
InfoBytes Blog

Financial Services Law Insights and Observations


  • NYDFS issues ransomware guidance

    Agency Rule-Making & Guidance

    On June 30, NYDFS announced new guidance for preventing ransomware attacks. In the guidance, NYDFS identified cybersecurity controls that decrease the risk of a ransomware attack. In examining ransomware incidents reported by its regulated entities over the past year and a half, NYDFS observed that incidents follow a similar pattern where “hackers enter a victim’s network, obtain administrator privileges once inside, and then use those elevated privileges to deploy ransomware, avoid security controls, steal data, and disable backups.” Following guidance from the Federal Bureau of Investigation, NYDFS recommended that companies avoid making ransomware payments if their networks are compromised. NYDFS also urged all regulated entities to prepare for a ransomware attack by implementing measures such as: (i) training employees in cybersecurity awareness; (ii) implementing a vulnerability and patch management program; (iii) utilizing multi-factor authentication and strong passwords; (iv) using monitoring and response to detect intruders; and (v) having a ransomware-specific incident response plan. NYDFS Superintendent Linda A. Lacewell noted that “[c]ybercriminals are not only extorting individual companies but also jeopardizing the stability of the financial services industry.”

    Agency Rule-Making & Guidance NYDFS Ransomware Privacy/Cyber Risk & Data Security State Issues State Regulators Bank Regulatory

  • FFIEC releases “Architecture, Infrastructure, and Operations” booklet

    Agency Rule-Making & Guidance

    On June 30, the Federal Financial Institutions Examination Council (FFIEC) published the “Architecture, Infrastructure, and Operations” booklet of the FFIEC Information Technology Examination Handbook, which provides guidance to examiners on assessing the risk profile and adequacy of an entity’s information technology architecture, infrastructure, and operations (AIO). According to FDIC FIL-47-2021, the booklet, among other things: (i) describes the principles and practices that examiners should review in order to assess an entity’s AIO functions; (ii) focuses on “enterprise-wide, process-oriented approaches regarding the design of technology within the overall enterprise and business structure, implementation of information technology infrastructure components, and delivery of services and value for customers”; and (iii) mentions “assessing an entity’s governance of common AIO-related risks, enterprise-wide IT architectural planning and design, implementation of virtual and physical infrastructure, and on assessing an entity’s related operational controls.” In addition, according to an OCC announcement, the booklet discusses how appropriate governance of the AIO functions and related activities can: (i) promote risk identification across banks, nonbank financial institutions, bank holding companies, and third-party providers; (ii) support implementation of effective risk management; (iii) assist management through the regular assessment of an entity’s strategies; and (iv) promote alignment and integration between the functions. The booklet replaces the Operations booklet issued in July 2004.

    Agency Rule-Making & Guidance OCC FDIC CFPB FFIEC Risk Management Bank Regulatory

  • FinCEN plans to undertake future no-action letter rulemaking

    Agency Rule-Making & Guidance

    On June 30, the Financial Crimes Enforcement Network (FinCEN) announced the completion of a report on whether to establish a process for issuing no-action letters in response to inquiries concerning the application of the Bank Secrecy Act (BSA) and other anti-money laundering and countering the financing of terrorism laws to specific conduct, “including a request for a statement as to whether FinCEN or any relevant Federal functional regulator intends to take an enforcement action with respect to such conduct.” As required pursuant to Section 6305 of the Anti-Money Laundering Act of 2020 (included as part of the National Defense Authorization Act for Fiscal Year 2021 and covered by InfoBytes here), FinCEN submitted its no-action letter assessment to Congress. The assessment involved consultation with the Attorney General and other entities including the federal functional regulators, state bank and credit union supervisors, and other federal agencies.

    The agency analyzed various issues when conducting its assessment, including “whether a formal no-action process would help to mitigate or accentuate illicit finance risks in the United States.” Among other things, the report concluded that the majority of the consulting parties agreed that FinCEN should implement a no-action letter policy. “The primary benefits identified by those in favor of a no-action letter process are that it could promote a robust and productive dialogue with the public, spur innovation among financial institutions, and enhance the culture of compliance and transparency in the application and enforcement of the BSA,” FinCEN stated. According to FinCEN acting Director Michael Mosier, the agency concluded “that a no-action letter process would be a useful complement to its current forms of regulatory guidance and relief.” The agency stated it intends to undertake a future rulemaking “subject to resource limitations and competing priorities” to establish a process for issuing no-action letters that will supplement its current forms of regulatory guidance and relief. However, FinCEN noted that the no-action letter process would be most effective and workable if it were limited to the agency’s exercise of its own enforcement authority, instead of also addressing other regulators’ exercise of their own enforcement authorities.

