InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Agencies put out policy on CRE workouts
On June 29, the FDIC, OCC, Federal Reserve Board, and NCUA, in consultation with state bank and credit union regulators, jointly issued a final policy statement addressing prudential commercial real estate loan accommodations and workouts for borrowers experiencing financial difficulty. The policy statement applies to all supervised financial institutions and supersedes previous guidance issued in 2009. Building on existing supervisory guidance, the policy statement advises financial institutions “to work prudently and constructively with creditworthy borrowers during times of financial stress.” The policy statement (i) updates interagency supervisory guidance on commercial real estate loan workouts; (ii) adds a new section on short-term loan accommodations (for purposes of the policy statement, “an accommodation includes any agreement to defer one or more payments, make a partial payment, forbear any delinquent amounts, modify a loan or contract, or provide other assistance or relief to a borrower who is experiencing a financial challenge”); (iii) addresses relevant accounting standard changes on estimating loan losses; and (iv) provides updated examples on how to classify and account for loans modified or affected by loan accommodations or loan workout activity. The policy statement takes effect upon publication in the Federal Register.
OCC updates cybersecurity exam procedures
On June 26, the OCC issued Bulletin 2023-22 announcing recent updates to the agency’s approach to cybersecurity assessment procedures. The Cybersecurity Supervision Work Program (CSW) provides high-level examination objectives and procedures aligned with the National Institute of Standards and Technology Cybersecurity Framework (NIST-CFS) and is part of the agency’s risk-based bank information technology supervision process. The CSW is intended to provide examiners an effective approach for identifying cybersecurity risks in supervised banks.
According to an overview provided by the OCC, the CSW “provides examiners with a common framework and terminology in discussions with bank management” and is structured according to the following NIST-CSF functions: identify, protect, detect, respond, and recover (as well as related categories and subcategories). The OCC also developed an additional function, Specialty Areas, to address areas of risk that may be part of OCC cybersecurity assessments, where applicable. Examiners will use these procedures to supplement those outlined in the “Community Bank Supervision,” “Large Bank Supervision,” and “Federal Branches and Agencies Supervision” booklets of the Comptroller’s Handbook, the FFIEC’s Information Technology Examination Handbook booklets, and other related supervisory guidance.
The OCC encourages supervised banks to use standardized approaches to assess and improve cybersecurity preparedness. Banks may choose from a variety of standardized tools and available frameworks, and should use the agency’s CSW cross-references table for further guidance. No new regulatory expectations are established with the issuance of the CSW.
Agencies release 2023 list of distressed, underserved communities
On June 23, the FDIC, Federal Reserve Board, and the OCC released the 2023 list of distressed or underserved nonmetropolitan middle-income geographies where revitalization or stabilization activities are eligible to receive Community Reinvestment Act (CRA) consideration. According to the joint release, the list of distressed nonmetropolitan middle-income geographies and underserved nonmetropolitan middle-income geographies are designated by the agencies under their CRA regulations and reflect local economic conditions such as unemployment, poverty, and population changes. Under CRA, banks are encouraged to help meet the credit needs of the local communities listed. For any geographies that were designated by the agencies in 2022 but not in 2023, the agencies apply a one-year lag period, so such geographies remain eligible for CRA consideration for another 12 months.
Hsu tells banks to approach AI cautiously
On June 16, Acting Comptroller of the Currency Michael J. Hsu warned that the unpredictability of artificial intelligence (AI) can pose significant risks to the financial system. During remarks presented at the American Bankers Association’s Risk and Compliance Conference, Hsu cautioned that banks must manage risks when adopting technologies such as tokenization and AI. Although Hsu reiterated his skepticism of cryptocurrency (covered by InfoBytes here), he acknowledged that AI and blockchain technology (where most tokenization efforts are currently focused) have the potential to present “significant” benefits to the financial system. He explained that trusted blockchains may improve settlement efficiency through tokenization of real-world assets and liabilities by minimizing lags and thereby reducing related frictions, costs, and risks. However, he warned that legal frameworks and risk and compliance capabilities for tokenizing real-world assets and liabilities at scale require further development, especially considering cross-jurisdictional situations and ownership and property rights.
With respect to banks’ adoption of AI, Hsu flagged AI’s “potential to reduce costs and increase efficiencies; improve products, services and performance; strengthen risk management and controls; and expand access to credit and other bank services.” But there are significant challenges, Hsu said, including bias and discrimination challenges in consumer lending, fraud, and risks created from the use of “generative” AI. Alignment is also the core challenge, Hsu said, explaining that because AI systems are built to learn and may not do what they are programed to do, governance and accountability challenges may become an issue. “Who can and should be held accountable for misaligned, unexpected, and harmful outcomes?” Hsu asked, pointing to banks’ use of third parties to develop and support their AI systems as an area of concern.
Hsu advised banks to approach innovation “responsibly and purposefully” and to proceed cautiously while keeping in mind three principles for managing risks: (i) innovate in stages, expand only when ready, and monitor, adjust and repeat; (ii) “build the brakes while building the engine” and ensure risk and compliance professionals are part of the innovation process; and (iii) engage with regulators early and often during the process and ask for permission, not forgiveness.
