InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Agencies finalize guidance on managing third parties
On June 6, the OCC, Federal Reserve Board, and FDIC issued interagency guidance to aid banking organizations in managing risks related to third-party relationships, including relationships with financial technology-focused entities. (See also FDIC FIL-29-2023 and Federal Reserve Board memo here.) The joint guidance, final as of June 6, replaces each agency’s existing general guidance on third-party risk management and is directed to all supervised banking organizations. Designed to streamline government guidance on mitigating risks when working with third parties, the final guidance establishes principles for banking organizations to consider when implementing risks management practices. Banking organizations are advised to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.
After considering public comments received on proposed guidance issued in July 2021 (covered by InfoBytes here), the final guidance provides directions and expectations for oversight at all stages in the life cycle of a third-party relationship, including topics relating to planning, due diligence and third-party selection, contract negotiations, ongoing monitoring, and termination. Guidance on conducting independent reviews, maintaining documentation, and reporting is also included. The agencies advised banking organizations, particularly community banks, to review illustrative examples to help align risk management practices with the scope and risk profile of their third-party relationships. Additionally, banking organizations should maintain a complete inventory of their third-party relationships, identify higher-risk and critical activities, periodically conduct reviews to determine whether risks have changed over time, and update risk management practices accordingly, the agencies said.
The final guidance emphasizes that the agencies will review a banking organization’s third-party risk management practices as part of the standard supervisory process. When assessing whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, examiners will, among other things, (i) evaluate a banking organization’s ability to oversee and manage third party relationships; (ii) assess the effects of those relationships on a banking organization’s risk profile and operational performance; (iii) perform transaction testing to evaluate whether activities performed by a third party comply with applicable laws and regulations; (iv) conduct conversations relating to any identified material risks and deficiencies with senior management and board of directors; (v) review how a banking organization remediates any deficiencies; and (vi) consider supervisory findings when rating a banking organization.
The agencies stressed that they may take corrective measures, including enforcement actions, to address identified violations or unsafe or unsound banking practices by the banking organization or its third party. The agencies further announced that they plan to immediately engage with community banks and will develop additional resources in the future to help these organizations manage relevant third-party risks.
Agencies propose new standards for AVMs
On June 1, the CFPB joined the Federal Reserve Board, OCC, FDIC, NCUA, and FHFA in issuing a notice of proposed rulemaking (NPRM) to implement quality control standards mandated by the Dodd-Frank Act concerning automated valuation models (AVMs) used by mortgage originators and secondary market issuers. Specifically, institutions that engage in certain credit decisions or make securitization determinations would be required to adopt quality control standards to ensure a high level of confidence that estimates produced by an AVM are fair and nondiscriminatory. Other requirements would necessitate institutions to protect against data manipulation and avoid conflicts of interest. Institutions would also be required to conduct random sample testing and reviews and comply with applicable nondiscrimination laws. The agencies acknowledged that while advances in AVM technology and data availability may contribute to lower costs and reduce loan cycle times, institutions’ reliance on AMV technology must not be used as an excuse to evade the law.
CFPB Director Rohit Chopra explained that, while AVMs rely on mathematical formulas and number crunching to produce estimates (and are often used to “check” human appraisers or used in place of an appraisal), they can still embed the human biases they are meant to correct. This is due in part to the data fed into the AVMs, the algorithms used within the machines, and biases and blind spots attributed to the individuals who develop the models, Chopra warned, commenting that AVMs can actually “make bias harder to eradicate in home valuations because the algorithms used cloak the biased inputs and design in a false mantle of objectivity.”
Chopra went on to explain that inaccurate or biased algorithms can lead to serious harms to consumers, neighborhoods, and the housing market, and may also impact the tax base. A focus common to all the agencies, Chopra said, is ensuring that automated systems and artificial intelligence modeling technologies are developed and used in accordance with federal laws to avert discriminatory outcomes and prevent negative impacts on consumer financial stability.
Comments on the NPRM are due within 60 days of publication in the Federal Register.
