InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Special Alert: OCC Updates Third-Party Risk Management Guidance
On October 30, the OCC issued Bulletin 2013-29 to update guidance relating to third-party risk management. The Bulletin, which rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9, requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, including joint ventures, affiliates or subsidiaries, and payment processors. It is substantially more prescriptive than CFPB Bulletin 2012-3, and incorporates third-party relationship management principles underlying recent OCC enforcement actions.
The Bulletin warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” It outlines a “life cycle” approach and provides detailed descriptions of steps that a bank should consider taking at five important stages:
Planning: A third party relationship should begin with an internal assessment of risks relating to third parties in general, and to the intended third party in particular. Such planning should focus on both the potential impact to the bank and the bank’s customers, as well as potential security, regulatory, and legal ramifications.
Due Diligence and Third Party Selection: The Bulletin requires that the bank conduct an adequate due diligence review of the third party prior to entering a contract. Proper due diligence includes a thorough evaluation of all potential third parties, and the degree of diligence should be commensurate with the level of risk and complexity. In particular, banks should look to external organizations such as trade associations, the Better Business Bureau, the FTC, and state regulators when performing diligence on consumer-facing third parties. While prior Bulletin 2001-47 contained a list of potential items for due diligence review, Bulletin 2013-29 describes them in more detail and adds to the specific areas that due diligence should focus on, including:
- Legal and regulatory compliance: The bank should “evaluate the third party’s legal and regulatory compliance program to determine whether the third party has the necessary licenses to operate and the expertise, processes and controls to enable the bank to remain compliant with domestic and international laws and regulations;”
- Fee structure and incentives: The bank should determine if the fee structure and incentives would create burdensome upfront fees or result in inappropriate risk taking by the third party or the bank;
- Risk management systems: The bank should have adequate policies, procedures, and internal controls, as well as processes to escalate, remediate, and hold management accountable for audit and independent testing reviews;
- Human resource management: The bank should review the third party’s training program and processes to hold employees accountable for compliance with policies and procedures; and
- Conflicting contractual arrangements: The bank should check a third-party vendor’s contractual arrangements with other third parties, which may indemnify the vendor and may therefore expose the bank to additional risk.
Contract Negotiation: All relationships should be documented by a written contract that clearly defines the responsibilities of both the bank and the third party. Among other things, the contract should provide for performance benchmarks, information retention, the right to perform an audit, and OCC supervision. Bulletin 2013-29 expands upon Bulletin 2001-47 with respect to the following areas:
- Legal and regulatory compliance: Contracts should require compliance with applicable laws and regulations, including GLBA, BSA/AML, OFAC, and fair lending, as well as other consumer protection laws and regulations;
- Audits and remediation: Contracts should provide for the bank’s right to conduct audits and periodic regulatory compliance reviews, and to require remediation of issues identified;
- Indemnification: Contracts should include indemnification as appropriate for noncompliance with applicable law, and for failure to obtain any necessary intellectual property licenses;
- Consumer complaints: The bank should specifically require the third party to submit “sufficient, timely, and usable information on consumer complaints to enable the bank to analyze customer complaint activity and trends for risk management purposes;” and
- Subcontractor management: The bank should incorporate provisions specific to the third party’s own use of subcontractors, including obligations to report on conformance with performance measures and compliance with laws and regulations, and should reserve the right to terminate the contract if the subcontractors do not meet the third party’s obligations to the bank.
Ongoing Monitoring: The bank should dedicate sufficient staff to monitor the third party’s activities throughout the relationship as it may change over time. Bulletin 2013-29 expands upon Bulletin 2001-47 in the following notable ways:
- Legal and regulatory compliance: The bank should monitor third-party vendors for compliance with all applicable laws and regulations;
- Early identification of issues: The bank should consider whether the third party has the ability to effectively manage risk by self-identifying and addressing issues;
- Subcontractor management: The bank should continuously monitor a third-party vendor’s reliance on or exposure to subcontractors and perform ongoing monitoring and testing of subcontractors; and
- Consumer complaints: The bank should monitor the “volume, nature, and trends” of consumer complaints relating to the actions of third-party vendors, particularly those that may indicate compliance or risk management deficiencies.
