InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Banking regulators extend comment period on bank-fintech relationships
On September 13, the Fed, OCC and the FDIC (the agencies) released a notice extending the comment period of their request for information regarding bank-fintech arrangements by one month. The notice extends the original deadline to October 30. As previously covered by InfoBytes, the agencies sought feedback on bank-fintech arrangements, effective risk management practices for these arrangements, and whether enhancements to existing supervision are needed.
OCC releases final rule on the Bank Merger Act
On September 17, the OCC approved a final rule amending its procedures for reviewing applications under the Bank Merger Act. The rule will aim to provide clearer guidelines for institutions regarding the OCC’s review process for bank mergers and ensure institutions remain relevant in the current financial landscape. Some commenters argued this change could increase the cost of applications — particularly for smaller banks. However, the OCC believes these changes will align the regulatory framework with current practices and promote transparency.
The final rule will also introduce a policy statement, included as Appendix A to 12 CFR Part 5, which will delineate the principles and statutory factors the OCC would consider when reviewing bank merger applications. The OCC will evaluate factors such as financial stability, financial and managerial resources, and the convenience and needs of a community. Applications with positive indicators, such as well-capitalized acquirers and no significant adverse effects on competition, will increase the likelihood of expeditious approval. Conversely, applications with indicators of supervisory or regulatory concerns, such as poor CRA ratings or ongoing enforcement actions, may be less likely to be approved unless these issues are adequately addressed.
In its consideration of financial stability, the OCC will assess factors such as the size of the combined institutions, the availability of substitute providers, and the complexity of the financial system. The OCC will apply a balancing test to weigh the financial stability risks posed by the pending transaction against the risk posed by denying it. The OCC may impose conditions on approval to address financial stability concerns, such as requiring asset divestitures or higher capital requirements. The policy statement will also outline the OCC’s approach to evaluating financial and managerial resources, such as considering the institutions’ capital levels, risk profiles, and managerial capabilities. The OCC plans to assess the needs of the community, considering factors such as branch closures, job losses and community investment initiatives. The final rule will go into effect on January 1, 2025.
DOJ announces its withdrawal from the 1995 Bank Merger Guidelines
On September 17, the DOJ announced its withdrawal from the 1995 Bank Merger Guidelines, stating the 2023 Merger Guidelines will be the only authoritative statement across all industries. This decision followed collaboration with the Fed, FDIC and OCC and was informed by public feedback, departmental experience and market developments. The 2023 Merger Guidelines include predefined market definitions and thresholds for Herfindahl-Hirschman Index (HHI) calculations to identify mergers with significant adverse effects on competition. The DOJ also announced the release of new commentary for the 2023 Merger Guidelines, which identify competition issues related to bank mergers and provide transparency on the DOJ’s merger review process.
The announcement also clarified that neither the 2023 Merger Guidelines nor the 2024 Banking Addendum to these Guidelines predetermine DOJ enforcement actions, and that enforcement decisions will be made on a case-by-case basis. The 2024 Banking Addendum to the 2023 Merger Guidelines highlights the DOJ’s approach to evaluating competition in bank mergers under the Clayton Act. The Addendum identifies relevant sections of the 2023 Merger Guidelines for analyzing competitive consequences in banking, such as geographic overlaps and product-specific competition.
Fed issues enforcement action after inspections, examinations
On September 11, the Fed announced a written agreement entered by a bank holding company and its Connecticut state-chartered bank, with the Federal Reserve Bank of New York, and the State of Connecticut Department of Banking (collectively, the supervisors) to address deficiencies identified during inspections and examinations conducted in 2023.
Among other things, the agreement required: (i) the holding company’s board of directors to fully utilize the company’s financial and managerial resources to serve as a source of strength for the bank and ensure compliance with the agreement and any other supervisory actions; (ii) the bank to submit an enhanced liquidity risk management program and a revised written contingency funding plan that included steps to diversify funding sources, enhance liquidity stress test scenarios, and address contingency and adverse scenario planning; (iii) the bank to prepare and submit a revised strategic plan and budget; and (iv) the holding company and the bank to submit a plan to maintain sufficient capital, taking into account current and future capital requirements, the adequacy of the bank’s capital, and the source and timing of additional funds. Further, effective immediately, the holding company and the bank are prohibited from declaring or paying dividends, engaging in share repurchases, or making any other capital distribution regarding common shares, preferred shares or other capital instruments without the prior written approval of the supervisors.
FDIC issues NPRM requiring banks to provide accurate record-keeping in connection with third-party arrangements
On September 17, the FDIC released an NPRM aimed at strengthening record-keeping requirements for banks’ holding deposits from third-party non-bank companies (i.e., fintechs). The proposed rule seeks to mitigate risks among third-party arrangements, protect depositors and bolster public confidence in insured deposits. FDIC Chairman Martin J. Gruenberg emphasized that the rule would ensure banks are aware of the actual owners of deposits placed by third parties and can provide depositors with their funds even if a third party fails.
The FDIC’s proposed rule targets custodial deposit accounts with transactional features, where deposits from multiple beneficial owners are commingled. The proposed rule would require banks to maintain records identifying the beneficial owners, their balances and the ownership category of the deposited funds. While these records must be reconciled daily, banks will have the option to maintain these records themselves or request a third party to handle them. The proposed rule also included several exemptions such as accounts holding only trust deposits, government deposit accounts, and accounts established by brokers or dealers. The proposed rule would mandate that banks establish written policies and procedures to ensure compliance and conduct annual testing and validation of records.
