InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Toomey pressures FDIC to respond to alleged anti-crypto actions
On August 16, Senator Pat Toomey (R-PA) informed FDIC acting Chairman Martin Gruenberg that information provided by whistleblower communications suggest that the agency may be asking banks to “refrain from expanding relationships with crypto-related companies, without providing any legal basis.” Toomey’s letter expressed concerns about the ramifications of banks restricting services to legal crypto-related companies, stressing that “[g]iven the FDIC’s involvement under [Gruenberg’s] leadership in the Obama administration’s notorious Operation Choke Point, which sought to coerce banks into denying services to legal yet politically disfavored businesses, it is important to better understand the actions the FDIC is now taking and the legal basis for them.” He commented that regional offices allegedly received draft letters to send to banks requesting that they refrain from expanding relationships with crypto-related companies, and cited an example of a bank that planned to provide customers access to a crypto-related trading platform through the bank’s mobile app. “This arrangement appears similar to the common practice of banks partnering with third-parties so customers can access services like stock-trading platforms,” Toomey said, adding that the bank was going to send customers clear disclosures warning them that neither the trading platform nor their digital assets were insured by the FDIC. He cited another alleged incident where FDIC-headquartered employees purportedly urged regional examination staff to downgrade their classification of a specific loan that a bank made to a crypto-related company. “It is my understanding that it is highly atypical for FDIC headquarters personnel to be involved in reviewing an individual loan,” Toomey said. “FDIC regional office staff reportedly interpreted the involvement of FDIC headquarters in this matter as an effort to change how loans to crypto-related companies are generally classified and to deter banks from extending such loans in the future.” Claiming that the agency “may be abusing its supervisory powers to deter banks from extending credit to crypto-related companies,” Toomey asked the FDIC to respond to several questions pertaining to its alleged behavior by August 30.
Fed discusses technology, innovation, and financial services
On August 17, Federal Reserve Governor Michelle W. Bowman spoke before the VenCent Fintech Conference in Arkansas regarding technology, innovation, and financial services. In her remarks, Bowman discussed the importance of technology and how it is leading to new bank business models, including application programming interfaces and other technologies that allow nonbank technology firms to provide financial services. Bowman also discussed why customers engage more in crypto assets, such as that there has been “significant consumer demand for engagement in these types of services,” and that “banks have observed their deposits flowing to nonbank crypto-asset firms and, understandably, would like to stem that outflow by offering the services themselves.” Bowman also noted that the Fed is “working to articulate supervisory expectations for banks on a variety of digital asset-related activities,” such as custody of crypto-assets and loans collateralized by crypto-assets, among other things. She addressed supervisory guidance recently released by the Fed (covered by InfoBytes here), which “provide[s] banks with additional information about the risks of crypto activities and remind[s] them to ensure that the activities are legal and [that] they should have adequate systems, risk management, and controls in place to conduct the activities in a safe and sound manner consistent with applicable law.” Bowman also discussed the Fed’s involvement in artificial intelligence (AI), noting that last year, the Fed joined with other financial agencies to issue a Request for Information (RFI) on input on financial institutions’ use of AI (covered by InfoBytes here) and has received over 100 responses. As noted in the RFI, banks are using AI in a variety of ways, including fraud monitoring, personalization of customer services, credit decisions, risk management, and textual analysis. As covered by a Buckley Special Alert, in May, the Fed issued a final rule for its FedNow instant-payments platform that offers more clarity on how the new service will work while essentially adopting the proposed rule. Bowman contended that FedNow “will enable financial institutions of every size, and in every community across America, to provide safe and efficient instant payment services,” and that it is “a flexible, neutral platform that will support a broad variety of instant payments.” In regard to novel charters and access to federal reserve account services, Bowman closed by highlighting the Fed’s final guidelines governing how Reserve Banks will evaluate requests for account access. Bowman explained that “[t]he guidelines take into account the Board's goals to (1) ensure the safety and soundness of the banking system; (2) effectively implement monetary policy; (3) promote financial stability; (4) protect consumers; and (5) promote a safe, efficient, inclusive, and innovative payment system.”