OCC’s new enforcement policy targets banks with “persistent weaknesses”
On May 25, the OCC announced revisions to its Policies and Procedures Manual (PPM) for bank enforcement actions. According to OCC Bulletin 2023-16, the recently revised version of PPM 5310-3 replaces and rescinds a version issued in November 2018 (covered by InfoBytes here), and now includes “Appendix C: Actions Against Banks With Persistent Weaknesses” to provide increased transparency and clarity on how the OCC determines whether a bank has persistent weaknesses and how the agency considers what actions may be needed to address these issues. The OCC explained that “persistent weaknesses” may include “composite or management component ratings that are 3 or worse, or three or more weak or insufficient quality of risk management assessments, for more than three years; failure by the bank to adopt, implement, and adhere to all the corrective actions required by a formal enforcement action in a timely manner; or multiple enforcement actions against the bank executed or outstanding during a three-year period.”
Possible actions taken against a bank that exhibits persistent weaknesses may include additional requirements and restrictions, such as requirements that a bank improve “composite or component ratings or quality of risk management assessments,” as well as restrictions on the bank’s growth, business activities, or payments of dividends. A bank may also be required “to take affirmative actions, including making or increasing investments targeted to aspects of its operations or acquiring or holding additional capital or liquidity.”
“Should a bank fail to correct its persistent weaknesses in response to prior enforcement actions or other measures . . . the OCC will consider further action to require the bank to remediate the weaknesses,” the agency said. “Such action could require the bank to simplify or reduce its operations, including that the bank reduce its asset size, divest subsidiaries or business lines, or exit from one or more markets of operation.” PPM 5310-3 also incorporates additional clarifications and updates legal and regulatory citations.
The same day, the OCC issued updates to its “Liquidity” booklet of the Comptroller’s Handbook used by examiners when assessing the quantity of a bank’s liquidity risk and the quality of its liquidity risk management. The booklet replaces an August 2021 version and reflects changes in regulations, makes clarifying edits, and addresses OCC issuances published since the last update.
Hsu discusses progress on reducing unbanked
On May 23, acting Comptroller of the Currency Michael J. Hsu discussed the agency’s commitment to promote a fair and inclusive financial system. During remarks presented at the Bank On National Conference, Hsu observed that while progress has been made to reduce the number of unbanked households in recent years and broadly improve account access, 5.9 million U.S. households remain outside the banking system. Higher unbanked rates are found among consumers with lower incomes and less education, as well as consumers who are young, Black or Hispanic, have disabilities, or are single mothers, Hsu added. He commented that to continue expanding financial access, innovations and adjustments should be made to banks’ screening processes, such as allowing for more forms of identification, streamlining remote account opening, partnering with benefits providers and employers, and training frontline staff to consistently offer Bank On accounts to new customers. “One of the ‘strongly recommended’ features of Bank On certified accounts is the acceptance of alternative forms of identification such as consular identification cards and municipal IDs,” Hsu said. “Bank On also ‘strongly recommends’ that accounts only be denied for customers with past incidences of actual fraud.” Hsu further recommended that banks pay particular attention to how they measure and manage financial crime risks specifically associated with Bank On accounts as account opening processes evolve “so that those who lack traditional forms of identification or fixed addresses and those who cannot physically visit a branch can still open an account.” Hsu warned banks to continue considering risks associated with overdraft protection programs and encouraged banks to explore other measures such as low-cost accounts and lower-cost alternatives for covering overdrafts.
OCC releases enforcement actions
On May 18, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Among the enforcement actions is a consent order against an Indiana-based bank for allegedly engaging in unsafe or unsound practices relating to, among other things, its strategic and capital planning, risk management processes, audit program, and consumer compliance program (including alleged violations of TILA and Regulation Z). In addition to complying with measures to address the alleged deficiencies, the bank (which neither admits nor denies the allegations) is also required to submit written consumer compliance policies and procedures designed to ensure compliance with TILA and Regulation Z. The bank also must undergo an independent compliance review and audit and ensure bank officers and employees are appropriately trained.
Republicans say regulators are coordinating on de-banking digital assets
On April 26, House Financial Services Committee Chairman Patrick McHenry (R-NC), Digital Assets, Financial Technology and Inclusion Subcommittee Chairman French Hill (R-AR), and Oversight and Investigations Subcommittee Chairman Bill Huizenga (R-MI) sent separate letters to the Federal Reserve Board Chair Jerome Powell, FDIC Chair Martin J. Gruenberg, and acting Comptroller of the Currency Michael J. Hsu seeking information to help the lawmakers determine whether there exists a “coordinated strategy to de-bank the digital asset ecosystem in the United States” and “suppress innovation.”
