among crypto-asset sector participants; (ii) legal uncertainties related to custody practices, redemptions, and ownership rights; (iii) misleading disclosures made by crypto firms that may be unfair, deceptive, or abusive; (iv) volatility in crypto-asset markets, including the susceptibility of stablecoins to run risk, which could impact deposit flows; (v) contagion risks resulting from interconnections among crypto-asset participants that may present concentration risks for banks with exposure to the crypto-asset sector; (vi) lack of maturity in risk management and governance practices within the crypto-asset sector; and (vii) elevated risks associated with open, public, and/or decentralized networks.

    The agencies commented that while they will continue to take a cautious approach to current or proposed crypto-asset-related activities (and are not prohibiting nor discouraging banks from providing crypto services to customers, as permitted by law or regulation), they currently “believe that issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe-and-sound banking practices.” Moreover, the agencies expressed “significant safety and soundness concerns with business models that are concentrated in crypto-asset-related activities or have concentrated exposures to the crypto-asset sector.” Agencies have developed processes for banks to engage in robust supervisory discussions with their supervisory office about any proposed or existing crypto-asset-related activities, the agencies advised, adding that before launching any activities, banks should take appropriate risk management measures and assess whether the activity can be performed in a safe and sound manner, is legally permissible, and complies with applicable laws and regulations. Additional statements will be released in the future by the agencies.

    “The events of the past year have been marked by significant volatility and the exposure of vulnerabilities in the crypto-asset sector,” the agencies said as they stressed the importance of keeping crypto-asset risks that cannot be mitigated or controlled from migrating to the banking system.

    The OCC separately issued a bulletin advising supervised banks to follow processes outlined in OCC Interpretive Letter 1179 (covered by InfoBytes here) before engaging in certain crypto-asset-related activities.

    Bank Regulatory Federal Issues OCC FDIC Federal Reserve Digital Assets Cryptocurrency Risk Management Fintech

  • FHFA issues model risk management guidance

    Agency Rule-Making & Guidance

    On December 21, FHFA issued guidance to Freddie Mac, Fannie Mae, the Federal Home Loan Banks (FHLBanks), and the Office of Finance on its model risk management framework. According to the bulletin, the purpose of the guidance—formatted as Frequently Asked Questions—“is to provide supplemental guidelines that will address some of the gaps in [FHFA’s 2013 Model Risk Management guidance] prompted by changes in model-related technologies and questions generated from the expanded use of complex models by the FHLBanks.” “The supplemental guidance also addresses model documentation, the communication of model limitations, model performance tracking, on-top adjustments, challenger models, model consistency, and internal stress testing.”

    Agency Rule-Making & Guidance FHFA FHLB Fannie Mae Freddie Mac GSEs Risk Management

  • NYDFS releases proposed guidance for mitigating climate-related risks

    State Issues

    On December 21, NYDFS proposed guidance for regulated banking and mortgage institutions to support efforts for responding to evolving risks stemming from climate change. The proposed guidance—which was developed to align with the climate-related work of federal and international banking regulators—will aid institutions in identifying, measuring, monitoring, and controlling material climate-related financial risks, consistent with existing risk management principles. Institutions should “minimize and affirmatively mitigate adverse impacts on low- and moderate-income communities while managing climate-related financial risks,” NYDFS said, explaining that the proposed guidance focuses on areas of risk management related to corporate governance, internal control frameworks, risk management processes, data aggregation and reporting, and scenario analysis that also accounts for unknown future risks. Among other things, the proposed guidance warned institutions of the importance of ensuring fair lending is provided to all communities, including low- to moderate-income neighborhoods that may face heightened risks, when managing climate-related financial risks. The proposed guidance also outlined tools institutions should use to measure and protect against climate change risks. NYDFS warned institutions that they may have to directly absorb a greater portion of losses and should plan for insurance coverage premiums to either increase or be withdrawn entirely in areas where climate risks are prevalent.