Fed urges banks to assess legality of crypto activities
On August 16, the Federal Reserve Board issued supervisory letter SR 22-6 recommending steps that Fed-supervised banking organizations engaging or seeking to engage in crypto-asset-related activities should take. The Fed stressed that organizations must assess whether such activities are legally permissible and determine whether any regulatory filings are required under the federal banking laws. Organizations should also notify the regulator and “have in place adequate systems, risk management, and controls to conduct such activities in a safe and sound manner” prior to commencing such activities. Risk management controls should cover, among other things, “operational risk (for example, the risks of new, evolving technologies; the risk of hacking, fraud, and theft; and the risk of third-party relationships), financial risk, legal risk, compliance risk (including, but not limited to, compliance with the Bank Secrecy Act, anti-money laundering requirements, and sanctions requirements), and any other risk necessary to ensure the activities are conducted in a manner that is consistent with safe and sound banking and in compliance with applicable laws, including applicable consumer protection statutes and regulations,” the supervisory letter explained, adding that state member banks are also encouraged to contact their state regulator before engaging in any crypto-asset-related activity. Organizations already engaged in crypto activities should contact the Fed “promptly” if they have not already done so, the agency said, noting that supervisory staff will provide any relevant supervisory feedback in a timely manner.
The supervisory letter follows an interagency statement released last November by the Fed, OCC, and FDIC (covered by InfoBytes here), which announced the regulators’ intention to provide greater clarity on whether certain crypto-asset-related activities conducted by banking organizations are legally permissible.
OCC updates bank accounting guidance
On August 15, the OCC released an annual update to its Bank Accounting Advisory Series (BAAS). (See also OCC Bulletin 2022-20.) Intended to address a variety of accounting topics relevant to national banks and federal savings associations and to promote consistent application of accounting standards and regulatory reporting among OCC-supervised banks, the BAAS reflects updates that clarify accounting standards issued by the Financial Accounting Standards Board related to, among other things, (i) “the amortization of premiums on debt securities with a call option over a preset period”; and (ii) “lessors’ classification of certain leases with variable lease payments.” The 2022 edition also includes answers to frequently asked questions from industry and bank examiners. The OCC notes that the BAAS does not represent OCC rules or regulations but rather “represents the Office of the Chief Accountant’s interpretations of generally accepted accounting principles and regulatory guidance based on the facts and circumstances presented.”
States stress importance of CRA modernization
On August 5, a coalition of 15 state attorneys general submitted a comment letter in support of the joint notice of proposed rulemaking (NPRM) issued by the FDIC, OCC, and Federal Reserve Board (collectively, “agencies”) regarding modernizing the Community Reinvestment Act (CRA). As previously covered by InfoBytes, the NPRM, among other things, would update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. According to the letter, the NPRM is “a marked improvement over prior proposals that some of the agencies set out in the last several years.” The AGs noted that the final rule “must ensure that all members of our communities are fully served by financial institutions” and urged the agencies to continue to strengthen it. The AGs further encouraged the agencies to focus on: (i) ensuring the NPRM “vindicates CRA’s core purpose to address racial inequalities”; (ii) increasing the regulatory bar so “that banks are taking meaningful action to meet low- and moderate income (LMI) community needs; and (iii) “[l]everaging incentives to encourage affordable housing development for LMI communities without displacement.” Additionally, the AGs suggested that the NPRM “should be modified to ensure that this once-in-a-generation modernization effort gives the regulators the tools they need to carry out CRA’s imperative—that financial institutions be required to address the needs of our most vulnerable communities—in our States and across the Nation.” The AGs also noted that some states “expressed concern that the widening racial wealth gap stemming from historical redlining would be exacerbated by an uneven pandemic recovery.” Specifically, the letter stated that “two-and-a-half years into the COVID-19 crisis, the States face an affordable and accessible housing crisis, increased homelessness and housing insecurity, and historic levels of inflation that disproportionally threaten low-income communities and communities of color.” The AGs stated that CRA regulatory reform “can be a key element of addressing these problems.”