    Agency Rule-Making & Guidance FinCEN Of Interest to Non-US Persons Bank Secrecy Act Anti-Money Laundering Combating the Financing of Terrorism No Action Letter Financial Crimes

  • FinCEN issues first government-wide AML/CFT priorities

    Agency Rule-Making & Guidance

    On June 30, the Financial Crimes Enforcement Network (FinCEN) issued the first government-wide priorities for anti-money laundering and countering the financing of terrorism (AML/CFT) policy (AML/CFT Priorities) pursuant to the Anti-Money Laundering Act of 2020 (AML Act). The AML/CFT Priorities were established in consultation with the Treasury Department’s Office of Foreign Assets Control, SEC, CFTC, IRS, state financial regulators, law enforcement, and national security agencies, and highlight key threat trends as well as informational resources to help covered institutions manage their risks and meet their obligations under laws and regulations designed to combat money laundering and counter terrorist financing. According to the AML/CFT Priorities, the most significant AML/CFT threats currently facing the U.S. (in no particular order) are corruption, cybercrime, domestic and international terrorist financing, fraud, transnational criminal organization activity, drug trafficking organization activity, human trafficking and human smuggling, and proliferation financing. FinCEN further noted it will update the AML/CFT Priorities to highlight new or evolving threats at least once every four years as required under the AML Act, and issued a separate statement providing additional clarification for covered institutions.

    Separately, the Federal Reserve Board, FDIC, NCUA, OCC, state bank and credit union regulators, and FinCEN also issued a joint statement providing clarity for banks on the AML/CFT Priorities. The statement emphasized that the publication of the AML/CFT Priorities “does not create an immediate change to Bank Secrecy Act (BSA) requirements or supervisory expectations for banks.” Rather, within 180 days of the establishment of the AML/CFT Priorities, FinCEN will promulgate regulations, as appropriate, in consultation with the federal functional regulators and relevant state financial regulators. The federal banking agencies noted that they intend to revise their BSA regulations as needed to address how the AML/CFT priorities will be incorporated into BSA requirements for banks, adding that banks will not be required to incorporate the AML/CFT Priorities into their risk-based BSA compliance programs until the effective date of the final revised regulations. However, banks may choose to begin considering how they intend to incorporate the AML/CFT Priorities, “such as by assessing the potential related risks associated with the products and services they offer, the customers they serve, and the geographic areas in which they operate.” Moreover, the statement confirmed that federal and state examiners will not examine banks for the incorporation of the AML/CFT Priorities into their risk-based BSA programs until the final revised regulations take effect.

    Agency Rule-Making & Guidance FinCEN Anti-Money Laundering Combating the Financing of Terrorism Of Interest to Non-US Persons Financial Crimes OFAC Department of Treasury SEC CFTC IRS State Regulators State Issues Anti-Money Laundering Act of 2020 Bank Secrecy Act Bank Regulatory Federal Reserve FDIC NCUA OCC

  • FDIC outlines revised approach for insured depository institution resolution planning

    Agency Rule-Making & Guidance

    On June 25, the FDIC announced PR-58-2021, which outlines a modified approach to implementing its rule requiring insured depository institutions (IDIs) with $100 billion or more in total assets (CIDIs) to submit resolution plans under the Federal Deposit Insurance Act. Among other things, the modified approach extends the resolution plan’s submission frequency to a three-year cycle and lays out new details regarding the FDIC’s emphasis on engagement with firms. The new approach “exempts filers from other content requirements that have been less useful or are obtainable through other supervisory channels.” In addition, on a case-by-case basis, the FDIC plans to “expressly exempt certain content requirements based on the FDIC’s evaluation of how useful or material the information would be in planning to resolve the specified CIDI.” Resolution plans will be submitted in two groups. The first group will contain IDIs whose top tier parent company is not regarded as a U.S. global systemically important bank or a category II banking organization. The second group encompasses all other IDIs with $100 billion or more in total assets. For institutions with less than $100 billion in total assets, the moratorium on submission of IDI plans announced in November 2018 remains in effect.