Termination: The Bulletin specifies for the first time a termination “stage” in the third-party relationship management life cycle. Banks should develop a contingency plan for the end of the relationship, either through the normal course or in response to default. The contingency plan may transfer functions to a different third party or in-house.
The Bulletin defines as “critical” any activities involving significant bank functions (payments, clearing, settlements, and contingency planning); significant shared services (information technology); or other activities that (i) could cause a bank to face significant risk as a result of third-party failures, (ii) could have significant customer impacts, (iii) involve relationships that require significant investments in resources to implement and manage, and (iv) could have a major impact on bank operations if an alternate third party is required or if the outsourced activity must be brought in-house.
These “critical” activities should be the focus of special, enhanced risk management processes. Specifically, the bank should conduct more extensive due diligence on the front end, provide summaries of due diligence to the board of directors, ensure that the board of directors reviews and approves third-party contracts, engage in more comprehensive ongoing monitoring of the third party’s performance and financial condition (including, potentially, a look comparable to the analysis the bank would perform when extending credit), ensure that the board of directors reviews the results of ongoing monitoring, and periodically arrange for independent testing of the bank’s risk controls.
Finally, the Bulletin sets forth obligations and responsibilities relating to third-party relationships from the bank employees who manage them to the board of directors, including retention of due diligence results, findings, and recommendations, as well as regular reports to the board and senior management relating to the bank’s overall risk management process.
Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- Jeffrey P. Naimon, (202) 349-8030
- Christopher M. Witeck, (202) 349-8051
- Jon David Langlois, (202) 349-8045
Prudential Regulators Issue Joint Agreement On Classification And Appraisal Of Securities Held By Financial Institutions
On October 29, the FDIC, the Federal Reserve Board, and the OCC issued a joint agreement to update and revise the 2004 Uniform Agreement on the Classification of Assets and Appraisal of Securities Held by Banks and Thrifts. The updated agreement reiterates the importance of a robust investment analysis process and the agencies' longstanding asset classification definitions. It also replaces references to credit ratings with alternative standards of creditworthiness consistent with sections 939 and 939A of the Dodd-Frank Act, which directed the agencies to remove any reference to or requirement of reliance on credit ratings in the regulations and replace them with appropriate standards of creditworthiness. The agencies adopted those new standards in 2012 (see, e.g., the OCC’s final rule). The joint agreement provides examples to demonstrate the appropriate application of the new standards to the classification of securities.
Banking Agencies Clarify Guidance On Troubled Debt Restructurings
Last week, the Federal Reserve Board, the FDIC, the NCUA, and the OCC released interagency guidance related to the accounting treatment and regulatory credit risk grade or classification of commercial and residential real estate loans that have undergone troubled debt restructurings (TDRs). The guidance clarifies the definition of collateral-dependent loans and states that impaired collateral-dependent loans should be measured for impairment based on the fair value of the collateral rather than the present value of expected future cash flows.
Special Alert: Agencies Issue Joint Statement On Fair Lending Compliance And The CFPB's ATR/QM Rule
On October 22, the CFPB, the OCC, the FDIC, the Federal Reserve Board, and the NCUA (collectively, the Agencies) issued a joint statement (Interagency Statement) in response to inquiries from creditors concerning their liability under the disparate impact doctrine of the Equal Credit Opportunity Act (ECOA) and its implementing regulation, Regulation B by originating only “qualified mortgages.” Qualified mortgages are defined under the CFPB’s January 2013 Ability-to-Repay/Qualified Mortgage Rule (ATR/QM Rule). The DOJ and HUD did not participate in the Interagency Statement.
The Interagency Statement describes some general principles that will guide the Agencies’ supervisory and enforcement activities with respect to entities within their jurisdiction as the ATR/QM Rule takes effect in January 2014. The Interagency Statement does not state that a creditor’s choice to limit its offerings to qualified mortgage loans or qualified mortgage “safe harbor” loans would comply with ECOA; rather, the Agencies state that they “do not anticipate that a creditor’s decision to offer only qualified mortgages would, absent other factors, elevate a supervised institution’s fair lending risk.” Furthermore, the Interagency Statement will not necessarily preclude civil actions.