New York proposes new cybersecurity reporting requirements for financial institutions
Recently, NYDFS released proposed second amendments to New York’s Cybersecurity Regulation (23 NYCRR Part 500), which would, if adopted, require a financial institution’s senior officer or board of directors to approve the entity’s cybersecurity policy. Entities would also be required to disclose whether their directors have expertise in overseeing security risks or whether they rely on third-party cyber consultants. Among other things, the proposed amendments would require cybersecurity executives to provide directors timely alerts of significant cyber issues or events and provide annual reports to the board on cyber risks and defenses as well as on plans for remediating identified inadequacies. Additional requirements include: (i) multi-factor authentication for all privileged accounts (except for service accounts), as well as for “remote access to the network and enterprise and third-party applications from which nonpublic information is accessible”; (ii) limitations on asset and data retention management; (iii) training and monitoring of email to prevent unauthorized access; and (iv) incident response, business continuity, and disaster recovery plans.
The proposed amendments also contain provisions related to ransomware, including measures which would require entities to notify NYDFS within 72 hours of any unauthorized access to privileged accounts or deployment of ransomware within a “material” part of the entity’s information system. Entities would also be directed to alert the Department within 24 hours of making a ransom payment to a hacker—similar to a ransomware payment disclosure mandate included within the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” covering critical infrastructure (covered by InfoBytes here). Within 30 days, entities would also be required to explain the reasons that necessitated the ransomware payment, what alternatives to payment were considered, all diligence performed to find payment alternatives, and all diligence performed to ensure compliance with applicable OFAC rules and regulations including federal sanctions implications.
Comments on the proposed amendments are due August 18.
See continuing InfoBytes coverage on 23 NYCRR Part 500 here.
FDIC announces Missouri disaster relief
On August 12, the FDIC issued FIL-39-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Missouri affected by severe storms and flooding from July 25-28. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements.
Democrats ask OCC to rescind crypto guidance
On August 10, four U.S. Democratic Senators sent a letter to acting Comptroller of the Currency Michael Hsu urging the OCC to rescind November 2021 guidance permitting national banks to engage in certain cryptocurrency activities. According to the letter, the Senators “are concerned that the OCC’s actions on crypto may have exposed the banking system to unnecessary risk, and ask that [Hsu] withdraw existing interpretive letters that have permitted banks to engage in certain crypto-related activities.” The letter noted that the OCC unilaterally released interpretive letters related to cryptocurrencies in July 2020 (Interpretive Letter 1170), October 2020 (Interpretive Letter 1172), and January 2021 (Interpretive Letter 1174). In the letters, the Senators noted, the OCC determined that banks were permitted to engage in certain crypto-related activities, which include, among other things: (i) “providing cryptocurrency custody service for customers”; (ii) “holding deposits that serve as reserves for certain stablecoins”; and (iii) “operating independent node verification networks [] and stablecoins for payment activities.” The Senators argued that the letters “granted banks unfettered opportunity to engage in certain crypto activities and remain problematic” after the OCC issued another interpretive letter (Interpretive Letter 1179) under Hsu attempting to limit the risks posed by the policies set forth in the earlier letters. The Senators asked Hsu to provide information so that they can “better understand banks’ exposure to the crypto market” by August 24. The Senators also urged Hsu to work with the Fed and FDIC on replacing his agency’s existing crypto guidance with a more “comprehensive approach.”
Fed announces individual capital requirements for all large banks
On August 4, the Federal Reserve Board announced the individual capital requirements for all large banks, which are in part determined by the Board’s stress test results that provide a risk-sensitive and forward-looking assessment of capital needs. According to the Fed, the total common equity tier 1 (CETI) capital requirement for each bank is made up of several components, including a minimum CET1 capital requirement for all banks of 4.5 percent; a stress capital buffer that is determined from the supervisory stress test results and is at least 2.5 percent; and, if applicable, a capital surcharge for global systemically important banks (G-SIB) of at least 1 percent. The requirements are effective October 1.
Agencies seek comment on renewing FFIEC’s cybersecurity assessment tool
On August 8, the OCC, the Federal Reserve Board, the FDIC, and the NCUA (collectively, “Agencies”) issued a notice in the Federal Register soliciting comments on the renewal of the Federal Financial Institutions Examination Council’s cybersecurity assessment tool. According to the notice, the Agencies are seeking comment on, among other things: (i) “[w]hether the collection of information is necessary for the proper performance of the functions of the agencies, including whether the information has practical utility”; (ii) “[t]he accuracy of the Agencies’ estimates of the burden of the collection of information; (iii) how to “enhance the quality, utility, and clarity of the information to be collected”; and (vi) “minimize[ing] the burden of the collection on respondents.” Comments are due 30 days after publication in the Federal Register.