On July 20, the OCC announced it will propose to rescind the agency’s May 2020 final rule overhauling the Community Reinvestment Act (CRA), signaling the OCC’s intention to collaborate with the Federal Reserve Board and the FDIC on a separate joint rulemaking. As previously covered by a Buckley Special Alert, the OCC’s final rule was intended to modernize the regulatory framework implementing the CRA by, among other things: (i) updating deposit-based assessment areas; (ii) mandating the inclusion of consumer loans in CRA evaluations; (iii) including quantitative metric-based benchmarks for determining a bank’s CRA rating; and (iv) including a non-exhaustive illustrative list of activities that qualify for CRA consideration.
The announcement follows the completion of a review undertaken by acting Comptroller Michael Hsu (covered by InfoBytes here). Hsu stated that although “the OCC deserves credit for taking action to modernize the CRA,” the adoption of the final rule was “a false start” in attempting to overhaul the regulation. According to Hsu, the OCC intends to work with the Fed and the FDIC to develop a joint Notice of Proposed Rulemaking and build on an Advance Notice of Proposed Rulemaking issued by the Fed last September (covered by InfoBytes here). The federal agencies issued an interagency statement noting that they have “broad authority and responsibility for implementing the CRA” and that “[j]oint agency action will best achieve a consistent, modernized framework across all banks to help meet the credit needs of the communities in which they do business, including low- and moderate-income neighborhoods.”
FDIC proposes changes to deposit insurance regulations for trust accounts and mortgage servicing accounts
On July 20, the FDIC published a notice of proposed rulemaking (NPRM) that would amend the deposit insurance regulations for trust accounts and mortgage servicing accounts. The changes are intended to clarify the deposit insurance rules for depositors and bankers, enable more timely insurance determinations for trust accounts in the circumstance of a bank failure, and increase consistency of insurance coverage for mortgage servicing account deposits. According to the FDIC, some highlights include, among other things, that: (i) a deposit owner’s trust deposits would be insured up to $250,000 per beneficiary, but must not exceed five beneficiaries, regardless of whether a trust is revocable or irrevocable, and regardless of contingencies or the allocation of funds among the beneficiaries; (ii) a maximum amount of deposit insurance coverage would be $1.25 million per owner, per insured depository institution for trust deposits; and (iii) “mortgage servicers’ advances of principal and interest funds on behalf of mortgagors in a mortgage servicing account would be insured up to $250,000 per mortgagor, consistent with the coverage for payments of principal and interest collected directly from mortgagors.” Additionally, the FDIC published a Fact Sheet on the NPRM, which provides an overview of simplifying deposit insurance rules for trust accounts and enhancing consistency for mortgage servicing account deposits.
FDIC Chairman Jelena McWilliams released a statement specifying that the NPRM would “merge the revocable and irrevocable trust categories into one uniform trust accounts category with one set of rules; establish a simple formula for calculating deposit insurance based on the number of beneficiaries; and eliminate the ability for a trust account to be structured to obtain unlimited deposit insurance at a bank, which is the case today, and certainly contrary to the spirit of the Federal Deposit Insurance Act.” Comments on the NPRM will be due 60 days after publication in the Federal Register.
On July 13, the Federal Reserve Board, FDIC, and OCC announced a request for public comments on proposed guidance designed to help banking organizations manage risks related to third-party relationships, including relationships with financial technology-focused entities. The guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance. The proposed guidance provides “a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.” The proposal addresses key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Comments on the proposal are due 60 days after publication in the Federal Register.
On July 14, the CFPB and FDIC announced enhancements to Money Smart for Older Adults, the agencies’ financial education program geared toward preventing elder financial exploitation. The enhanced version includes sections to help people avoid romance scams, which, according to data from the FTC, led to $304 million in losses in 2020. In addition, the agencies are also releasing an informational brochure on Covid-19 related scams. FDIC training materials and other resources for older adults are available from the CFPB here.
On July 1, the Federal Reserve Board announced plans to launch a new tool to assist community banks with assets of less than $1 billion in implementing the Current Expected Credit Losses (CECL) accounting standard. The new spreadsheet-based tool, known as the “Scaled CECL Allowance for Losses Estimator” (or SCALE), will use publicly available regulatory and industry data and is intended to simplify CECL compliance for community banks. The SCALE tool will be launched during an “Ask the Fed” webinar on July 15.
On June 30, NYDFS announced new guidance for preventing ransomware attacks. In the guidance, NYDFS identified cybersecurity controls that decrease the risk of a ransomware attack. In examining ransomware incidents reported by its regulated entities over the past year and a half, NYDFS observed that incidents follow a similar pattern where “hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.” Following guidance from the Federal Bureau of Investigation, NYDFS recommended that companies avoid making ransomware payments if their networks are compromised. NYDFS also urged all regulated entities to prepare for a ransomware attack by implementing measures such as: (i) training employees in cybersecurity awareness; (ii) implementing a vulnerability and patch management program; (iii) utilizing multi-factor authentication and strong passwords; (iv) using monitoring and response to detect intruders; and (v) having a ransomware-specific incident response plan. NYDFS Superintendent Linda A. Lacewell noted that “[c]ybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry.”
