InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FSB report addresses financial risk concerns with third-party relationships
On December 4, the Financial Stability Board (FSB) published a report titled “Enhancing Third-Party Risk Management and Oversight: A Toolkit for Financial Institutions and Financial Authorities,” as summarized in this press release. The report provides a toolkit that: (i) defines common terms to improve consistency among financial institutions, including “third-party service relationship,” “service provider,” and “critical service,” among others; (ii) outlines tools for financial institutions to identify critical third-party services and manage potential risks throughout the service lifecycle, onboarding and monitoring of service providers, and reporting incidents, among others; and (iii) outlines tools for financial authorities to manage third-party risks, including how to identify third-party dependencies and potential systemic risks. In preparing the report, the FSB received public feedback over the past summer regarding risk concerns stemming from outsourcing and third-party service relationships.
Bank to pay Fed, NYDFS almost $30 million for deficient third-party risk management practices
On October 19, the Fed and NYDFS announced an enforcement action against a New York-based bank for alleged violations of consumer identification rules and deficient third-party risk management practices. NYDFS Superintendent Adrienne A. Harris stated that the bank failed to prevent a “massive, ongoing fraud” related to its prepaid card program. According to the Fed’s cease-and-desist order, illicit actors managed to open prepaid card accounts through a third-party, and moved hundreds of millions of dollars of direct deposit payroll payments and state unemployment benefits through the accounts. The Fed’s order requires the bank to, among other things, improve its oversight, create a new product review program, enhance its customer identification program, and submit a plan to enhance its third-party risk management program. The bank’s plan must include (i) policies and procedures to ensure third-party service providers are complying with federal and state law; (ii) a third-party risk management oversight program; (iii) policies and procedures to ensure the bank’s Chief Compliance Officer has sufficient resources to properly access the bank’s prepaid card program and is adequately staffed; and (iv) a comprehensive identity theft prevention program. The Fed also requires the bank to pay a civil money penalty of approximately $14.5 million. Under NYDFS’s consent order, the bank agreed to pay an additional $15 million civil monetary penalty, and to submit remediation and program reporting.
OCC releases bank supervision operating plan for FY 2024
On September 28, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2024. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) asset and liability management; (ii) credit; (iii) allowances for credit losses; (iv) cybersecurity; (v) operations; (vi) digital ledger technology activities; (vii) change in management; (viii) payments; (ix) Bank Secrecy Act/AML compliance; (x) consumer compliance; (xi) Community Reinvestment Act; (xii) fair lending; and (xiii) climate-related financial risks.
Two of the top areas of focus are asset and liability management and credit risk. In its operating plan the OCC says that “Examiners should determine whether banks are managing interest rate and liquidity risks through use of effective asset and liability risk management policies and practices, including stress testing across a sufficient range of scenarios, sensitivity analyses of key model assumptions and liquidity sources, and appropriate contingency planning.” With respect to credit risk, the OCC says that “Examiners should evaluate banks’ stress testing of adverse economic scenarios and potential implications to capital” and “focus on concentrations risk management, including for vulnerable commercial real estate and other higher-risk portfolios, risk rating accuracy, portfolios of highest growth, and new products.”
The plan will be used by OCC staff to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches and agencies of foreign banking organizations, and certain identified third-party service providers subject to OCC examination.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered here.
SEC proposes rules for addressing conflicts of interest raised by predictive data analytics
On July 26, the SEC issued proposed rules under the Securities Exchange Act of 1924 and the Investment Advisors Act of 1940 to address certain conflicts of interest associated with the use of predictive data analytics, including artificial intelligence (AI) and similar technologies, “that optimize for, predict, guide, forecast, or direct investment-related behaviors or outcomes.” The SEC explained that broker-dealers and investment advisors (collectively, “firms”) are increasingly using AI to improve efficiency and returns but cautioned that, due to the scalability of these technologies and the potential for firms to quickly reach a large audience, any resulting conflicts of interest could result in harm to investors that is more pronounced and on a broader scale than previously possible.
Based on existing legal standards, the proposed rules generally would require a firm to identify and eliminate, or neutralize, the effects of conflicts of interest that result in the firm’s (or associated persons) interests being placed ahead of investors’ interests. Firms, however, would be permitted to employ tools that they believe would address such risks and that are specific to the particular technology being used. Firms that use covered technology for investor interactions would also be required to have written policies and procedures in place to ensure compliance with the proposed rules, the SEC said. These policies and procedures must include a process for evaluating the use of covered technology in investor interactions and addressing any conflicts of interest that may arise. Firms must also maintain books and records related to these requirements. Comments on the proposed rules are due 60 days after publication in the Federal Register.
OCC warns banks to “guard against complacency” in risk management
On June 14, the OCC released its Semiannual Risk Perspective for Spring 2023, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The agency reported that the overall strength of the federal banking system is sound but warned banks to remain diligent and maintain effective risk management practices over critical functions in order to withstand current and future economic and financial challenges.