    Agency Rule-Making & Guidance FDIC Deposit Insurance Supervision Federal Deposit Insurance Act Bank Regulatory

  • HUD proposes restoring 2013 discriminatory effects rule

    Agency Rule-Making & Guidance

    On June 25, HUD published a notice of proposed rulemaking (NPRM) that would rescind the agency’s 2020 disparate impact regulation (2020 Rule) and reinstate the agency’s 2013 rule (2013 Rule). The 2020 Rule (covered by a Buckley Special Alert) was intended to align its disparate impact regulation, adopted in 2013, with the U.S. Supreme Court’s 2015 ruling in Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc. The 2020 Rule included, among other things, a modification of the three-step burden-shifting framework in its 2013 Rule, several new elements that plaintiffs must show to establish that a policy or practice has a “discriminatory effect,” and specific defenses that defendants can assert to refute disparate impact claims. Prior to the effective date of the 2020 Rule, the U.S. District Court for the District of Massachusetts issued a preliminary injunction staying HUD’s implementation and enforcement of the 2020 Rule.

    After a period of reconsideration, “HUD is proposing to recodify its previously promulgated rule titled, ‘Implementation of the Fair Housing Act’s Discriminatory Effects Standard’[], which, as of the date of publication of this [NPRM], remains in effect due to the preliminary injunction,” the NPRM stated, adding that HUD “believes the 2013 Rule better states Fair Housing Act jurisprudence and is more consistent with the Fair Housing Act's remedial purposes.” HUD emphasized that the 2013 Rule codified longstanding judicial and agency consensus concerning discriminatory effects law. “Under the 2013 rule, the discriminatory effects framework was straightforward: a policy that had a discriminatory effect on a protected class was unlawful if it did not serve a substantial, legitimate, nondiscriminatory interest or if a less discriminatory alternative could also serve that interest,” HUD said in its press release. “The 2020 rule complicated that analysis by adding new pleading requirements, new proof requirements, and new defenses, all of which made it harder to establish that a policy violates the Fair Housing Act. HUD now proposes to return to the 2013 rule’s straightforward analysis.” Comments on the NPRM are due August 24.

    Agency Rule-Making & Guidance Federal Issues HUD Disparate Impact Fair Housing Fair Housing Act Fair Lending

  • FFIEC updates BSA/AML examination manual

    Agency Rule-Making & Guidance

    On June 21, the Federal Financial Institutions Examination Council (FFIEC) published updated versions of four sections of the Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (Manual), which provides examiners with instructions for assessing a bank or credit union’s BSA/AML compliance program and compliance with BSA regulatory requirements. The revisions can be identified by a 2021 date label on the FFIEC BSA/AML InfoBase and include the following updated sections: International Transportation of Currency or Monetary Instruments Reporting, Purchase and Sale of Monetary Instruments Recordkeeping, Reports of Foreign Financial Accounts, and Special Measures. The FFIEC notes that the “updates should not be interpreted as new instructions or as a new or increased focus on certain areas,” but are intended to “offer further transparency into the examination process and support risk-focused examination work.” In addition, the Manual itself does not establish requirements for financial institutions as these requirements are found in applicable statutes and regulations. (See also FDIC FIL-12-2021 and OCC Bulletin 2021-10.) As previously covered by InfoBytes, in February the FFIEC updated the following sections of the Manual: Assessing Compliance with Bank Secrecy Act Regulatory Requirements, Customer Identification Program, Currency Transaction Reporting, and Transactions of Exempt Persons.

    Agency Rule-Making & Guidance FDIC Federal Reserve OCC FFIEC NCUA Bank Secrecy Act Anti-Money Laundering Of Interest to Non-US Persons Financial Crimes Bank Regulatory

  • CFPB resumes MLA exams

    Agency Rule-Making & Guidance

    On June 16, the CFPB issued an interpretive rule explaining the reversal of its prior determination that it lacked the authority to examine supervised financial institutions for compliance with the Military Lending Act (MLA). As previously covered by InfoBytes, in 2018, the Bureau discontinued MLA-related examination activities, contending the law does not explicitly prescribe the Bureau the authority to examine financial institutions for compliance with the MLA. In January 2019, the Bureau issued a statement from former Director Kathy Kraninger announcing that she had asked Congress to grant the agency “clear authority to supervise for compliance with the [MLA],” and in March 2019, Senate Democrats issued a letter urging the resumption of reviews for compliance with the MLA during routine lender examinations (covered by InfoBytes here and here).