The Agencies acknowledge that although there are several ways to satisfy the ATR/QM Rule, some creditors may be inclined to originate all or predominantly qualified mortgages, particularly when the ATR/QM Rule first becomes effective. In selecting business models and product offerings, the Agencies “expect that creditors would consider and balance demonstrable factors that may include credit risk, secondary market opportunities, capital requirements, and liability risk.” The Agencies further understand that creditors may have a “legitimate business need” to fine-tune their product offerings over the next few years in response to the impact of the ATR/QM Rule, just as they have in response to other significant regulatory changes that have occurred in the past.
The Agencies advise creditors to continue to evaluate fair lending risk as they would for other types of product selections, including by carefully monitoring their policies and practices and implementing effective compliance management systems. Nonetheless, the Agencies state that individual cases will be evaluated on their own merits.
The Agencies state that they “believe that the same principles…apply in supervising institutions for compliance with the Fair Housing Act.” However, because neither DOJ nor HUD participated in issuing the Interagency Statement, it remains to be seen how those agencies would view this issue.
It is noteworthy that the standard articulated in the Interagency Statement (“legitimate business needs”) differs from HUD’s disparate impact rule relating to the Fair Housing Act. In its rule, HUD codified a three-step burden-shifting approach to determine liability under a disparate impact claim. Once a practice has been shown by the plaintiff to have a disparate impact on a protected class, the rule states that the defendant would have the burden of showing that the challenged practice “is necessary to achieve one or more substantial, legitimate, nondiscriminatory interests of the respondent…or defendant…A legally sufficient justification must be supported by evidence and may not be hypothetical or speculative.” (Emphasis added.)
Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- Jeffrey P. Naimon, (202) 349-8030
Special Alert: CFPB Announces First HMDA Enforcement Actions, Issues HMDA Guidance
On October 9, the CFPB (or Bureau) announced it had assessed civil money penalties totaling $459,000 against two financial institutions—one bank and one nonbank—after examinations identified significant data errors in mortgage loans reported pursuant to the Home Mortgage Disclosure Act (HMDA). The Bureau simultaneously issued a HMDA bulletin to all mortgage lenders regarding the elements of an effective HMDA compliance management system, resubmission thresholds, and factors the Bureau may consider when evaluating whether to pursue a public HMDA enforcement action and related civil money penalties.
Enforcement Actions
According to the consent orders (available here and here), both financial institutions maintained inadequate HMDA compliance systems that resulted in the reporting of “severely compromised mortgage lending data.” The nonbank, which reported 21,015 applications in its 2011 HMDA Loan Application Register (LAR), agreed to pay a penalty of $425,000. The consent order notes previous violations identified by the state regulator and states that the Bureau sampled 32 loans and concluded that the sample error rate unreasonably exceeded the Bureau’s resubmission threshold, although the error rate was not disclosed. The investigation of the nonbank was conducted in cooperation with the Massachusetts Division of Banks, which announced its own consent order imposing a $50,000 administrative fine at the same time that the CFPB announced its order. The bank, which reported 5,785 applications in its 2011 HMDA LAR, agreed to pay a penalty of $34,000. The consent order against the bank states that the bank’s sample error rate was 38 percent but does not disclose the size of the sample. Both institutions will be required to correct and resubmit their 2011 HMDA data and develop and implement an effective HMDA compliance management system to prevent future violations. Neither of the orders reveals the specific deficiencies in the institutions’ HMDA compliance programs.
Guidance
As noted above, the Bureau also issued a bulletin regarding HMDA compliance along with HMDA resubmission guidelines. The bulletin discusses the components of an effective HMDA compliance management system, including: (i) comprehensive policies, procedures, and internal controls; (ii) comprehensive and regular internal, pre-submission HMDA audits; (iii) a process for reviewing regulatory changes; (iv) reporting systems commensurate with lending volume; (v) one or more individuals responsible for oversight, data entry, and data updates, including timely and accurate reporting; (vi) appropriate, sufficient, and periodic employee training on HMDA, Regulation C, and reporting requirements; (vii) a process for effective corrective action in response to deficiencies identified; and (viii) appropriate board and management oversight.