    NYDFS commented that the proposed guidance serves as a basis for supervisory dialogue and instructed interested parties to provide input as it undertakes a data-driven approach to formulating the final guidance. Comments are due by March 21, 2023. A webinar will be held on January 11, 2023 to provide an overview of the proposed guidance.

    “Regulators must anticipate and respond to new risks to operational resiliency and safety and soundness, jeopardizing an institution’s future,” Superintendent Adrienne A. Harris said. “NYDFS is committed to working with all stakeholders to further refine expectations and finalize guidance appropriate for institutions to address material climate-related financial risks.”

    State Issues State Regulators Bank Regulatory NYDFS Climate-Related Financial Risks Redlining New York Mortgages Risk Management Supervision Fair Lending

  • OCC warns of crypto-asset and cybersecurity risks facing the federal banking system

    On December 8, the OCC released its Semiannual Risk Perspective for Fall 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that, in the aggregate, banks “remain well capitalized” and have “ample liquidity and sound credit quality, although macroeconomic headwinds are a concern.” The OCC highlighted interest rate, operational, compliance, and credit risks as key risk themes. Observations include: (i) the rising rate environment has adversely impacted bank investment portfolios; (ii) operational risk, including evolving cyber risk, is elevated, with “threat actors continuing to target the financial services industry with ransomware and other attacks”; (iii) compliance risk remains heightened as banks navigate significant regulatory changes; and (iv) credit risk in commercial and retail loan portfolios remains moderate and demonstrates resiliency, “but signs of potential weakening in some segments warrant careful monitoring.”

    The report discussed emerging risks related to innovation and the adoption of new products and services, including crypto-assets. Highlighting risks arising from banks’ expansion into digital offerings and the “heightened” threat of fraud risk associated with innovative peer-to-peer payment platforms, the OCC noted that banks should be “clearly communicating risks, educating customers on potential scams, and enhancing internal fraud monitoring capabilities” to mitigate threats and protect consumers. The report noted that “[b]anks may require additional or different controls to safeguard against fraud, financial crimes, violations of Bank Secrecy Act, anti-money laundering, and Office of Foreign Assets Control (BSA/AML/OFAC) requirements, and consumer protection or fair lending laws, or operational errors,” and should “maintain comprehensive operational resilience frameworks commensurate with the size and complexity of products, services, and operations being supported.”

    The OCC reiterated the importance of taking a “careful and cautious approach” toward banks’ engagement with crypto-related firms. Recent events in the crypto market have also “revealed a high degree of interconnectedness between certain crypto participants through a variety of opaque lending and investing arrangements,” which has led to “a high risk of contagion among connected parties.” The report noted that national banks and federal savings associations interested in engaging in crypto-asset activities should discuss the activities with their supervisory office before engaging in the activities. Some activities may require a supervisory non-objection under OCC Interpretive Letter #1179.

    The report cited risks related to cybersecurity and partnerships with fintech and other third parties. The OCC said it is applying a “heightened supervisory focus” to its scrutiny of banks’ oversight of third-party relationships and flagged an upward trend in ransomware attacks targeting banks’ service providers and other third parties. Partnering with fintechs to support operations or provide opportunities for customers to enter the digital asset market can “increase the risk of unfair or deceptive acts or practices because of the coordination, communication, and disclosure challenges involved in these partnerships,” the report said, adding that “[u]nclear or arbitrary partnership agreements may result in implementation breakdowns, untimely resolution of issues, or failure to deliver products or services as intended, and may result in significant customer remediation.” The OCC cautioned that banks must “conduct appropriate due diligence” before entering a partnership with a third party. “The scope and depth of due diligence, as well as ongoing monitoring and oversight of the third party’s performance, should be commensurate with the nature and criticality of the proposed activity.”

    The report also discussed forthcoming climate risk management guidelines applicable to banks with more than $100 billion in total consolidated assets. As previously covered by InfoBytes, the OCC, Federal Reserve Board, and the FDIC announced they intend to issue final interagency guidance to promote consistency.

