InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Fed governor says transparency is key for promoting innovation in the banking system
On March 14, Federal Reserve Governor Michelle W. Bowman presented thoughts on innovation trends within the U.S. financial system during a conference held by the Independent Community Bankers of America. Bowman commented that innovation has always been a priority for banks of all sizes and business models, and that regulators—often accused of “being hostile to innovation” within the regulated financial system—are continually trying to learn and adapt to new technologies, which often introduce new risks and vulnerabilities. In order to address these challenges, which are often amplified for community banks, Bowman said banks must be prepared to make improvements to risk management, cybersecurity, and consumer compliance measures, and regulators—playing a complementary role—must ensure rules are clear and transparent. She further stressed that “[i]t is absolutely critical that innovation not distract banks and regulators from the traditional risks that are omnipresent in the business of banking, particularly credit, liquidity, concentration, and interest rate risk.” Noting that these types of risks are present in all bank business models, Bowman said they “can be especially acute for banks engaging in novel activities or exposed to new markets, including crypto-assets.”
Explaining that transparency is important for promoting a safe, sound, and fair banking system, particularly when it comes to innovation, Bowman stated that insufficient clarity or transparency or disproportionately burdensome regulations may “cause new products and services to migrate to the shadow banking system.” Bowman went on to discuss ways bank regulation and supervision can support responsible innovation, and highlighted unique challenges facing smaller banks, as well as key actions taken by regulators to date relating to crypto assets, third-party risk management, cybersecurity, Community Reinvestment Act reform, bank mergers, and overdraft fees, among others.
Fed issues Bank Term Funding Program FAQs
On March 13, the Federal Reserve Board issued FAQs on its Bank Term Funding Program, which launched March 12, to provide additional funding to eligible depository institutions in order to meet depositors’ needs. The program will serve as an additional source of liquidity against high-quality securities, and will eliminate the need for an institution to quickly sell those securities in times of stress. Loans of up to one year in length will be made available to “banks, savings associations, credit unions, and other eligible depository institutions pledging U.S. Treasuries, agency debt and mortgage-backed securities, and other qualifying assets as collateral.” The Fed said in its announcement that it “is closely monitoring conditions across the financial system and is prepared to use its full range of tools to support households and businesses, and will take additional steps as appropriate.”
Hsu presses for global supervision of crypto
On March 6, acting Comptroller of the Currency Michael J. Hsu commented that the collapse of a major cryptocurrency exchange has underscored a need for consolidated supervision of global cryptocurrency firms. Speaking before the Institute for International Banker’s Annual Washington Conference, Hsu offered thoughts on how to build and maintain trust in global banking. “To be trustworthy, global crypto firms need a lead regulator who has authority and responsibility over the enterprise as a whole,” Hsu said. “Until that is done, crypto firms with subsidiaries and operations in multiple jurisdictions will be able to arbitrage local regulations and potentially play shell games using inter-affiliate transactions to obfuscate and mask their true risk profile.” Hsu pointed out that in order to conduct business in the U.S. foreign banks must be supervised by a home country via “a lead regulator with visibility and authority over the entirety of the bank’s global activities.” In contrast, not a single crypto firm is currently subject to consolidated supervision, Hsu said.
Hsu drew comparisons between a now-defunct international bank that led to significant changes in how global banks are supervised and the collapsed crypto exchange, arguing that there are “striking similarities” between the two, including that both (i) “faced fragmented supervision by a combination of state, federal, and foreign authorities”; (ii) “lacked a lead or ‘home’ regulator with authority and responsibility for developing a consolidated and holistic view of the firms”; (iii) “operated across jurisdictions where there was no established framework for regulators to share information on the firms’ operations and risk controls”; and (iv) “used multiple auditors to ensure that no one could have a holistic view of their firms.” To close the gap in the crypto sector, Hsu said action “will have to take place outside of bank regulatory channels,” but noted that the Financial Stability Board and other international bodies have already “recognized the need for a comprehensive global supervisory and regulatory framework for crypto participants.”
FDIC issues January enforcement actions
On February 24, the FDIC released a list of administrative enforcement actions taken against banks and individuals in January. The FDIC made public 11 orders, including “four combined orders of prohibition and orders to pay civil money penalties, one 8(b) consent order, one order to pay civil money penalty, three orders of prohibition, one order terminating a Section 19 order, and one order terminating consent order.”
