InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Federal agencies seek comments on third-party relationships
On July 13, the Federal Reserve Board, FDIC, and OCC announced a request for public comments on proposed guidance designed to aid banking organizations manage risks related to third-party relationships, including relationships with financial technology-focused entities. The guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance. The proposed guidance provides “a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.” The proposal addresses key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Comments on the proposal are due 60 days after publication in the Federal Register.
CFPB and FDIC release enhancements to financial education program for seniors
On July 14, the CFPB and FDIC announced enhancements to Money Smart for Older Adults, the agencies’ financial education program geared toward preventing elder financial exploitation. The enhanced version includes sections to help people avoid romance scams, which, according to data from the FTC, led to $304 million in losses in 2020. In addition, the agencies are also releasing an informational brochure on Covid-19 related scams. FDIC training materials and other resources for older adults are available from the CFPB here.
Biden orders federal agencies to evaluate banking, consumer protections
On July 9, President Biden issued a broad Executive Order (E.O.) that includes provisions related to the financial services industry.
- CFPB. The E.O. encourages the CFPB director to issue rules under Section 1033 of Dodd-Frank “to facilitate the portability of consumer financial transaction data so consumers can more easily switch financial institutions and use new, innovative financial products.” As previously covered by InfoBytes, last October, the Bureau issued an advanced notice of proposed rulemaking on Section 1033, seeking comments on questions related to consumers’ access to their financial records. The E.O. also instructs the Bureau to enforce Section 1031 of Dodd-Frank, which prohibits unfair, deceptive, or abusive acts or practices in consumer financial products or services, “to ensure that actors engaged in unlawful activities do not distort the proper functioning of the competitive process or obtain an unfair advantage over competitors who follow the law.”
- Treasury Department. The E.O. calls on Treasury to submit a report within 270 days on the effects on competition of large technology and other non-bank companies’ entry into the financial services space.
- FTC. The E.O. tasks the FTC with establishing rules to address concerns about “unfair data collection and surveillance practices that may damage competition, consumer autonomy, and consumer privacy.” The FTC already commenced that process on July 1, when it approved changes to its Rules of Practice to amend and simplify the agency’s procedures for initiating rulemaking proceedings. According to Commissioner Rebecca Kelly Slaughter, “[s]treamlined procedures for Section 18 rulemaking means that the Commission will have the ability to issue timely rules on issues ranging from data abuses to dark patterns to other unfair and deceptive practices widespread in our economy.”
- Bank Mergers. The E.O. encourages the Attorney General, in consultation with the Federal Reserve Board, FDIC, and OCC, to “review current practices and adopt a plan, not later than 180 days after the date of this order, for the revitalization of merger oversight under the Bank Merger Act and the Bank Holding Company Act of 1956.”
FDIC Chairman discusses innovation in banking
On June 29, FDIC Chairman Jelena McWilliams spoke at the “Fintech: A Bridge to Economic Inclusion” conference on technology’s role in creating and facilitating a more inclusive financial system. McWilliams noted that while the proportion of U.S. households that were banked in 2019 was 94.6 percent, 7 million households still reported no banking relationship. Moreover, she noted that “the rates for Black and Hispanic households who do not have a checking or savings account at a bank remain substantially higher than the overall ‘unbanked’ rate.” McWilliams discussed the FDIC’s multi-pronged approach to tackle the issue of financial inclusion, which includes: (i) looking at financial innovations in the private sector; (ii) taking steps, including hosting tech sprints, to identify solutions; (iii) coordinating with Minority Depository Institutions and Community Development Financial Institutions; and (iv) conducting targeted public awareness campaigns on the importance of having a banking relationship. In explaining the initiatives, McWilliams pointed out that encouraging the use of alternative data that is not usually found in consumer credit files can “help firms evaluate the creditworthiness of consumers who might not otherwise have access to credit in the mainstream credit system.” She also discussed the use of artificial intelligence, updating brokered deposits rulemaking, and establishing a public/private standard-setting organization for due diligence of vendors and for the technologies they develop. According to McWilliams, “FDiTech is also leading tech sprints to identify data, tools, and technology to help community banks meet the needs of the unbanked, including how to measure impact.” (Covered by InfoBytes here.) McWilliams concluded her remarks by explaining that “[a]lthough the FDIC has limited ability to address directly the issue of unbanked Americans, there are things that [it] can do – and which [it is] doing – to foster innovation across all banks and to reduce the regulatory cost of and barriers to innovation.”