In addition, the bulletin announces the Bureau’s new HMDA Resubmission Schedule and Guidelines, which sets forth thresholds that will apply when determining whether resubmission is required when errors are discovered in a HMDA data integrity examination. The new resubmission schedule creates a two-tier system in which resubmission thresholds are lower for institutions reporting fewer than 100,000 entries on the HMDA LAR. Under the guidance, institutions that report 100,000 or more entries on their LAR should correct and resubmit their entire HMDA LAR if the error rate exceeds four percent of the total sample (or two percent in any individual data field), while institutions with fewer than 100,000 entries on their LAR should correct and resubmit their LAR if the error rate exceeds ten percent in the total sample (or five percent in any individual data field). The guidance states that resubmission for error rates below the applicable thresholds may be called for if “the errors prevent an accurate analysis of the institution’s lending.” Under the Bureau’s current standards, institutions, regardless of size, must resubmit a corrected LAR if any “key fields” have an error rate of five percent, or if at least ten percent of the institution’s records have an error in at least one of the key fields. The new resubmission schedule and guidelines will apply to all HMDA data integrity reviews initiated on or after January 18, 2014.
Finally, the bulletin provides a non-exclusive list of factors the Bureau may consider when evaluating whether to pursue a public HMDA enforcement action, including: (i) size of the institution’s HMDA LAR and observed error rates; (ii) whether errors were self-identified and independently corrected outside of an examination; and (iii) history of previous HMDA errors that exceed the permissible threshold. In addition, the guidance states that the Bureau may seek civil money penalties for HMDA violations depending on such factors as (i) size of financial resources and good faith effort of compliance by the institution; (ii) gravity of the violations or failure to pay; (iii) severity of harm to consumers; (iv) history of previous violations; and (v) such other matters as justice may require.
Outlook
These recent CFPB announcements reinforce BuckleySandler’s experience to date that the CFPB is stepping up scrutiny of HMDA practices both at banks and nonbanks. These examination and enforcement initiatives dovetail with the CFPB’s other recent HMDA-related activities. The CFPB recently launched new tools to allow the public—including consumer and housing advocates—to leverage HMDA data to attempt to identify lending patterns. The CFPB also has started internally drafting a proposed rule to implement changes to HMDA data collection requirements, as required by the Dodd-Frank Act. Though a final rule is a distant prospect, once finalized the CFPB may require institutions to report, among other things: (i) ages of loan applicants and mortgagors; (ii) the difference between the annual percentage rate associated with the loan and benchmark rates for all loans; (iii) the term of any prepayment penalty; (iv) the term of the loan and of any introductory interest rate for the loan; (v) the origination channel; and (vi) the credit scores of applicants and mortgagors.
All of these developments suggest bank and nonbank mortgage originators should review their HMDA practices and processes to ensure they are reporting data that are accurate or at least within the CFPB’s revised tolerances.
Prudential Regulators Encourage Private Student Loan Workouts
On July 25, the FDIC, the OCC, and the Federal Reserve Board issued a joint statement to encourage financial institutions to “work constructively with private student loan borrowers experiencing financial difficulties.” The statement explains that prudent workout arrangements are consistent with safe-and-sound lending practices and are generally in the long-term best interest of both the financial institution and the borrower. Specifically, under the Retail Credit Policy, which covers student loans, “extensions, deferrals, renewals, and rewrites of closed-end loans can be used to help borrowers overcome temporary financial difficulties.” As such, the agencies promise not to criticize institutions for engaging in prudent workout arrangements with borrowers who have encountered financial problems, even if the restructured loans result in adverse credit classifications or troubled debt restructurings in accordance with accounting requirements under GAAP. Further, the regulators state that modification programs should provide borrowers with clear and easily accessible practical information about the available options, general eligibility criteria, and the process for requesting a modification.
HUD Proposes Framework for Affirmatively Furthering Fair Housing, HUD Secretary Promises Increased Enforcement
On July 18, HUD released a proposed rule to refine the fair housing elements of the existing planning process that recipients of HUD funds – states, local governments, insular areas, and public housing agencies (Program Participants) – already undertake. To aid Program Participants, HUD will provide local and regional data to allow Program Participants (i) to evaluate patterns of integration and segregation in their area, (ii) to identify disparities in access to community assets by members of protected classes, (iii) to locate racial and ethnic concentrations of poverty, and disproportionate housing needs based on protected class; (iv) to uncover areas for improvement in their fair housing programs; and (v) to develop the tools, strategies, and priorities to respond to problems identified by the data.