The actions include a civil money order against a Pennsylvania-based bank related to alleged violations of the Flood Disaster Protection Act (FDPA). The FDIC determined that the bank had engaged in a pattern or practice of violating the FDPA by failing to provide required notices of lender-placed flood insurance to borrowers in 16 instances.
Additionally, the FDIC issued a consent order against an Iowa-based bank alleging the bank engaged in “unsafe or unsound banking practices and violations of law or regulations” relating to, among other things, its process for testing a proposed debit/prepaid card program. The FDIC stipulated that before starting the testing phase of any new debit card program or similar program, the bank “must develop, adopt, and implement an effective program addressing anti-money laundering (AML) / combating the financing of terrorism (CFT) controls” for the new program and conduct an independent assessment. The bank is also ordered to revise its AML/CFT policy and conduct a review of its information security program to ensure it reflects current risks.
Agencies warn banks of crypto-asset liquidity risks
On February 23, the FDIC, Federal Reserve Board, and OCC released a joint statement addressing bank liquidity risks tied to crypto-assets. The agencies warned that using sources of funding from crypto-asset-related entities may expose banks to elevated liquidity risks “due to the unpredictability of the scale and timing of deposit inflows and outflows.” The agencies addressed concerns related to deposits placed by crypto-asset-related entities for the benefit of end customers where the deposits may be influenced by the customer’s behavior or crypto-asset sector vulnerabilities, rather than the crypto-asset-related entity itself, which is the bank’s direct counterparty. The agencies warned that the “uncertainty and resulting deposit volatility can be exacerbated by end customer confusion related to inaccurate or misleading representations of deposit insurance by a crypto-asset-related entity.” The agencies also addressed issues concerning deposits that constitute stablecoin-related reserves, explaining that the stability of these types of deposits may be dependent on several factors, including the “demand for stablecoins, the confidence of stablecoin holders in the stablecoin arrangement, and the stablecoin issuer’s reserve management practices,” and as such, may “be susceptible to large and rapid outflows stemming from, for example, unanticipated stablecoin redemptions or dislocations in crypto-asset markets.”
The agencies’ statement reminded banking organizations to apply effective risk management controls when handling crypto-related deposits, commensurate with the associated liquidity risk of those deposits. The statement suggested certain effective risk management practices, which include: (i) understanding the direct and indirect drivers of potential deposit behavior to ascertain which deposits are susceptible to volatility; (ii) assessing concentrations or interconnectedness across crypto deposits, as well as the associated liquidity risks; (iii) incorporating liquidity risks or funding volatility into contingency funding planning; and (iv) performing robust due diligence and ongoing monitoring of crypto-asset-related entities that establish deposit accounts to ensure representations about these types of deposit accounts are accurate. The agencies further emphasized that banks are required to comply with applicable laws and regulations, including brokered deposit rules, as applicable, and Call Report filing requirements. The joint statement also reminded banks that they “are neither prohibited nor discouraged from providing banking services to customers of any specific class or type, as permitted by law or regulation.”
As previously covered by InfoBytes, the agencies issued a statement in January highlighting key risks banks should consider when choosing to engage in cryptocurrency-related services.
Fed revises Bank Holding Company Supervision Manual
The Federal Reserve Board recently updated sections of the Bank Holding Company Supervision Manual. (Changes to the manual were last made in November 2021.) The manual provides guidance for conducting inspections of bank holding companies and their nonbank subsidiaries, as well as savings and loan holding companies. “The supervisory objectives of the inspection program are to ascertain whether the financial strength of the bank holding company is being maintained on an ongoing basis and to determine the effects or consequences of transactions between a holding company or its nonbanking subsidiaries and its subsidiary banks,” the Fed explained. Included among the changes are updates to sections on the supervision of savings and loan holdings companies; supervision of holding companies with less than $10 billion in total consolidated assets; liquidity planning and positions applicable to large financial institutions; holding company ratings applicability and inspection frequency; supervision of subsidiaries related to nondeposit investment products; control and ownership of bank holding company formations; asset securitization risk management and internal controls; retail-credit classification; supervision of savings and loan holding companies; and Bank Holding Company Act exemptions. A new section—“Formal Corrective Actions”—revises previous guidance to include entities against which the Fed has statutory authority to take formal enforcement actions. The section also provides additional information on enforcement actions for Bank Secrecy Act and anti-money laundering compliance failures, as well as details on interagency enforcement coordination. The section further clarifies that the Fed “does not issue an enforcement action on the basis of a ‘violation’ of or ‘non-compliance’ with supervisory guidance.” Minor technical changes were made throughout the manual as well. A detailed summary of changes is available here.
