On April 9, Senators Elizabeth Warren (D-Mass) and Sherrod Brown (D-Ohio) released responses to inquiries sent last month to the Federal Reserve Board, the OCC, and the CFPB, which expressed, among other things, concern about the level of response taken by a national bank regarding its auto-lending practices, as well as the bank’s remediation plans and compliance risk management efforts. In response, the regulators individually discussed the bank’s progress to satisfy its obligations under existing consent orders.
Federal Reserve Chairman Jerome Powell wrote that the asset cap imposed on the bank will remain in place until the bank has implemented—to the Board’s satisfaction—remedies to address risk management breakdowns. Powell noted that the bank and the Board are comprehensively addressing the progress.
OCC Comptroller Joseph Otting emphasized that the agency continues “to monitor the bank’s work to remediate deficiencies” identified in previously issued orders, and commented that while the OCC is disappointed with the bank’s current corporate governance and risk management programs, it “is fully engaged and prepared to bring [the bank’s] matters to resolution.”
CFPB Director Kathy Kraninger stated that “while the Bureau is working with [the bank] to ensure its compliance with the consent order, I am not satisfied with the [b]ank’s progress to date and have instructed staff to take all appropriate actions to ensure the [b]ank complies with the consent order and [f]ederal consumer financial law.”
On September 26, the OCC’s Committee on Bank Supervision released its bank supervision operating plan (Plan) for fiscal year 2019. The Plan outlines the agency’s supervision priorities and specifically highlights the following supervisory focus areas: (i) cybersecurity and operational resiliency; (ii) commercial and retail credit loan underwriting, concentration risk management, and the allowance for loan and lease losses; (iii) Bank Secrecy Act/anti-money laundering compliance; (iv) change management to address new regulatory requirements; and (v) internal controls and end-to-end processes necessary for product and service delivery.
The annual plan guides the development of supervisory strategies for individual national banks, federal savings associations, federal branches, federal agencies, and service providers.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes previously has covered.
On September 5, the FDIC released its summer 2018 issue of Supervisory Insights (see FIL-44-2018), which contains articles discussing bank lending to the oil and gas sector and an overview of bank credit risk grading systems. Information and analysis from examiner observations is presented in the article, “Credit Risk Grading Systems: Observations from a Horizontal Assessment.” Sixteen large state nonmember banks’ credit risk grading programs are analyzed for (i) their use of expert judgment based systems and/or quantitative scorecards and models to assign credit grades; (ii) data usage and retention needs; and (iii) governance and risk management frameworks established by grade definitions. The article advises that “a bank’s credit risk grading system should align with the bank’s size and complexity to facilitate accurate risk identification, measurement, monitoring, and reporting,” and should include internal systems to allow for effective risk assessment, timely and accurate reporting, and procedures for safeguarding and managing assets. In addition, the issue includes an overview of recently released regulations and supervisory guidance in its Regulatory and Supervisory Roundup.
On May 24, the OCC released its Semiannual Risk Perspective for Spring 2018, identifying and reiterating key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. Priorities focus on credit, operational, compliance, and interest rate risk, and while the OCC commented on the improved financial performance of banks from 2016 to early 2018, in addition to the “incremental improvement in banks’ overall risk management practices,” the agency also noted that risks previously highlighted in its Fall 2017 report have “changed only modestly.” (InfoBytes covered the Fall 2017 report previously.)
Specific areas of concern noted by the OCC include: (i) easing of commercial credit underwriting practices; (ii) increasing complexity and severity of cybersecurity threats; (iii) use of third-party service providers for critical operations; (iv) compliance challenges under the Bank Secrecy Act; (v) challenges in risk management involving consumer compliance regulations; and (vi) rising market interest rates, including certain risks associated with the “potential effects of rising interest rates, increasing competition for retail and commercial deposits, and post-crisis liquidity regulations for banks with total assets of $250 billion or more, on the mix and cost of deposits.” Additionally, concerns related to the integrated mortgage disclosure requirements under TILA and RESPA, previously considered a key risk, have been downgraded to an issue to be monitored.
On May 7, FDIC Chairman Martin J. Gruenberg spoke at the Forum on the Use of Technology in the Business of Banking about the importance of understanding the ways in which emerging technology is positively affecting banking operations, while also recognizing the associated risk management challenges. Gruenberg noted that the benefits of technology—such as reduced transaction costs, operational efficiency, payment speed improvements, and economic inclusion and access to mainstream banking—also pose challenges to financial institutions that may be amplified as new products and services are adopted. Challenges include: (i) cybersecurity risks; (ii) Bank Secrecy Act/anti-money laundering concerns; and (iii) various other consumer protection issues. Gruenberg also discussed the role of the FDIC’s Emerging Technology Steering Committee, which was established to address these issues, and its two working groups responsible for “monitoring trends, opportunities, and risks in this area, and evaluating impacts on banking, general safety and soundness, deposit insurance, financial reporting, economic inclusion, and consumer protection.” He stressed that the committee’s work will inform the agency’s “supervisory strategy for responding to opportunities and risks presented by the use of emerging technologies to supervised institutions.”
On April 27, the Financial Crimes Enforcement Network (FinCEN) issued an advisory to financial institutions concerning the Financial Action Task Force’s (FATF) updated list of jurisdictions identified as having “strategic deficiencies” in their anti-money laundering/combatting the financing of terrorism (AML/CFT) regimes. FinCEN urges financial institutions to consider this list when reviewing due diligence obligations and risk-based policies, procedures, and practices.