FFIEC releases “Architecture, Infrastructure, and Operations” booklet
On June 30, the Federal Financial Institutions Examinations Council (FFIEC) published the “Architecture, Infrastructure, and Operations” booklet of the FFIEC Information Technology Examination Handbook, which provides guidance to examiners on assessing the risk profile and adequacy of an entity’s information technology architecture, infrastructure, and operations (AIO). According to FDIC FIL-47-2021, the booklet, among other things: (i) describes the principles and practices that examiners should review in order to assess an entity’s AIO functions; (ii) focuses on “enterprise-wide, process-oriented approaches regarding the design of technology within the overall enterprise and business structure, implementation of information technology infrastructure components, and delivery of services and value for customers”; and (iii) mentions “assessing an entity’s governance of common AIO-related risks, enterprise-wide IT architectural planning and design, implementation of virtual and physical infrastructure, and on assessing an entity’s related operational controls.” In addition, according to an OCC announcement, the booklet discusses how appropriate governance of the AIO functions and related activities can: (i) promote risk identification across banks, nonbank financial institutions, bank holding companies, and third-party providers; (ii) support implementation of effective risk management; (iii) assist management through the regular assessment of an entity’s strategies; and (iv) promote alignment and integration between the functions. The booklet replaces the Operations booklet issued in July 2004.
FinCEN issues first government-wide AML/CFT priorities
On June 30, the Financial Crimes Enforcement Network (FinCEN) issued the first government-wide priorities for anti-money laundering and countering the financing of terrorism (AML/CFT) policy (AML/CFT Priorities) pursuant to the Anti-Money Laundering Act of 2020 (AML Act). The AML/CFT Priorities were established in consultation with the Treasury Department’s Office of Foreign Assets Control, SEC, CFTC, IRS, state financial regulators, law enforcement, and national security agencies, and highlight key threat trends as well as informational resources to assist covered institutions manage their risks and meet their obligations under laws and regulations designed to combat money laundering and counter terrorist financing. According to the AML/CFT Priorities, the most significant AML/CFT threats currently facing the U.S. (in no particular order) are corruption, cybercrime, domestic and international terrorist financing, fraud, transnational criminal organization activity, drug trafficking organization activity, human trafficking and human smuggling, and proliferation financing. FinCEN further noted it will update the AML/CFT Priorities to highlight new or evolving threats at least once every four years as required under the AML Act, and issued a separate statement providing additional clarification for covered institutions.
Separately, the Federal Reserve Board, FDIC, NCUA, OCC, state bank and credit union regulators, and FinCEN also issued a joint statement providing clarity for banks on the AML/CFT Priorities. The statement emphasized that the publication of the AML/CFT Priorities “does not create an immediate change to Bank Secrecy Act (BSA) requirements or supervisory expectations for banks.” Rather, within 180 days of the establishment of the AML/CFT Priorities, FinCEN will promulgate regulations, as appropriate, in consultation with the federal functional regulators and relevant state financial regulators. The federal banking agencies noted that they intend to revise their BSA regulations as needed to address how the AML/CFT priorities will be incorporated into BSA requirements for banks, adding that banks will not be required to incorporate the AML/CFT Priorities into their risk-based BSA compliance programs until the effective date of the final revised regulations. However, banks may choose to begin considering how they intend to incorporate the AML/CFT Priorities, “such as by assessing the potential related risks associated with the products and services they offer, the customers they serve, and the geographic areas in which they operate.” Moreover, the statement confirmed that federal and state examiners will not examine banks for the incorporation of the AML/CFT Priorities into their risk-based BSA programs until the final revised regulations take effect.
FDIC outlines revised approach for insured depository institution resolution planning
On June 25, the FDIC announced PR-58-2021, which outlines a modified approach to implementing its rule requiring insured depository institutions (IDIs) with $100 billion or more in total assets (CIDIs) to submit resolution plans under the Federal Deposit Insurance Act. Among other things, the modified approach extends the resolution plan’s submission frequency to a three-year cycle and lays out new details regarding the FDIC’s emphasis on engagement with firms. The new approach “exempts filers from other content requirements that have been less useful or are obtainable through other supervisory channels.” In addition, on a case-by-case basis, the FDIC plans to “expressly exempt certain content requirements based on the FDIC’s evaluation of how useful or material the information would be in planning to resolve the specified CIDI.” Resolution plans will be submitted in two groups. The first group will contain IDIs whose top tier parent company is not regarded as a U.S. global systemically important bank or a category II banking organization. The second group encompass all other IDIs with $100 billion or more in total assets. For institutions with less than $100 billion in total assets, the moratorium on submission of IDI plans announced in November 2018 remains in effect.
FDIC releases May enforcement actions
On June 25, the FDIC released a list of administrative enforcement actions taken against banks and individuals in May. During the month, the FDIC issued 10 orders and one notice consisting of “two Orders to Pay Civil Money Penalties, four Section 19 Applications, three Orders Terminating Consent Orders, one Order of Prohibition from Further Participation, and Notice of Intention to Prohibit from Further Participation, one Notice of Assessment of Civil Money Penalties, Findings of Fact, Conclusions of Law, Order to Pay, and Notice of Hearing.” Among the orders is a civil money penalty imposed against an Oregon-based bank concerning allegations of unfair and deceptive practices related to a wholly-owned subsidiary’s debt collection practices for commercial equipment financing. As previously covered by InfoBytes, the bank’s subsidiary allegedly violated Section 5 of the FTC Act by, among other things, unfairly and deceptively charging various undisclosed collection fees—such as collection call and letter fees and third-party collection fees—to borrowers with past due accounts. The bank, which did not admit or deny the violations, agreed to voluntarily pay an approximately $1.8 million civil money penalty.