Agencies propose Call Report revisions
On February 22, the FDIC, Federal Reserve Board, and the OCC announced the publication of a joint notice and request for comment proposing changes to three versions of the Call Report (FFIEC 031, FFIEC 041, and FFIEC 051), as well as changes to the Report of Assets and Liabilities of U.S. Branches and Agencies of Foreign Banks (FFIEC 002), as applicable. Section 604 of the Financial Services Regulatory Relief Act of 2006 mandates agency review of information collected in the Call Reports “to reduce or eliminate any requirement to file certain information or schedules if the continued collection of such information or schedules is no longer necessary or appropriate.” The proposed changes would eliminate and consolidate certain items in the Call Reports based on an evaluation of responses to a user survey addressing the Call Report schedules. The agencies are also requesting comments on certain technical clarifications made last year concerning the reporting of certain debt securities issued by Freddie Mac and proposed Call Report process revisions. The proposed changes if approved, will take effect as of the June 30, 2023, report date. Comments are due April 24.
OCC revises guidance on change in bank control
On February 16, the OCC released an updated version of the “Change in Bank Control” booklet of the Comptroller’s Licensing Manual. According to OCC Bulletin 2023-7, the revised licensing booklet—which outlines OCC policies and procedures regarding filings by persons who wish to acquire control of a national bank or federal savings association “through the purchase, assignment, transfer, pledge, exchange, succession, or other disposition of voting stock”—removes references to outdated guidance, provides current references to relevant guidance, and makes other minor modifications and corrections throughout. The booklet applies to all national banks, federal savings associations, and federal branches and agencies of foreign banking organizations.
FDIC orders entities to stop making fraudulent deposit insurance representations
On February 15, the FDIC sent letters to four entities demanding that they stop making false or misleading representations about FDIC deposit insurance. Letters were sent to a cryptocurrency exchange and to a nonbank financial services provider demanding that the entities cease and desist from making false and misleading statements about FDIC deposit insurance and take immediate corrective action to address these statements. The FDIC also sent letters to two websites ordering them to remove similar false and misleading statements claiming that the crypto exchange and the nonbank financial services provider are FDIC-insured and that FDIC insurance will protect customers’ cryptocurrency or protect customers in the event of the nonbank’s failure. Under the Federal Deposit Insurance Act, persons are prohibited “from representing or implying that an uninsured product is FDIC-insured or from knowingly misrepresenting the extent and manner of deposit insurance.”
Bowman discusses bank and third-party cyber risk management expectations
On February 15, Federal Reserve Board Governor Michelle W. Bowman delivered remarks at the Midwest Cyber Workshop, during which she discussed topics related to third-party service provider reliance and regulatory expectations concerning cyber risk management. “While we expect banks to be in touch with us when an event happens, cyber events should not be the first time a cyber-risk conversation occurs between a bank and its regulator.” Community banks frequently cite cybersecurity as one of the top risks facing the banking industry, Bowman said, adding that bankers have mentioned difficulties in attracting and retaining the staff needed to mitigate cyber risk. She also noted that ransomware disproportionately impacts smaller banks that might not “have sufficient resources to protect against these attacks.”
Pointing out that banks are becoming increasingly reliant on third-party service providers, Bowman said regulators should “consider the appropriateness of shifting the regulatory burden from community banks to more efficiently focus directly on service providers.” Regulators have authority to do so under the Bank Service Company Act, Bowman said, adding that “[i]n a world where third parties are providing far more of these services, it seems to me that these providers should bear more responsibility to ensure the outsourced activities are performed in a safe and sound manner.” She also referenced a 2021 final rule that requires banks to timely notify their primary federal regulator in the event of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place (covered by InfoBytes here). The reporting process, Bowman said, is also intended to streamline small banks’ efforts to monitor service providers (which are required to notify a bank-designated point of contact at each affected customer bank when a computer-security incident has occurred).
“We look forward to working with you to assist in clarifying expectations, applying regulatory guidance or seeking feedback on cyber-risk management strategies,” Bowman said. “We encourage bank management teams to engage with regulatory points of contact whenever questions arise on cybersecurity matters just as with any other regulatory matter.”