As further described in the Improving Global AML/CFT Compliance: On-going Process, FATF identified the following jurisdictions as having developed action plans to address AML/CFT deficiencies: Ethiopia, Iraq, Sri Lanka, Syria, Trinidad and Tobago, Tunisia, Vanuatu, and Yemen. Notably, Serbia has been added to the list for failing to effectively implement its AML/CFT framework, whereas Bosnia and Herzegovina has been removed from the list due to “significant progress in improving its AML/CFT regime . . . [and] establishing the legal and regulatory framework to meet the commitments in its action plan.” The Democratic People’s Republic of Korea and Iran remain the two jurisdictions subject to countermeasures and enhanced due diligence due to AML/CFT deficiencies.
OCC updates Comptroller’s Handbook to include recovery planning standards for large financial institutions
On April 26, the OCC released the “Recovery Planning” booklet as part of its Comptroller’s Handbook. The booklet explains the purpose of effective recovery planning and provides guidance for OCC examiners to use when assessing the “appropriateness and adequacy of [a] covered bank’s recovery planning process and the integration of that process into the covered bank’s overall risk governance framework.” According to the OCC, unless determined otherwise, a bank is subject to the Recovery Planning guidelines if the bank has average total consolidated assets of (i) $50 billion or more; (ii) less than $50 billion, if the bank was previously a covered bank; or (iii) less than $50 billion, if the OCC determines that the bank is highly complex or otherwise presents a heightened risk. Recovery plans are designed to identify triggers and options for responding to a range of “severe internal and external stress scenarios” for the purpose of timely restoring financial strength and viability, and should, among other things, include measures to reduce risk as well as strategies to develop and maintain plans specific and appropriate to the size and complexity of the covered bank. The booklet states that recovery plans “may not assume or rely on any extraordinary government support.”
On April 19, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. The new enforcement actions include cease and desist orders, civil money penalty orders, and removal/prohibition orders. The consent orders described below were among those in the OCC’s list:
Cease and Desist Consent Order. On February 28, the OCC issued a consent order against a Washington-based bank for deficiencies related to its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program. Among other things, the consent order requires the bank to (i) maintain a Compliance Committee consisting of at least three board members; (ii) develop and implement an ongoing BSA/AML risk assessment program; (iii) create and implement BSA internal controls to mitigate risks; (iv) develop and implement policies and procedures for an automated suspicious activity monitoring system; (v) conduct a “Look-Back” to determine whether suspicious activity was timely identified and reported by the bank and whether additional SARs should be filed for previously unreported suspicious activity; (vi) adopt an independent third-party audit program to conduct a review of the bank’s BSA/AML compliance program; and (vii) create a comprehensive training program for appropriate bank personnel. The bank has neither admitted nor denied the findings.
Civil Money Penalty Consent Order. On March 3, the OCC issued a consent order (2018 Order) against an officer of a California-based bank for violating consent orders issued in 2010 and 2014 related to deficiencies in the bank’s compliance with BSA/AML rules and regulations, and for violations of 12 C.F.R. § 21.21 (Procedures for Monitoring Bank Secrecy Act Compliance). According to the 2018 Order, the officer, who was responsible for overseeing the bank’s operations department, allegedly engaged in “unsafe or unsound practices”; made false statements to the OCC and advised other bank employees to corroborate the statements; and “failed to take the necessary actions to ensure that the [b]ank corrected the deficiencies. . .” The 2018 Order requires the officer to, among other things, pay a $5,000 civil money penalty, and—under the cease and desist terms—participate in BSA/AML compliance training and refrain from making any BSA/AML staffing decisions. The officer, while agreeing to the terms of the consent order, has not admitted or denied any wrongdoing.
On April 16, the National Institute of Standards and Technology (NIST) announced the release of enhancements to its cybersecurity framework guidance, which critical infrastructure operators, including the financial services industry, may voluntarily follow to mitigate cybersecurity risk. Updates in Cybersecurity Framework Version 1.1 (Framework) incorporate comments received from public feedback, team members, and workshops held over the past two years, as well as stakeholder input on draft versions. Changes include the addition of (i) explanations clarifying that the Framework can be used to demonstrate compliance with an organization’s own cybersecurity requirements; (ii) a cybersecurity risk self-assessment section; (iii) an expanded section addressing ways in which the Framework can be used to manage cybersecurity risk within the supply chain; (iv) refinements to authentication and identity processes; (v) new language explaining the “relationship between Implementation Tiers and Profiles” in regard to risk management programs; and (vi) a new subcategory on the lifecycle of vulnerability disclosure. The process by which changes are made to the Framework may be viewed on NIST’s website. NIST further notes that both first-time and current Framework users should experience minimal to no disruption when implementing the updated Framework, and are encouraged to customize the Framework “to maximize individual organizational value.”
On April 10, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement advising financial institutions to consider the role of cyber insurance as a component of their overall risk management programs in light of the increasing number of sophisticated cyber-attacks. While financial institutions are not required to have cyber insurance, the FFIEC stated that it can be an effective tool to help mitigate risk. However, the FFIEC emphasized that cyber insurance does not diminish the need for a sound control environment; rather, it “may be a component of a broader risk management strategy that includes identifying, measuring, mitigating and monitoring cyber risk exposure.” Additionally, cyber insurance may offset financial losses resulting from data breaches that may not be covered by traditional insurance policies. Considerations for financial institutions assessing the costs and benefits of adding cyber insurance include: (i) involving multiple stakeholders in the decision; (ii) conducting proper due diligence to understand coverage and identify any gaps; and (iii) reviewing cyber insurance as part of the institution’s annual insurance review and budgeting process.