The FDIC also imposed a civil money penalty against an Iowa-based bank related to alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank (i) “[m]ade, increased, extended or renewed loans secured by a building or mobile home located or to be located in a special flood hazard area without requiring that the collateral be covered by flood insurance”; (ii) “[f]ailed to timely notify the borrower that the borrower should obtain flood insurance, at the borrower’s expense, upon determining that the collateral was not covered by flood insurance at some time during the term of the loan”; and (iii) “[f]ailed to timely purchase flood insurance on the borrower’s behalf when the borrower failed to do so within 45 days of being advised to obtain adequate flood insurance.” The order requires the payment of a $8,000 civil money penalty.
State AGs argue FDIC’s “valid-when-made rule” violates APA
On June 17, eight state attorneys general (from California, Illinois, Massachusetts, Minnesota, New Jersey, New York, North Carolina, and the District of Columbia) filed an opposition to the FDIC’s motion for summary judgment and reply in support of their motion for summary judgment in a lawsuit challenging the FDIC’s “valid-when-made rule.” As previously covered by InfoBytes, last August the AGs filed a lawsuit in the U.S. District Court for the Northern District of California arguing, among other things, that the FDIC does not have the power to issue the rule, and asserting that the FDIC has the power to issue “‘regulations to carry out’ the provisions of the [Federal Deposit Insurance Act]” but not regulations that would apply to non-banks. The AGs also claimed that the rule’s extension of state law preemption would “facilitate evasion of state law by enabling ‘rent-a-bank’ schemes,” and that the FDIC failed to explain its consideration of evidence contrary to its assertions, including evidence demonstrating that “consumers and small businesses are harmed by high interest-rate loans.” The complaint asked the court to declare that the FDIC violated the Administrative Procedures Act (APA) in issuing the rule and to hold the rule unlawful. The FDIC countered in May (covered by InfoBytes here) that the AGs’ arguments “misconstrue” the rule, which “does not regulate non-banks, does not interpret state law, and does not preempt state law.” Rather, the FDIC argued that the rule clarifies the FDIA by “reasonably” filling in “two statutory gaps” surrounding banks’ interest rate authority.
In response, the AGs argued that the rule violates the APA because the FDIC’s interpretation in its “Non-Bank Interest Provision” (Provision) conflicts with the unambiguous plain-language statutory text, which preempts state interest-rate caps for federally insured, state-chartered banks and insured branches of foreign banks (FDIC Banks) alone, and “impermissibly expands the scope of § 1831d to preempt state rate caps as to non-bank loan buyers of FDIC Bank loans.” Additionally, the AGs challenged the FDIC’s claim that its Provision “does not implicate rent-a-bank schemes or the true lender doctrine because the Provision only applies ‘if a bank actually made the loan,’” emphasizing that the FDIC’s “mere statement that it does not condone rent-a-bank schemes” is insufficient and that “choosing to not address true-lender issues is an insufficient response to comments that the Provision creates significant uncertainty about those issues.” Moreover, the AGs claimed that the Provision is “arbitrary and capricious” and fails to meaningfully address valid concerns and criticisms raised by commenters, and that the rule constitutes “in substance if not form, a reversal of the FDIC’s previous stance” that the FDIC is “obligated to acknowledge and explain.”
FFIEC updates BSA/AML examination manual
On June 21, the Federal Financial Institutions Examinations Council (FFIEC) published updated versions of four sections of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (Manual), which provides examiners with instructions for assessing a bank or credit union’s BSA/AML compliance program and compliance with BSA regulatory requirements. The revisions can be identified by a 2021 date label on the FFIEC BSA/AML InfoBase and include the following updated sections: International Transportation of Currency or Monetary Instruments Reporting, Purchase and Sale of Monetary Instruments Recordkeeping, Reports of Foreign Financial Accounts, and Special Measures. The FFIEC notes that the “updates should not be interpreted as new instructions or as a new or increased focus on certain areas,” but are intended to “offer further transparency into the examination process and support risk-focused examination work.” In addition, the Manual itself does not establish requirements for financial institutions as these requirements are found in applicable statutes and regulations. (See also FDIC FIL-12-2021 and OCC Bulletin 2021-10.) As previously covered by InfoBytes, in February the FFIEC updated the following sections of the Manual: Assessing Compliance with Bank Secrecy Act Regulatory Requirements, Customer Identification Program, Currency Transaction Reporting, and Transactions of Exempt Persons.