    The CFPB’s interpretive rule states that the Bureau has statutory authority to conduct MLA examinations “[b]ecause conduct that violates the MLA is associated with activities that are subject to TILA and the CFPA.” The Bureau also indicated it may “conduct examinations of very large banks and credit unions for purposes of detecting and assessing those ‘risks to consumers’ that are ‘associated’ with ‘activities subject to’ Federal consumer financial laws.” The interpretive rule states that the Bureau can use formal administrative adjudications, civil enforcement actions, and other authorities to enforce the MLA, which is “complemented by the Bureau’s use of the examination process to detect and assess risks to consumers arising from violations of the MLA.” The rule also points out that the Bureau “believes that the very harmful conduct that Congress sought to prevent in the MLA, which the Bureau has the authority to remedy through its other authorities (specifically enforcement action), sits within the core of this authority.” CFPB acting Director Dave Uejio further emphasizes in the Bureau’s press release that “[t]hrough our enforcement of the MLA, companies that harmed military borrowers have been ordered to pay millions of dollars in redress and civil penalties. To fulfill its purpose and protect military borrowers we must supervise financial institutions and hold them accountable for endangering consumers.” With the issuance of the interpretative rule, the Bureau will now resume MLA-related examination activities.

    Agency Rule-Making & Guidance CFPB Military Lending Military Lending Act Examination Supervision

  • FDIC provides updates on real estate lending standards and MDIs

    Agency Rule-Making & Guidance

    On June 15, the FDIC Board of Directors met in open session to discuss Real Estate Lending Standards and Minority Depository Institutions (MDIs), among other things. According to FIL-41-2021, the FDIC issued a proposed rule to amend the Interagency Guidelines for Real Estate Lending Policies “to conform the method for calculating the ratio of loans in excess of the supervisory loan-to-value (LTV) limits with the capital framework established in the community bank leverage ratio (CBLR) rule.” The proposed amendments would provide a consistent approach for calculating the ratio of loans in excess of the supervisory LTV limits at all FDIC-supervised institutions by, among other things, establishing supervisory LTV criteria for certain real estate lending transaction types and allowing exceptions to the supervisory LTV limits. Comments on the proposed rule are due 30 days after publication in the Federal Register.

    During the meeting, the FDIC Board of Directors also approved and released an updated Statement of Policy Regarding Minority Depository Institutions to enhance the agency’s efforts to preserve and promote MDIs. In August 2020, the FDIC approved a proposed statement of policy, which updated and clarified the agency’s policies and procedures related to MDIs (covered by InfoBytes here). The recently updated statement of policy replaces the 2002 Statement of Policy and includes, among other things:

    • Clarification of the FDIC’s expectations for technical assistance and illustration of opportunities for engagement with members of FDIC staff;
    • Outreach efforts by the FDIC including, among other things, the establishment of the MDI Subcommittee of the Advisory Committee on Community Banking and enhanced activities to promote collaboration with MDIs;
    • Definitions of terms utilized in the MDI program, detailed reporting requirements, and specific methods used to measure the effectiveness of MDI program activities; and
    • Clarification of considerations made by examination staff when evaluating performance and assigning ratings.

    After considering the comment letters, the FDIC revised the proposed statement of policy to identify, specifically, “state bankers associations as collaboration partners, along with other trade associations that support MDIs in the development of education and training events and other initiatives for MDIs.”

    Agency Rule-Making & Guidance FDIC Minority Depository Institution Supervision Real Estate Bank Regulatory

  • Securities regulators’ training aims to stop financial exploitation of seniors

    Agency Rule-Making & Guidance

    On June 15, the SEC, North American Securities Administrators Association (NASAA), and FINRA announced the release of a training program, “Addressing and Reporting Financial Exploitation of Senior and Vulnerable Adult Investors,” to assist securities firms in implementing the training requirements established in the Senior Safe Act. As previously covered by InfoBytes, the Senior Safe Act was included as Section 303 of the Economic Growth, Regulatory Relief, and Consumer Protection Act, which was signed into law in May 2018. The Act addresses barriers financial professionals face in reporting suspected senior financial exploitation or abuse to authorities. The training program may be utilized by firms to instruct associated persons on how to detect, prevent, and report financial exploitation of senior and vulnerable adult investors. The program also acts as a resource for firms enforcing the requirements of the Senior Safe Act and certain state training requirements relating to senior investment protection.

    Agency Rule-Making & Guidance SEC FINRA NASAA Elder Financial Exploitation