The text common to each letter pointed to actions taken by the federal prudential regulators as discouraging banks from offering services to digital asset firms. The lawmakers cited OCC guidance issued in 2021 (Interpretive Letter 1179, covered by InfoBytes here), which stated that banks can engage in certain cryptocurrency activities as long as they are able to “demonstrate, to the satisfaction of its supervisory office, that it has controls in place to conduct the activity in a safe and sound manner” and the banks receive a regulator’s written non-objection. Also discussed were FDIC instructions released in April 2022, which directed banks to promptly notify the agency if they intend to engage in, or are currently engaged in, any digital-asset-related activities, as well as a joint statement issued by the regulators in January that highlighted key risks banks should consider when choosing to engage in cryptocurrency activities. (Covered by InfoBytes here and here.)
Referring to certain recent bank collapses, the lawmakers argued that they do not believe that the underlying problems were caused by digital asset-related customers. The lawmakers requested information related to non-public records and communications between agency employees and supervised banks relating to the aforementioned guidance by May 9.
Agencies release statement on LIBOR sunset; CFPB amends Reg Z to reflect transition
On April 26, the CFPB joined the Federal Reserve Board, FDIC, NCUA, and OCC in issuing a joint statement on the completion of the LIBOR transition. (See also FDIC FIL-20-2023 and OCC Bulletin 2023-13.) According to the statement, the use of USD LIBOR panels will end on June 30. The agencies reiterated their expectations that financial institutions with USD LIBOR exposure must “complete their transition of remaining LIBOR contracts as soon as practicable.” Failure to adequately prepare for LIBOR’s discontinuance may undermine financial stability and institutions’ safety and soundness and could create litigation, operational, and consumer protection risks, the agencies stressed, emphasizing that institutions are expected to take all necessary steps to ensure an orderly transition. Examiners will monitor banks’ efforts throughout 2023 to ensure contracts have been transitioned away from LIBOR in a manner that complies with applicable legal requirements. The agencies also reminded institutions that safe-and-sound practices include conducting appropriate due diligence to ensure that replacement alternative rate selections are appropriate for an institution’s products, risk profile, risk management capabilities, customer and funding needs, and operational capabilities. Institutions should also “understand how their chosen reference rate is constructed and be aware of any fragilities associated with that rate and the markets that underlie it,” the agencies advised. Both banks and nonbanks should continue efforts to adequately prepare for LIBOR’s sunset, the Bureau said in its announcement, noting that the agency will continue to help institutions transition affected consumers in an orderly manner.
The Bureau also issued an interim final rule on April 28 amending Regulation Z, which implements TILA, to update various provisions related to the LIBOR transition. The interim final rule updates the Bureau’s 2021 LIBOR Transition Rule (covered by InfoBytes here) to reflect the enactment of the Adjustable Interest Rate Act of 2021 and its implementing regulation promulgated by the Federal Reserve Board (covered by InfoBytes here). Among other things, the interim final rule further addresses LIBOR’s sunset on June 30, by incorporating references to the SOFR-based replacement—the Fed-selected benchmark replacement for the 12-month LIBOR index—into Regulation Z. The interim final rule also (i) makes conforming changes to terminology used to identify LIBOR replacement indices; and (ii) provides an example of a 12-month LIBOR tenor replacement index that meets certain standards within Regulation Z. The Bureau also released a Fast Facts summary of the interim final rule and updated the LIBOR Transition FAQs.
The interim final rule is effective May 15. Comments are due 30 days after publication in the Federal Register.
OCC, FDIC say some overdraft fees may be unfair or deceptive
On April 26, the OCC and FDIC issued supervisory guidance addressing consumer compliance risks associated with bank overdraft practices. (See OCC Bulletin 2023-12 and FDIC FIL-19-2023.) The guidance highlighted certain practices that may result in increased risk exposure, including assessing overdraft fees on “authorize positive, settle negative” (APSN) transactions and assessing representment fees each time a third party resubmits the same item for payment after being returned by a bank for non-sufficient funds. The agencies provided guidance for banks that may help control risks associated with overdraft protection programs and achieve compliance with Dodd-Frank’s UDAAP prohibitions and section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices.