The OCC highlighted liquidity, operational, credit, and compliance risk as key risk themes in the report. Observations include: (i) in response to recent bank failures and investment portfolio depreciation, liquidity levels have been strengthened; (ii) credit risk remains moderate, however in certain commercial real estate segments, signs of stress are increasing (high inflation and rising interest rates are also causing credit conditions to deteriorate); (iii) operational risk, including persistent cyber threats, is elevated, while opportunities and risks are created by banks’ increased use of third parties and the digitalization of banking products and service; and (iv) compliance risk remains heightened as banks continue to navigate a dynamic environment where compliance management systems try to keep pace with evolving products, services, and delivery channel offerings.
The report also discussed challenges banks face when trying to manage climate-related financial risks, as well as the importance of investing and aligning technology with banks’ business goals. Acting Comptroller of the Currency Michael Hsu urged banks “to ‘be on the balls of their feet’ with regards to risk management” and “guard against complacency.”
Agencies finalize guidance on managing third parties
On June 6, the OCC, Federal Reserve Board, and FDIC issued interagency guidance to aid banking organizations in managing risks related to third-party relationships, including relationships with financial technology-focused entities. (See also FDIC FIL-29-2023 and Federal Reserve Board memo here.) The joint guidance, final as of June 6, replaces each agency’s existing general guidance on third-party risk management and is directed to all supervised banking organizations. Designed to streamline government guidance on mitigating risks when working with third parties, the final guidance establishes principles for banking organizations to consider when implementing risks management practices. Banking organizations are advised to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.
After considering public comments received on proposed guidance issued in July 2021 (covered by InfoBytes here), the final guidance provides directions and expectations for oversight at all stages in the life cycle of a third-party relationship, including topics relating to planning, due diligence and third-party selection, contract negotiations, ongoing monitoring, and termination. Guidance on conducting independent reviews, maintaining documentation, and reporting is also included. The agencies advised banking organizations, particularly community banks, to review illustrative examples to help align risk management practices with the scope and risk profile of their third-party relationships. Additionally, banking organizations should maintain a complete inventory of their third-party relationships, identify higher-risk and critical activities, periodically conduct reviews to determine whether risks have changed over time, and update risk management practices accordingly, the agencies said.
The final guidance emphasizes that the agencies will review a banking organization’s third-party risk management practices as part of the standard supervisory process. When assessing whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, examiners will, among other things, (i) evaluate a banking organization’s ability to oversee and manage third party relationships; (ii) assess the effects of those relationships on a banking organization’s risk profile and operational performance; (iii) perform transaction testing to evaluate whether activities performed by a third party comply with applicable laws and regulations; (iv) conduct conversations relating to any identified material risks and deficiencies with senior management and board of directors; (v) review how a banking organization remediates any deficiencies; and (vi) consider supervisory findings when rating a banking organization.
The agencies stressed that they may take corrective measures, including enforcement actions, to address identified violations or unsafe or unsound banking practices by the banking organization or its third party. The agencies further announced that they plan to immediately engage with community banks and will develop additional resources in the future to help these organizations manage relevant third-party risks.
G7 Cyber Expert Group releases reports on ransomware and third-party risk
On December 8, the G7 Cyber Expert Group (CEG) – co-chaired by the Bank of England and the U.S. Treasury Department’s Office of Cybersecurity and Critical Infrastructure – released two reports addressing ransomware and third-party risk in the financial sector. According to the announcement, the reports “are intended to help financial sector entities better understand cybersecurity topics as agreed upon by a multilateral consensus.”
The Fundamental Elements of Ransomware Resilience for the Financial Sector provides financial entities with high-level building blocks for addressing ransomware threats. The “non-prescriptive and non-binding” report is meant to guide public and private financial institutions for their own internal ransomware mitigation activities and “provide[s] an overview of the current policy approaches, industry guidance, and best practices in place throughout the G7.”
The Fundamental Elements of Third-Party Risk Management for the Financial Sector updates a previous version published in 2018. According to the announcement, the updated report was necessary due to the increase in use of service providers by financial institutions in their central operational functions and subsequent vulnerabilities as a result of such reliance. The update includes explicit recommendations for monitoring risks along the supply chain and identifying systemically important third-party providers and concentration risks.
OCC warns of crypto-asset and cybersecurity risks facing the federal banking system
On December 8, the OCC released its Semiannual Risk Perspective for Fall 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that, in the aggregate, banks “remain well capitalized” and have “ample liquidity and sound credit quality, although macroeconomic headwinds are a concern.” The OCC highlighted interest rate, operational, compliance, and credit risks as key risk themes. Observations include: (i) the rising rate environment has adversely impacted bank investment portfolios; (ii) operational risk, including evolving cyber risk, is elevated, with “threat actors continuing to target the financial services industry with ransomware and other attacks”; (iii) compliance risk remains heightened as banks navigate significant regulatory changes; and (iv) credit risk in commercial and retail loan portfolios remains moderate and demonstrates resiliency, “but signs of potential weakening in some segments warrant careful monitoring.”