    Bank Regulatory Federal Issues Digital Assets Privacy, Cyber Risk & Data Security OCC Risk Management Cryptocurrency Supervision Third-Party Risk Management Fintech Financial Crimes Climate-Related Financial Risks

  • Treasury official flags “de-risking” as a concern in combating illicit financial risks

    Financial Crimes

    On December 5, Assistant Secretary for Terrorist Financing and Financial Crimes at the U.S. Department of Treasury Elizabeth Rosenberg outlined key illicit finance risks impacting the broader financial system during the ABA/ABA Financial Crimes Enforcement Conference. Rosenberg noted that for many nations, the illicit finance threat posed by Russia related to its invasion into Ukraine is a top priority. She commented that more than 30 countries immediately implemented sanctions or other economic measures against Russia, and that since then, the U.S. and other countries have created an expansive, multilateral web of restrictions targeting Russia’s ability to fund its war. Rosenberg also recognized that by reassessing their understanding of Russian illicit financial risks and implementing adaptive measures, companies and financial institutions play an important role in providing critical insight into emerging threats. Rosenberg also discussed Treasury’s risk-based approach to crafting policy responses, including those related to beneficial ownership transparency, investment adviser misuse, and the use of residential and commercial real estate to hide and grow illicit funds.

    Rosenberg warned, however, that there are challenges in implementing a truly risk-based approach. She pointed to observations made by the Financial Action Task Force, which showed that while many countries and their financial institutions “are keenly aware of where enhanced due diligence is needed,” many “often can not readily identify the inverse: places where simplified due diligence should be expected and permitted.” She cautioned that focusing on high-risk areas rather than lower-risk parts “is not without costs,” and illustrated a common form of de-risking that occurs “when financial institutions categorically cut off relationships or services to avoid perceived risks—for example, certain geographic regions—rather than applying a nuanced, risk-based approach.” Doing so can lead to “deleterious effects,” she warned, such as excluding businesses based on their location or status, or impacting emerging markets that could serve underbanked populations. Rosenberg said Treasury intends to study these concerns through the Anti-Money Laundering Act of 2020, and will develop a strategy for addressing de-risking, including recommendations on ways to improve public-private engagement on the issue, regulatory guidance and adjustments, and international supervision.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury Risk Management Russia Ukraine Invasion FATF Anti-Money Laundering Act of 2020 Beneficial Ownership Illicit Finance

  • OCC discusses credit risk management, diversity and inclusion

    On December 5, acting Comptroller of the Currency Michael J. Hsu delivered remarks at the RMA Risk Management and Internal Audit Virtual Conference, where he spoke about the current expected credit losses standard (CECL) and the importance of workforce diversity and inclusion. Hsu started by discussing CECL and mentioning that though loan portfolios have generally remained resilient and widespread “deterioration isn’t currently evident in credit quality metrics, the effects of high inflation, rising interest rates, lagging wage growth, supply chain disruptions, and stress from geopolitical events threaten the unexpectedly strong credit performance observed over the past few years.” He further pointed out that the longer-term effects of the Covid-19 pandemic, such as the shift in preferences toward online shopping and remote work, and other circumstances, can erode business profit margins, debt service capacity, and collateral valuations, in addition to adversely affecting credit risk levels at financial institutions. When speaking about sound practice, Hsu stated that maintaining safe and sound credit risk management practices through this period of economic uncertainty is critical. He also noted that “timely risk identification and ratings, increased focus on concentrated portfolios and vulnerable borrowers, and stress testing and sensitivity analysis are particularly critical risk management activities at this time.” He further warned that the “flexibility” provided by CECL must ensure safety and soundness, arguing that there needs to be “appropriate support and documentation of management’s judgments,” as well as management’s assumptions, decisions, expectations, and qualitative adjustments.

    He emphasized that the first step to improving diversity, equity, and inclusion requires more transparency from the financial services industry regarding the diversity of their boards and executive leadership, and organizations need to develop diversity plans and monitor outcomes. He also emphasized that financial institutions should actively “foster a true sense of belonging for everyone.” In closing, Hsu stated that “improving diversity and inclusion is a ‘need to have’ for [the OCC] to achieve our mission of assuring safety and soundness, fair access to financial services, and fair treatment of customers.”