The FDIC’s supervisory guidance expanded on the 2019 Consumer Compliance Supervisory Highlights (covered by InfoBytes here), and warned that APSN overdraft fees present risks of unfairness under both statutes as consumers “cannot reasonably avoid” receiving these fees because they lack “the ability to effectively control payment systems and overdraft processing systems practices.” The FDIC cited the “complicated nature of overdraft processing systems” as another impediment to a consumer’s ability to avoid injury. The FDIC also emphasized that risks of unfairness exist both in “available balance” or “ledger balance” methods of assessing overdraft fees, but cautioned that risks may be “more pronounced” when a bank uses an available balance method. Furthermore, the FDIC warned that disclosures describing how transactions are processed may not mitigate UDAAP and UDAP risk. Banks are encouraged to “ensure customers are not charged overdraft fees for transactions consumers may not anticipate or avoid,” and should take measures to ensure overdraft programs provided by third parties comply with all applicable laws and regulations, as such arrangements may present additional risks if not properly managed, the FDIC explained.
The OCC’s guidance also warned that disclosures may be deceptive under section 5 if they fail to clearly explain that multiple or additional fees may result from multiple presentments of the same transaction. Recognizing that some banks have already implemented changes to their overdraft protection programs, the OCC also acknowledged that “[w]hen supported by appropriate risk management practices, overdraft protection programs may assist some consumers in meeting short-term liquidity and cash-flow needs.” The OCC encouraged banks to explore other options, such as offering low-cost accounts and low-cost alternatives for covering overdrafts, such as overdraft lines of credit and linked accounts.
Hsu discusses open banking
Acting Comptroller of the Currency Michael J. Hsu recently discussed the evolution and impact of open banking during remarks at the Spring FDX Global Summit. Defining open banking as “enabling consumer-permissioned sharing of financial data with third parties to empower consumers, foster competition, and expand financial inclusion,” Hsu explained that, under the concept, consumers may eventually be able to access a wide range of financial service providers and move checking and savings accounts between providers more readily. Hsu cautioned, however, that new risks may arise due to increases in the “volume and complexity of consumer-permissioned sharing.” Hsu highlighted the interconnectedness of open banking, safety and soundness, and the changing culture of banking due to the digitalization of banking and the associated promises of innovation. “The potential for open banking to provide consumers with greater control over their financial data, to increase the portability of banking accounts, and to foster greater competition and fairness in the provision of financial services is significant and may impact banking in a variety of ways,” he said.
Hsu commented that, while the OCC supports opening banking, it is also cautious about potential increases to liquidity, operational, and compliance risks. While account portability “will be empowering for consumers, in isolation this would likely increase the liquidity risk of retail deposits for banks,” Hsu said. Additionally, increasing the volume and complexity of consumer-permissioned sharing has the potential to introduce new risks and necessitate new controls, Hsu said, adding that banks operating as data providers will need to “interact with aggregators, fintechs, technology firms, and competitor banks,” and “expand from reliably handling their customers’ money, to also reliably handling their financial data.” Underscoring the blurred lines between banking and commerce in the digital arena, Hsu emphasized that “[o]pen banking cannot be accomplished by banks alone. Data aggregators and fintechs already play a significant role, which will expand as open banking is more fully adopted.”
FFIEC releases 2023 HMDA reporting guide
On April 13, the OCC issued Bulletin 2023-10 announcing the Federal Financial Institutions Examinations Council’s issuance of the 2023 edition of the revised “A Guide to HMDA Reporting: Getting It Right!” The guide focuses on HMDA data submissions due March 1, 2024, and includes requirements and instructions for reporting and disclosing data for institutions and transactions covered by Regulation C. The guide also reflects a technical amendment to the 2020 HMDA Rule to adjust the loan volume thresholds (which took effect January 1) for reporting HMDA data on closed-end mortgage loans. As previously covered by InfoBytes, the CFPB issued the technical amendment last December to establish that the threshold for reporting data about closed-end mortgage loans is 25 mortgage loans in each of the two preceding calendar years, the threshold established by the 2015 HMDA Rule.