The report discussed emerging risks related to innovation and the adoption of new products and services, including crypto-assets. Highlighting risks arising from banks’ expansion into digital offerings and the “heightened” threat of fraud risk associated with innovative peer-to-peer payment platforms, the OCC noted that banks should be “clearly communicating risks, educating customers on potential scams, and enhancing internal fraud monitoring capabilities” to mitigate threats and protect consumers. The report noted that “[b]anks may require additional or different controls to safeguard against fraud, financial crimes, violations of Bank Secrecy Act, anti-money laundering, and Office of Foreign Assets Control (BSA/AML/OFAC) requirements, and consumer protection or fair lending laws, or operational errors,” and should “maintain comprehensive operational resilience frameworks commensurate with the size and complexity of products, services, and operations being supported.”
The OCC reiterated the importance of taking a “careful and cautious approach” toward banks’ engagement with the crypto-related firms. Recent events in the crypto market have also “revealed a high degree of interconnectedness between certain crypto participants through a variety of opaque lending and investing arrangements,” which has led to “a high risk of contagion among connected parties.” The report noted that national banks and federal savings associations interested in engaging in crypto-asset activities should discuss the activities with their supervisory office before engaging the activities. Some activities may require a supervisory non-objection under OCC Interpretive Letter #1179.
The report cited risks related to cybersecurity and partnerships with fintech and other third parties. The OCC said it is applying a “heightened supervisory focus” to its scrutiny of banks’ oversight of third-party relationships and flagged an upward trend in ransomware attacks targeting banks’ service providers and other third parties. Partnering with fintechs to support operations or provide opportunities for customers to enter the digital asset market can “increase the risk of unfair or deceptive acts or practices because of the coordination, communication, and disclosure challenges involved in these partnerships,” the report said, adding that “[u]nclear or arbitrary partnership agreements may result in implementation breakdowns, untimely resolution of issues, or failure to deliver products or services as intended, and may result in significant customer remediation.” The OCC cautioned that banks must “conduct appropriate due diligence” before entering a partnership with a third party. “The scope and depth of due diligence, as well as ongoing monitoring and oversight of the third party’s performance, should be commensurate with the nature and criticality of the proposed activity.”
The report also discussed forthcoming climate risk management guidelines applicable to banks with more than $100 billion in total consolidated assets. As previously covered by InfoBytes, the OCC, Federal Reserve Board, and the FDIC announced they intend to issue final interagency guidance to promote consistency.
Republicans seek answers from OCC on bank-fintech partnerships
On October 11, House Financial Services Committee Ranking Member Patrick McHenry (R-NC), joined by Republican members of the Task Force on Financial Technology, sent a letter to acting Comptroller of the Currency Michael J. Hsu asking for clarification on the OCC’s position regarding bank-fintech partnerships. The lawmakers asserted that the OCC previously “worked to provide banks and their customers with a clear understanding of the regulatory and supervisory expectations surrounding emerging products and services,” as well as how to properly assess risk, but contended that leadership under the current administration has not continued to do so. Citing the importance of innovation to the U.S. economy and the impact new financial products and services can have on costs, inclusion, and competition, the letter expressed concerns related to the potential for further uncertainty surrounding these partnerships and the resulting consequences for consumers. “Technological innovation fostered by fintech partnerships has enabled banks to reach segments of the population that may have been left behind and increase customer engagement,” the lawmakers wrote, expressing their belief that the benefits from these partnerships far outweigh the risks. “Much of this innovation has been driven by industry newcomers that have developed a novel product or business model. When properly regulated, these partnerships can provide greater financial inclusion, spur technological innovation, and foster competition that ultimately benefits consumers.”
Referring to an action taken by President Biden in June 2021, which repealed the OCC’s “true lender” rule pursuant to the Congressional Review Act (covered by InfoBytes here), the lawmakers asked the OCC whether it anticipates fintech partnerships ending as a result of potential regulatory changes, and questioned how the agency plans to “ensure that examiners do not discourage innovation through fintech partnerships” or “impose unreasonable burdens on banks and fintechs.” The letter also asked the OCC to respond to a series of questions, including, among other things, how it plans to determine the acceptable terms for bank-fintech partnerships, how it intends to analyze fintechs that are helping to bring the banking business into the digital era, and how examiners will evaluate a bank’s assessments of third parties’ cybersecurity risk management and resilience capabilities and whether such evaluations will “be carefully tailored to the actual risk posed by the particular bank-fintech partnership.”
OCC releases bank supervision operating plan for FY 2023
On October 6, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2023. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) strategic and operational planning; (ii) operational resiliency; (iii) third-party oversight and risk management; (iv) credit risk management with a focus on new products, areas of highest growth, and portfolios representing concentrations; (v) allowances for credit losses (ACL), including instances where ACL processes use third-party modeling techniques; (vi) interest rate risk; (vii) liquidity risk management; (viii) consumer compliance management systems with a focus on how programs are disclosed in relation to UDAP and UDAAP statutes; (ix) Bank Secrecy Act/AML compliance; (x) fair lending risks; (xi) Community Reinvestment Act strategies and the potential for modernization rulemaking; (xii) new products and services in areas such as payments, fintech, and digital assets; and (xiii) climate-change risk management. The plan will be used by OCC staff to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches and agencies of foreign banking organizations, and certain identified third-party service providers subject to OCC examination.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered here.