Fed’s Barr speaks on changes to Basel III and liquidity requirements
On September 10, the Fed released the prepared remarks given by the Vice Chair for Supervision, Michael Barr, on changes to the Basel III endgame proposal and the capital surcharge for global systemically important banks (G-SIBs). The proposed changes aim to ensure banks hold enough capital to balance risk while maintaining the financial system’s safety and soundness and contributing to a “well-functioning economy that works for everyone.”
Barr stated that the revised Basel III endgame proposal will no longer apply to banks with assets between $100 billion and $250 billion, except for the requirement to recognize unrealized gains and losses of their securities in regulatory capital. This change reflects stakeholder feedback and aims to better reflect risks. Proposed revisions to the G-SIB surcharge are intended to address issues such as “window dressing” and “cliff effects.” In the aggregate, the re-proposals will increase common equity tier 1 capital requirements for the largest and most complex G-SIBs by 9 percent, while other large banks will see a 3 to 4 percent increase in capital requirements. Barr will recommend that the Fed not adopt the proposed changes to capital requirements associated with client clearing to avoid disincentives.
For credit risk, Barr will recommend that the Fed lower the proposed risk-weighting for loans secured by residential real estate and loans to retail customers. The proposed changes also include extending the reduced risk weight for low-risk corporate exposures that are investment grade but not publicly traded. Additionally, Barr will recommend that the Fed not adopt the capital treatment associated with minimum haircut floors for securities financing transactions, allowing time for greater international consensus on this topic. In terms of operational risk, Barr will recommend that the Fed no longer adjust a firm’s operational risk charge based on its operational loss history. The proposed changes also include reducing operational risk capital requirements for investment management activities. Barr noted that the Fed will accept “public comments on any aspect of the Basel endgame and G-SIB surcharge proposals.”
FDIC sunsets its FFIEC Cybersecurity Assessment Tool
On September 5, the FFIEC announced the sunsetting of the Cybersecurity Assessment Tool (CAT) on August 31, 2025. The CAT, introduced in June 2015, was a voluntary tool designed to help financial institutions identify cybersecurity risks and assess preparedness. However, the FFIEC decided to discontinue the CAT because of the availability of new and updated resources that better address evolving cybersecurity risks — including the NIST Cybersecurity Framework 2.0 and the Cybersecurity and Infrastructure Security Agency’s Cross-Sector Cybersecurity Performance Goals. The FFIEC will remove the CAT from its website on the sunset date and will discuss the new resources during a banker webinar in the fall.
FDIC issues list of banks examined for CRA compliance
On September 4, the FDIC released its latest evaluations of state nonmember banks for compliance under the CRA. The Financial Institutions Reform, Recovery, and Enforcement Act of 1989 requires public disclosure of evaluations and ratings for banks undergoing CRA examinations. These ratings assess how well banks meet the credit needs of their communities, including low- and moderate-income neighborhoods, while maintaining safe and sound operations. The FDIC’s recent evaluations included 54 banks, which received ratings in June 2024. Two banks were rated as “Needs to Improve” while the remaining institutions received a “Satisfactory” rating.
Fed issues cease and desist against bank
On September 4, the Fed and the Texas Department of Banking published a cease and desist order alleging deficiencies identified in a Texas-based bank’s corporate governance, risk management and compliance with BSA/AML laws. Under the order, the bank’s board of directors will be required to submit a plan to strengthen oversight of compliance with BSA/AML requirements and Office of Foreign Assets Control (OFAC) regulations. The plan must include actions to maintain effective control, contain measures to track and escalate noncompliance, and ensure adequate resources and expertise.
The board must submit a corporate governance plan addressing the findings of an independent third-party report. The bank must also submit a revised BSA/AML compliance program, which should address third-party report findings, enhance internal controls, conduct comprehensive risk assessments, and ensure independent testing and effective training.
In addition, the bank must submit quarterly progress reports detailing actions taken to comply with the order. The bank’s board of directors consented to the order and waived any rights to challenge its terms.
FDIC announces updates to its examination handbook
On August 29, the FDIC announced that the Federal Financial Institutions Examination Council (FFIEC) updated its examination handbook. These updates revised specific parts and renamed it from the “Development and Acquisition” booklet to the “Development, Acquisition, and Maintenance” (DA&M) booklet. These revisions ensured the booklet remained relevant amid ongoing technology changes in the financial services sector, focusing literally on the development, acquisition, and maintenance of information technology (IT) infrastructure to integrate these components within a business.
Significant updates to the DA&M booklet included the incorporation of cybersecurity throughout as well as new sections on governance, risk management, and common risk elements applicable to hardware and software technologies. The Common Risk Topics section will now cover a wide range of issues, such as licenses, secure development, data protection, and third-party relationship and supply chain risk management. The Development section has been expanded to include discussions on strategic IT planning, development standards and controls, and methodologies like “DevOps” and “DevSecOps.” This section will aim to integrate IT development with business functions to enhance service delivery to customers. The Acquisition section now covers acquisition policies, standards, procedures, and project management, providing detailed guidance on solicitation, evaluation and contractual agreements.
The Maintenance section has been updated to address key operational principles in IT environments, including preventative maintenance, change management and end-of-life considerations.
Throughout the booklet, the FFIEC has improved consistency and alignment with authoritative standards such as NIST, replacing “financial institutions” with “entities” to encompass third-party service providers and significant service providers, and included applicable joint/interagency guidance.