The proposed rule also (i) defines “affirmatively furthering fair housing” to clarify that the phrase requires proactive steps to foster more inclusive communities and greater access to community assets for all groups protected by the Fair Housing Act; (ii) refines current Analysis of Impediment requirements; (iii) requires Program Participants to incorporate fair housing planning in existing planning processes, such as the consolidated plan and PHA Annual Plan; and (iv) encourages Program Participants to take regional approaches to address fair housing issues.
In a speech earlier in the week in which he previewed the proposed rule, HUD Secretary Donovan also promised increased enforcement of the Fair Housing Act, stating: “I want to send a message to all those outside these doors. There are no stones we won’t turn. There are no places we won’t go. And there are no complaints we won’t explore in order to eliminate housing discrimination. Period. . . . HUD is enhancing its enforcement techniques by initiating investigations on our own without waiting for individuals to file complaints. We have more than tripled the number of Secretary-initiated complaints that we have filed since 2008.”
CFPB, Federal Reserve Board, DOJ Plan Indirect Auto Fair Lending Compliance Event
On July 15, the Federal Reserve Board announced that it will co-host an upcoming consumer compliance webinar with the CFPB and the DOJ entitled “Indirect Auto Lending – Fair Lending Considerations.” The event, which will be held August 6, 2013, 11:30 a.m. – 12:30 p.m. (ET), will feature Maureen Yap, special counsel and manager of the Federal Reserve’s Fair Lending Enforcement Section; Coty Montag, deputy chief of the DOJ’s Housing and Civil Enforcement Section of the Civil Rights Division; and Patrice Ficklin, assistant director of the CFPB’s Office of Fair Lending and Equal Opportunity. The panelists plan to discuss (i) the CFPB’s indirect auto lending bulletin and compliance with ECOA; (ii) supervisory guidance; (iii) examination procedures; (iv) public settlements; and (v) “emerging issues.” Following their presentations, the panelists will take audience questions, which may be submitted in advance.
FTC Extends Time to Comment on Proposed TSR Changes
On July 12, the FTC extended the comment deadline on proposed changes to its Telemarketing Sales Rule (TSR). In May, the FTC proposed to prohibit the use of certain payment methods it believes are favored by “fraudulent telemarketers,” and sought comments by July 29, 2013. Because a slightly modified version of the original proposal was published in the Federal Register on July 9, 2013, the FTC now will accept comments through August 8, 2013.
HUD Seeks Comments on Potential Changes to FHA's Quality Assurance Process
Recently, HUD published a notice seeking public comments on “ways to improve the efficiency and effectiveness” of FHA’s quality assurance process (QAP). In the notice, HUD explains that it is seeking to enhance its oversight of FHA single-family lenders by evaluating single family quality assurance alternatives that would better align with FHA’s mission. Specifically, HUD aims to ensure that it maintains and improves a quality assurance framework that (i) does not hinder or dissuade lending to FHA-targeted populations; (ii) enhances the efficiency and effectiveness of the QAP; (iii) ensures compensation to FHA for defects resulting from the lender manufacturing process; and (iv) applies fairly to all lenders. In addition, HUD also endeavors to establish a framework that ensures that loans are reviewed within a reasonable time period, post-endorsement; in order to allow FHA to use loan quality findings to improve credit policy and to allow lenders to improve their FHA origination practices. HUD particularly seeks public comments on (i) the types of loan manufacturing or compliance defects found in the QAP that should be subject to indemnification or other administrative remedies or a combination of responses; (ii) how the FHA’s review and comparison of early defaults and claims may achieve an improved assessment of a mortgagee’s performance – for example, HUD is considering establishing a specific standard of defaults and claims which mortgagees should not exceed within a given construct; (iii) whether FHA should establish a threshold manufacturing (or loan deficiency) risk tolerance; and (iv) whether FHA should establish a process to review a statistically significant random sample of loans for each mortgagee within a prescribed time frame after loan endorsement to estimate defect rates. Comments on the potential changes are due by September 9, 2013.