On November 18, at an American Bar Association/American Bankers Association conference on the Bank Secrecy Act/Anti-Money Laundering (BSA/AML), Deputy Attorney General (Deputy AG) James Cole challenged financial institutions’ compliance efforts and outlined the DOJ’s financial crimes enforcement approach. Noting that compliance within financial institutions is of particular concern to the DOJ, based in part on recent cases of “serious criminal conduct by bank employees,” the nation’s second highest ranking law enforcement official detailed DOJ’s approach to investigating and deciding in what manner to pursue potential violations. The Deputy AG included among his examples of serious misconduct recent BSA/AML, RMBS, mortgage False Claims Act, and LIBOR cases. He explained that the DOJ is particularly concerned about incentives that encourage excessive risk taking, and stated that “too many bank employees and supervisors value coming as close to the line as possible, or even crossing the line, as being ‘competitive’ or ‘aggressive.’”
Deputy AG Cole stated that the DOJ’s decisions about bringing criminal prosecutions are informed by the Principles of Federal Prosecution of Business Organizations, which include, among other factors: (i) the nature and seriousness of the offense; (ii) the pervasiveness of the wrongdoing within the corporation, including the complicity of corporate management; (iii) the corporation’s history of similar misconduct, including prior criminal, civil, and regulatory actions against it; and (iv) the adequacy of a corporation’s pre-existing compliance program. He added that the DOJ “look[s] hard at the messages that bank management and supervisors are actually giving to employees in the context of their day-to-day work.” Specifically, the DOJ (i) reviews chats, emails, and recorded phone calls; (ii) talks to witnesses to assess management’s compliance message; and (iii) examines the “incentives that banks provide their employees to either cross the line, or to exhibit compliant behavior.”
The Deputy AG stressed that “[i]f a financial institution wants to encourage compliance – if its values are not skewed towards making money at all costs – then that message must be conveyed to employees in a meaningful and effective way if they’d like [the] Department to view it as credible.” He echoed past calls by federal authorities for institutions to create “cultures of compliance” that include “real, effective, and proactive” compliance programs. Any institution that fails to do so, he cautioned, could be subject to prosecution.
On November 17, the Comptroller of the Currency, Thomas Curry, delivered remarks at the American Bar Association/American Bankers Association BSA/AML conference in which he identified common BSA/AML compliance risks and failures, and identified steps industry participants and regulators should take to improve compliance. The Comptroller explained that successful BSA/AML compliance is dependent not only on “the strength of the institution’s technology and monitoring processes, and the effectiveness of its risk management,” but also on strong corporate governance processes and management’s willingness to commit adequate resources. Comptroller Curry called on banks to commit sufficient resources and take a “holistic approach” toward BSA/AML compliance, for example, by dispersing accountability throughout the organization instead of concentrating compliance in a single unit. Noting that this is particularly important in the M&A context, the Comptroller stated that it is vital that due diligence go beyond a target’s credit portfolio to include a review of the target’s BSA/AML program. In addition to lack of compliance resources, the Comptroller identified as risk trends: (i) poor management of international activities—foreign correspondent banking, cross-border funds transfers, bulk cash repatriation, and embassy banking; (ii) third-party relationships and payment processors; and (iii) emerging payment technologies, including virtual currencies. 
He stressed the importance of information sharing among institutions and between institutions and their regulators, and called for (i) legislation that would encourage the filing of SARs by strengthening the statutory safe harbor from civil liability for filing financial institutions, (ii) broadening the Patriot Act safe harbor for institutions that share information with each other about potential crimes and suspicious transactions, and (iii) exploring ways government can provide more robust and granular information about money laundering schemes and typologies to institutions in a more timely way.
On November 20, the OCC announced in Bulletin 2013-34 that as part of its ongoing implementation of the Dodd-Frank Act’s mandate that the OCC integrate Office of Thrift Supervision (OTS) policies with existing OCC policies, the OCC is rescinding the OTS compliance documents listed in an appendix provided with the announcement. A second appendix lists OCC policy guidance that the OCC is applying to federal savings associations in cases where policy guidance did not already exist. The announcement does not cover OTS policies and guidance related to the FCRA, the CRA, UDAP, or mortgage regulations, which the OCC plans to address at a later date.