OCC warns banks to “guard against complacency” in risk management
On June 14, the OCC released its Semiannual Risk Perspective for Spring 2023, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The agency reported that the overall strength of the federal banking system is sound but warned banks to remain diligent and maintain effective risk management practices over critical functions in order to withstand current and future economic and financial challenges.
The OCC highlighted liquidity, operational, credit, and compliance risk as key risk themes in the report. Observations include: (i) in response to recent bank failures and investment portfolio depreciation, liquidity levels have been strengthened; (ii) credit risk remains moderate, however in certain commercial real estate segments, signs of stress are increasing (high inflation and rising interest rates are also causing credit conditions to deteriorate); (iii) operational risk, including persistent cyber threats, is elevated, while opportunities and risks are created by banks’ increased use of third parties and the digitalization of banking products and service; and (iv) compliance risk remains heightened as banks continue to navigate a dynamic environment where compliance management systems try to keep pace with evolving products, services, and delivery channel offerings.
The report also discussed challenges banks face when trying to manage climate-related financial risks, as well as the importance of investing and aligning technology with banks’ business goals. Acting Comptroller of the Currency Michael Hsu urged banks “to ‘be on the balls of their feet’ with regards to risk management” and “guard against complacency.”
Hsu discusses significance of consumer trust in banking
On June 8, acting Comptroller of Currency Michael J. Hsu discussed the significance of consumer trust in banking, and announced the OCC is considering designing and releasing an annual survey to measure the extent of consumer trust in banking. (See OCC’s request for comments on its proposed annual trust survey.) Hsu noted that public trust in banking is imperative to a good relationship with the communities served and to ensure consumers do not rely on risky means for storing funds. Distrust also presents risks for banks, Hsu said, explaining that “banks that have material fairness and compliance deficiencies may face stiff civil money penalties, restrictions on growth, and sustained reputational damage, limiting their capacities to make loans.” Hsu’s focus on trust in the banking system is also inspired by the threatening impact of unfairness and a lack of inclusivity. Therefore, in addition to the survey, the OCC is focusing on methods of consumer protection to underpin public trust in banks. Efforts include strengthening and modernizing the Community Reinvestment Act to create more lending opportunities to those in low- and moderate-income areas, reforming overdrafts by issuing guidance on overdraft protection programs, and addressing bias in the appraisal of homes by issuing a proposed rule to implement quality control standards for automated valuation models.
Agencies propose ROV guidance
On June 8, the CFPB joined the Federal Reserve Board, FDIC, NCUA, and the OCC to request comments on proposed interagency guidance relating to reconsiderations of value (ROV) for residential real estate valuations. The proposed guidance advises financial institutions on policies that would afford consumers an opportunity to introduce evidence that was not previously considered in the original appraisal. The proposal references the occurrence of “deficiencies” in real estate valuations, which can be due to errors or omissions, valuation methods, assumptions, or other factors. According to the proposed guidance, these kind of valuation deficiencies can “prevent individuals, families, and neighborhoods from building wealth through homeownership by potentially preventing homeowners from accessing accumulated equity, preventing prospective buyers from purchasing homes, making it harder for homeowners to sell or refinance their homes, and increasing the risk of default.” Also noted is the risk non-credible valuations pose to financial institutions, which may lead to loan losses, violations of law, fines, civil money penalties, damages, and civil litigation.
The proposed guidance (i) provides direction on how ROVs overlap with appraisal independence requirements and compliance with relative laws and regulations; (ii) identifies how financial institutions can implement and improve existing ROV policies while remaining compliant with regulations, preserving appraiser independence, and being responsive to consumers; (iii) explains how deficiencies can pose risk to financial institutions and describes how ROV policies should be factored into risk management functions; and (iv) provides examples of ROV policies, procedures, control systems, and complaint processes to address deficient valuations.
Comments on the proposed guidance are due within 60 days of publication in the Federal Register.
Agencies finalize guidance on managing third parties
On June 6, the OCC, Federal Reserve Board, and FDIC issued interagency guidance to aid banking organizations in managing risks related to third-party relationships, including relationships with financial technology-focused entities. (See also FDIC FIL-29-2023 and Federal Reserve Board memo here.) The joint guidance, final as of June 6, replaces each agency’s existing general guidance on third-party risk management and is directed to all supervised banking organizations. Designed to streamline government guidance on mitigating risks when working with third parties, the final guidance establishes principles for banking organizations to consider when implementing risks management practices. Banking organizations are advised to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.
After considering public comments received on proposed guidance issued in July 2021 (covered by InfoBytes here), the final guidance provides directions and expectations for oversight at all stages in the life cycle of a third-party relationship, including topics relating to planning, due diligence and third-party selection, contract negotiations, ongoing monitoring, and termination. Guidance on conducting independent reviews, maintaining documentation, and reporting is also included. The agencies advised banking organizations, particularly community banks, to review illustrative examples to help align risk management practices with the scope and risk profile of their third-party relationships. Additionally, banking organizations should maintain a complete inventory of their third-party relationships, identify higher-risk and critical activities, periodically conduct reviews to determine whether risks have changed over time, and update risk management practices accordingly, the agencies said.