    Bank Regulatory Federal Issues OCC Diversity Credit Risk Risk Management CECL Covid-19

  • Fed solicits feedback on proposed climate-related risk principles

    On December 2, the Federal Reserve Board issued a notice requesting public comments on proposed Principles for Climate-Related Financial Risk Management for Large Financial Institutions. The proposed principles would provide a high-level framework for the safe and sound management of exposures to climate-related financial risks for the largest financial institutions (those with over $100 billion in total consolidated assets), as well as address the physical and transition risks associated with climate change. Notably, the notice acknowledged that all financial institutions, regardless of size, can have material exposures to climate-related financial risks. Intended to support large financial institutions’ efforts in addressing climate-related financial risk management, the proposed principles cover six major areas: (i) governance; (ii) policies, procedures, and limits; (iii) strategic planning; (iv) risk management; (v) data, risk measurement, and reporting; and (vi) scenario analysis. The Fed noted that the proposed principles are substantially similar to those issued by the OCC and FDIC (covered by InfoBytes here and here), and said that the agencies intend to issue final interagency guidance to promote consistency. Comments on the proposed principles are due 60 days after publication in the Federal Register.

    Governor Bowman stated that while she voted in favor of seeking input on the proposed principles, she reserves the right to vote against their finalization. She also emphasized that excluding financial institutions with less than $100 billion in assets from the guidance “is appropriate based not only on the size of such firms, but also in light of the robust risk management expectations already applicable to such firms.”

    However, Governor Waller issued a dissenting statement: “Climate change is real, but I disagree with the premise that it poses a serious risk to the safety and soundness of large banks and the financial stability of the United States. The Federal Reserve conducts regular stress tests on large banks that impose extremely severe macroeconomic shocks and they show that the banks are resilient.”

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance Federal Reserve Climate-Related Financial Risks Risk Management Supervision

  • Fed finalizes updates to policy on payment system risk

    On December 2, the Federal Reserve Board finalized clarifying and technical updates to its Policy on Payment System Risk (PSR). The changes, which are adopted largely as proposed in May 2021 (covered by InfoBytes here), expand depository institutions’ eligibility to request collateralized intraday credit from the Federal Reserve Banks (FRBs), and ease the process for submitting such requests. The final updates also clarify eligibility standards for accessing uncollateralized intraday credit; modify the PSR policy to support the launch of the FedNow instant-payments platform, which is scheduled for mid-year 2023 (covered by InfoBytes here); and simplify and incorporate the related Overnight Overdrafts policy into the PSR policy. Updates related to FedNow and the Overnight Overdrafts policy will take effect once the FRBs start processing live transactions for FedNow. The remaining updates are effective 60 days following publication in the Federal Register.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance Federal Reserve Federal Reserve Banks Payments FedNow Risk Management

  • Senate Banking grills regulators on crypto

    Federal Issues

    On November 15, the Senate Committee on Banking, Housing, and Urban Affairs held a hearing entitled “Oversight of Financial Regulators: A Strong Banking and Credit Union System for Main Street” to hear from federal financial regulators about growing risks related to bank mergers, bailouts, climate change, crypto assets, and cyberattacks, among other topics. Committee Chairman Sherrod Brown (D-OH) opened the hearing by emphasizing that Congress “must stay vigilant and empower regulators with the tools to combat these growing risks,” and said that banks and credit unions must be able to partner with third parties in a manner that enables competition but without risking consumer money. He also warned that big tech companies and shadow banks should not be allowed to “play by different rules because of special loopholes.” In his opening statement, Ranking Member Patrick J. Toomey (R-PA) challenged the regulators to “not stray beyond their mandates into politically contentious issues or establish unnecessary new regulatory burdens,” pointing to the participation of the Federal Reserve Board, FDIC, and OCC in the Network for Greening the Financial System as an example of politicizing financial regulation.