On November 12, the FDIC released the economic scenarios that will be used by certain financial institutions with total consolidated assets of more than $10 billion for stress tests required under the Dodd-Frank Act. Each scenario includes key variables that reflect economic activity, including unemployment, exchange rates, prices, income, interest rates, and other salient aspects of the economy and financial markets. The baseline scenario represents expectations of private sector economic forecasters; the adverse and severely adverse are hypothetical scenarios designed to assess the strength and resilience of financial institutions and their ability to continue to meet the credit needs of households and businesses under stressed economic conditions. The FDIC release follows the recent release of stress test scenarios by the Federal Reserve Board and the OCC. The Federal Reserve Board also recently issued a final policy statement that describes the process by which it will develop future stress test scenarios.
On November 5, the Federal Reserve Board announced the annual indexing of the amounts used in determining reserve requirements of depository institutions and deposit reporting panels effective in 2014. The Board amended Regulation D to (i) set the amount of total reservable liabilities of each depository institution that is subject to a zero percent reserve requirement in 2014 at $13.3 million (from $12.4 million in 2013) and (ii) set the amount of net transaction accounts at each depository institution (over the reserve requirement exemption amount) that is subject to a three percent reserve requirement in 2014 at $89.0 million (from $79.5 million in 2013). These are known as the reserve requirement exemption amount and the low reserve tranche, respectively. The new exemption amount and low reserve tranche will apply to the 14-day reserve maintenance period that begins January 23, 2014. For depository institutions that report deposit data weekly, this maintenance period corresponds to the 14-day computation period that begins Tuesday, December 24, 2013. For depository institutions that report deposit data quarterly, this maintenance period corresponds to the seven-day computation period that begins Tuesday, December 17, 2013. The Board also announced changes in the nonexempt deposit cutoff level and the reduced reporting limit, which are used to determine the frequency with which depository institutions must submit deposit reports.
On November 6, the OCC issued two bulletins to announce an addition and revisions to the Comptroller’s Handbook. The OCC also rescinded certain Handbook provisions. Bulletin OCC 2013-30 adds to the Handbook the “Qualified Thrift Lender” (QTL) booklet, which includes the “Qualified Thrift Lending Test,” issued June 2002 as part of the Office of Thrift Supervision’s Examination Handbook. The revisions are statutory in nature and include, among other things, new language pursuant to the Dodd–Frank Act regarding QTL failure and the violation of HOLA section 5 and additional limitations in the payment of dividends. Bulletin OCC 2013-31 updates the “Insider Activities” booklet and provides guidance for examiners and bankers on how national banks and federal savings associations may legally and prudently engage in transactions with insiders. The booklet explains how to implement risk management processes that provide for the appropriate control and monitoring of insider activities and how examiners review and assess insider activities during the supervisory process.
On October 30, the OCC issued Bulletin 2013-29 to update guidance relating to third-party risk management. The Bulletin, which rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9, requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, including joint ventures, affiliates or subsidiaries, and payment processors. It is substantially more prescriptive than CFPB Bulletin 2012-3, and incorporates third-party relationship management principles underlying recent OCC enforcement actions.
The Bulletin warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” It outlines a “life cycle” approach and provides detailed descriptions of steps that a bank should consider taking at five important stages:
Planning: A third party relationship should begin with an internal assessment of risks relating to third parties in general, and to the intended third party in particular. Such planning should focus on both the potential impact to the bank and the bank’s customers, as well as potential security, regulatory, and legal ramifications.
Due Diligence and Third Party Selection: The Bulletin requires that the bank conduct an adequate due diligence review of the third party prior to entering a contract. Proper due diligence includes a thorough evaluation of all potential third parties, and the degree of diligence should be commensurate with the level of risk and complexity. In particular, banks should look to external organizations such as trade associations, the Better Business Bureau, the FTC, and state regulators when performing diligence on consumer-facing third parties. While prior Bulletin 2001-47 contained a list of potential items for due diligence review, Bulletin 2013-29 describes them in more detail and adds to the specific areas that due diligence should focus on, including:
- Legal and regulatory compliance: The bank should “evaluate the third party’s legal and regulatory compliance program to determine whether the third party has the necessary licenses to operate and the expertise, processes and controls to enable the bank to remain compliant with domestic and international laws and regulations;”
- Fee structure and incentives: The bank should determine if the fee structure and incentives would create burdensome upfront fees or result in inappropriate risk taking by the third party or the bank;
- Risk management systems: The bank should have adequate policies, procedures, and internal controls, as well as processes to escalate, remediate, and hold management accountable for audit and independent testing reviews;
- Human resource management: The bank should review the third party’s training program and processes to hold employees accountable for compliance with policies and procedures; and
- Conflicting contractual arrangements: The bank should check a third-party vendor’s contractual arrangements with other third parties, which may indemnify the vendor and may therefore expose the bank to additional risk.