The final guidance emphasizes that the agencies will review a banking organization’s third-party risk management practices as part of the standard supervisory process. When assessing whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, examiners will, among other things, (i) evaluate a banking organization’s ability to oversee and manage third party relationships; (ii) assess the effects of those relationships on a banking organization’s risk profile and operational performance; (iii) perform transaction testing to evaluate whether activities performed by a third party comply with applicable laws and regulations; (iv) conduct conversations relating to any identified material risks and deficiencies with senior management and board of directors; (v) review how a banking organization remediates any deficiencies; and (vi) consider supervisory findings when rating a banking organization.
The agencies stressed that they may take corrective measures, including enforcement actions, to address identified violations or unsafe or unsound banking practices by the banking organization or its third party. The agencies further announced that they plan to immediately engage with community banks and will develop additional resources in the future to help these organizations manage relevant third-party risks.
Agencies propose new standards for AVMs
On June 1, the CFPB joined the Federal Reserve Board, OCC, FDIC, NCUA, and FHFA in issuing a notice of proposed rulemaking (NPRM) to implement quality control standards mandated by the Dodd-Frank Act concerning automated valuation models (AVMs) used by mortgage originators and secondary market issuers. Specifically, institutions that engage in certain credit decisions or make securitization determinations would be required to adopt quality control standards to ensure a high level of confidence that estimates produced by an AVM are fair and nondiscriminatory. Other requirements would necessitate institutions to protect against data manipulation and avoid conflicts of interest. Institutions would also be required to conduct random sample testing and reviews and comply with applicable nondiscrimination laws. The agencies acknowledged that while advances in AVM technology and data availability may contribute to lower costs and reduce loan cycle times, institutions’ reliance on AMV technology must not be used as an excuse to evade the law.
CFPB Director Rohit Chopra explained that, while AVMs rely on mathematical formulas and number crunching to produce estimates (and are often used to “check” human appraisers or used in place of an appraisal), they can still embed the human biases they are meant to correct. This is due in part to the data fed into the AVMs, the algorithms used within the machines, and biases and blind spots attributed to the individuals who develop the models, Chopra warned, commenting that AVMs can actually “make bias harder to eradicate in home valuations because the algorithms used cloak the biased inputs and design in a false mantle of objectivity.”
Chopra went on to explain that inaccurate or biased algorithms can lead to serious harms to consumers, neighborhoods, and the housing market, and may also impact the tax base. A focus common to all the agencies, Chopra said, is ensuring that automated systems and artificial intelligence modeling technologies are developed and used in accordance with federal laws to avert discriminatory outcomes and prevent negative impacts on consumer financial stability.
Comments on the NPRM are due within 60 days of publication in the Federal Register.
OCC’s new enforcement policy targets banks with “persistent weaknesses”
On May 25, the OCC announced revisions to its Policies and Procedures Manual (PPM) for bank enforcement actions. According to OCC Bulletin 2023-16, the recently revised version of PPM 5310-3 replaces and rescinds a version issued in November 2018 (covered by InfoBytes here), and now includes “Appendix C: Actions Against Banks With Persistent Weaknesses” to provide increased transparency and clarity on how the OCC determines whether a bank has persistent weaknesses and how the agency considers what actions may be needed to address these issues. The OCC explained that “persistent weaknesses” may include “composite or management component ratings that are 3 or worse, or three or more weak or insufficient quality of risk management assessments, for more than three years; failure by the bank to adopt, implement, and adhere to all the corrective actions required by a formal enforcement action in a timely manner; or multiple enforcement actions against the bank executed or outstanding during a three-year period.”
Possible actions taken against a bank that exhibits persistent weaknesses may include additional requirements and restrictions, such as requirements that a bank improve “composite or component ratings or quality of risk management assessments,” as well as restrictions on the bank’s growth, business activities, or payments of dividends. A bank may also be required “to take affirmative actions, including making or increasing investments targeted to aspects of its operations or acquiring or holding additional capital or liquidity.”
“Should a bank fail to correct its persistent weaknesses in response to prior enforcement actions or other measures . . . the OCC will consider further action to require the bank to remediate the weaknesses,” the agency said. “Such action could require the bank to simplify or reduce its operations, including that the bank reduce its asset size, divest subsidiaries or business lines, or exit from one or more markets of operation.” PPM 5310-3 also incorporates additional clarifications and updates legal and regulatory citations.
The same day, the OCC issued updates to its “Liquidity” booklet of the Comptroller’s Handbook used by examiners when assessing the quantity of a bank’s liquidity risk and the quality of its liquidity risk management. The booklet replaces an August 2021 version and reflects changes in regulations, makes clarifying edits, and addresses OCC issuances published since the last update.