    Testifying at the hearing were the Fed’s Vice Chair for Supervision Michael S. Barr, NCUA Chair Todd M. Harper, acting FDIC Chairman Martin J. Gruenberg, and acting Comptroller of the Currency Michael J. Hsu. Cryptocurrency concerns were a primary focus during the hearing, where Toomey asked the regulators why they still have not provided public clarity on banks’ involvement in crypto activities, such as providing custody services or issuing stablecoins.

    Pointing to a major cryptocurrency exchange’s recent major collapse, Toomey pressed Hsu on whether the OCC “discourages banks from providing custody services” for crypto assets. Toomey speculated, “it seems to me if people had access to custody services provided by a wide range of institutions, including regulated financial institutions, they might be able to sleep more comfortably knowing that those assets are unlikely to be used for some completely inappropriate purpose.” Answering that the OCC discourages banks from engaging in activities that are not safe, sound, and fair, Hsu acknowledged that there are underlying fundamental issues and questions about what it means to control crypto through a custody “which have not been fully worked out.” Toomey emphasized that part of the obligation rests on the OCC to provide clarity on how banks could provide these services in a safe, sound, and fair manner, and stressed that currently these activities are operating in a space outside the regulatory perimeter. Barr agreed that it would be useful for the Fed to provide guidance to banks on how to safely custody crypto assets and said it is something he plans to work on with his colleagues.

    Toomey further noted that Congress’s failure “to pass legislation in this space and the failure of regulators to provide clear guidance has created ambiguity that has driven developers and entrepreneurs overseas where regulations are often lax at best.” Senator Bill Hagerty (R-TN) cautioned that lawmakers should not resort to a “heavy-handed” regulatory response to the cryptocurrency exchange’s collapse. “No amount of poorly considered, knee-jerk over-regulation here in the U.S. would have prevented a foreign-domiciled company like [the collapsed cryptocurrency exchange] from doing what it did,” Hagerty said. “The fact of the matter is that crypto, much like all of finance, isn’t beholden to a specific country or a specific legal system, and by not acting and by failing to provide legal clarity here in the United States, Congress only incentivizes activity to migrate outside of our country’s borders,” Hagerty stated, adding that it is “important to recognize that whatever happened with a bad actor running a centralized exchange and defrauding customers” has “nothing to do with the technology underpinning crypto itself.” When asked by Sen. John Kennedy (R-LA) which regulator was responsible for watching the collapsed cryptocurrency exchange, Gruenberg said “I think in the first instance, you’d probably want to engage with the market regulators, the SEC and the CFTC, to talk about the activities and the authorities in this area.”

    The regulators also discussed efforts to mitigate cybersecurity risks and strengthen information security within the banking industry. Hsu stressed during the hearing that “the greatest risk is the risk of complacency,” while noting in his prepared remarks that the OCC is aware of the risks associated with cybersecurity and has “encouraged banks to stay abreast of new technology and threats.” Barr pointed to the importance of operational resilience in his prepared remarks, noting that “technology-based failures, cyber incidents, pandemics, and natural disasters,” combined with the growing reliance on third-party service providers, expose banks to a range of operational risks that are often challenging to anticipate. Harper commented in his prepared remarks that the NCUA continues to provide guidance for credit unions to reinforce their ability to withstand potential cyberattacks, and recommends that credit unions report cyber incidents to the NCUA, the FBI, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In his prepared remarks, Gruenberg pointed to recent examination findings revealing that banks that have dedicated resources for implementing appropriate controls are better at defending against cyberattacks, and said the FDIC is “piloting technical examination aids that will help [] examiners focus on the controls [] found to be most effective in defending against these attacks.”

    The House Financial Services Committee also held a hearing later in the week that focused on similar topics with the regulators. Chair Maxine Waters (D-CA) and Rep. Patrick McHenry (R-NC) also announced that the committee will hold a hearing in December to investigate the aforementioned cryptocurrency exchange’s collapse and understand the broader consequences the collapse may have on the digital asset ecosystem.

    Federal Issues Digital Assets Privacy, Cyber Risk & Data Security Senate Banking Committee House Financial Services Committee FDIC OCC NCUA Federal Reserve Risk Management Third-Party Climate-Related Financial Risks Fintech