On June 30, the Federal Financial Institutions Examination Council (FFIEC) published the “Architecture, Infrastructure, and Operations” booklet of the FFIEC Information Technology Examination Handbook, which provides guidance to examiners on assessing the risk profile and adequacy of an entity’s information technology architecture, infrastructure, and operations (AIO). According to FDIC FIL-47-2021, the booklet, among other things: (i) describes the principles and practices that examiners should review in order to assess an entity’s AIO functions; (ii) focuses on “enterprise-wide, process-oriented approaches regarding the design of technology within the overall enterprise and business structure, implementation of information technology infrastructure components, and delivery of services and value for customers”; and (iii) mentions “assessing an entity’s governance of common AIO-related risks, enterprise-wide IT architectural planning and design, implementation of virtual and physical infrastructure, and on assessing an entity’s related operational controls.” In addition, according to an OCC announcement, the booklet discusses how appropriate governance of the AIO functions and related activities can: (i) promote risk identification across banks, nonbank financial institutions, bank holding companies, and third-party providers; (ii) support implementation of effective risk management; (iii) assist management through the regular assessment of an entity’s strategies; and (iv) promote alignment and integration between the functions. The booklet replaces the Operations booklet issued in July 2004.
On June 30, the Financial Crimes Enforcement Network (FinCEN) announced the completion of a report on whether to establish a process for issuing no-action letters in response to inquiries concerning the application of the Bank Secrecy Act (BSA) and other anti-money laundering and countering the financing of terrorism laws to specific conduct, “including a request for a statement as to whether FinCEN or any relevant Federal functional regulator intends to take an enforcement action with respect to such conduct.” As required pursuant to Section 6305 of the Anti-Money Laundering Act of 2020 (included as part of the National Defense Authorization Act for Fiscal Year 2021 and covered by InfoBytes here), FinCEN submitted its no-action letter assessment to Congress. The assessment involved consultation with the Attorney General and other entities including the federal functional regulators, state bank and credit union supervisors, and other federal agencies.
The agency analyzed various issues when conducting its assessment, including “whether a formal no-action process would help to mitigate or accentuate illicit finance risks in the United States.” Among other things, the report concluded that the majority of the consulting parties agreed that FinCEN should implement a no-action letter policy. “The primary benefits identified by those in favor of a no-action letter process are that it could promote a robust and productive dialogue with the public, spur innovation among financial institutions, and enhance the culture of compliance and transparency in the application and enforcement of the BSA,” FinCEN stated. According to FinCEN acting Director Michael Mosier, the agency concluded “that a no-action letter process would be a useful complement to its current forms of regulatory guidance and relief.” The agency stated it intends to undertake a future rulemaking “subject to resource limitations and competing priorities” to establish a process for issuing no-action letters that will supplement its current forms of regulatory guidance and relief. However, FinCEN noted that the no-action letter process would be most effective and workable if it were limited to the agency’s exercise of its own enforcement authority, instead of also addressing other regulators’ exercise of their own enforcement authorities.
On June 30, the Financial Crimes Enforcement Network (FinCEN) issued the first government-wide priorities for anti-money laundering and countering the financing of terrorism (AML/CFT) policy (AML/CFT Priorities) pursuant to the Anti-Money Laundering Act of 2020 (AML Act). The AML/CFT Priorities were established in consultation with the Treasury Department’s Office of Foreign Assets Control, SEC, CFTC, IRS, state financial regulators, law enforcement, and national security agencies, and highlight key threat trends as well as informational resources to help covered institutions manage their risks and meet their obligations under laws and regulations designed to combat money laundering and counter terrorist financing. According to the AML/CFT Priorities, the most significant AML/CFT threats currently facing the U.S. (in no particular order) are corruption, cybercrime, domestic and international terrorist financing, fraud, transnational criminal organization activity, drug trafficking organization activity, human trafficking and human smuggling, and proliferation financing. FinCEN further noted it will update the AML/CFT Priorities to highlight new or evolving threats at least once every four years as required under the AML Act, and issued a separate statement providing additional clarification for covered institutions.
Separately, the Federal Reserve Board, FDIC, NCUA, OCC, state bank and credit union regulators, and FinCEN also issued a joint statement providing clarity for banks on the AML/CFT Priorities. The statement emphasized that the publication of the AML/CFT Priorities “does not create an immediate change to Bank Secrecy Act (BSA) requirements or supervisory expectations for banks.” Rather, within 180 days of the establishment of the AML/CFT Priorities, FinCEN will promulgate regulations, as appropriate, in consultation with the federal functional regulators and relevant state financial regulators. The federal banking agencies noted that they intend to revise their BSA regulations as needed to address how the AML/CFT priorities will be incorporated into BSA requirements for banks, adding that banks will not be required to incorporate the AML/CFT Priorities into their risk-based BSA compliance programs until the effective date of the final revised regulations. However, banks may choose to begin considering how they intend to incorporate the AML/CFT Priorities, “such as by assessing the potential related risks associated with the products and services they offer, the customers they serve, and the geographic areas in which they operate.” Moreover, the statement confirmed that federal and state examiners will not examine banks for the incorporation of the AML/CFT Priorities into their risk-based BSA programs until the final revised regulations take effect.
On June 25, the FDIC announced PR-58-2021, which outlines a modified approach to implementing its rule requiring insured depository institutions (IDIs) with $100 billion or more in total assets (CIDIs) to submit resolution plans under the Federal Deposit Insurance Act. Among other things, the modified approach extends the resolution plan’s submission frequency to a three-year cycle and lays out new details regarding the FDIC’s emphasis on engagement with firms. The new approach “exempts filers from other content requirements that have been less useful or are obtainable through other supervisory channels.” In addition, on a case-by-case basis, the FDIC plans to “expressly exempt certain content requirements based on the FDIC’s evaluation of how useful or material the information would be in planning to resolve the specified CIDI.” Resolution plans will be submitted in two groups. The first group will contain IDIs whose top tier parent company is not regarded as a U.S. global systemically important bank or a category II banking organization. The second group encompasses all other IDIs with $100 billion or more in total assets. For institutions with less than $100 billion in total assets, the moratorium on submission of IDI plans announced in November 2018 remains in effect.