Contract Negotiation: All relationships should be documented by a written contract that clearly defines the responsibilities of both the bank and the third party. Among other things, the contract should provide for performance benchmarks, information retention, the right to perform an audit, and OCC supervision. Bulletin 2013-29 expands upon Bulletin 2001-47 with respect to the following areas:
- Legal and regulatory compliance: Contracts should require compliance with applicable laws and regulations, including GLBA, BSA/AML, OFAC, and fair lending, as well as other consumer protection laws and regulations;
- Audits and remediation: Contracts should provide for the bank’s right to conduct audits and periodic regulatory compliance reviews, and to require remediation of issues identified;
- Indemnification: Contracts should include indemnification as appropriate for noncompliance with applicable law, and for failure to obtain any necessary intellectual property licenses;
- Consumer complaints: The bank should specifically require the third party to submit “sufficient, timely, and usable information on consumer complaints to enable the bank to analyze customer complaint activity and trends for risk management purposes;” and
- Subcontractor management: The bank should incorporate provisions specific to the third party’s own use of subcontractors, including obligations to report on conformance with performance measures and compliance with laws and regulations, and should reserve the right to terminate the contract if the subcontractors do not meet the third party’s obligations to the bank.
Ongoing Monitoring: The bank should dedicate sufficient staff to monitor the third party’s activities throughout the relationship as it may change over time. Bulletin 2013-29 expands upon Bulletin 2001-47 in the following notable ways:
- Legal and regulatory compliance: The bank should monitor third-party vendors for compliance with all applicable laws and regulations;
- Early identification of issues: The bank should consider whether the third party has the ability to effectively manage risk by self-identifying and addressing issues;
- Subcontractor management: The bank should continuously monitor a third-party vendor’s reliance on or exposure to subcontractors and perform ongoing monitoring and testing of subcontractors; and
- Consumer complaints: The bank should monitor the “volume, nature, and trends” of consumer complaints relating to the actions of third-party vendors, particularly those that may indicate compliance or risk management deficiencies.
Termination: The Bulletin specifies for the first time a termination “stage” in the third-party relationship management life cycle. Banks should develop a contingency plan for the end of the relationship, either through the normal course or in response to default. The contingency plan may transfer functions to a different third party or in-house.
The Bulletin defines as “critical” any activities involving significant bank functions (payments, clearing, settlements, and contingency planning); significant shared services (information technology); or other activities that (i) could cause a bank to face significant risk as a result of third-party failures, (ii) could have significant customer impacts, (iii) involve relationships that require significant investments in resources to implement and manage, and (iv) could have a major impact on bank operations if an alternate third party is required or if the outsourced activity must be brought in-house.
These “critical” activities should be the focus of special, enhanced risk management processes. Specifically, the bank should conduct more extensive due diligence on the front end, provide summaries of due diligence to the board of directors, ensure that the board of directors reviews and approves third-party contracts, engage in more comprehensive ongoing monitoring of the third party’s performance and financial condition (including, potentially, a look comparable to the analysis the bank would perform when extending credit), ensure that the board of directors reviews the results of ongoing monitoring, and periodically arrange for independent testing of the bank’s risk controls.
Finally, the Bulletin sets forth obligations and responsibilities relating to third-party relationships, from the bank employees who manage them to the board of directors, including retention of due diligence results, findings, and recommendations, as well as regular reports to the board and senior management relating to the bank’s overall risk management process.
Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- Jeffrey P. Naimon, (202) 349-8030
- Christopher M. Witeck, (202) 349-8051
- Jonice Gray Tucker, (202) 349-8005
- Valerie L. Hletko, (202) 349-8054
- Michelle L. Rogers, (202) 349-8013
- Jon David Langlois, (202) 349-8045
Prudential Regulators Issue Joint Agreement On Classification And Appraisal Of Securities Held By Financial Institutions
On October 29, the FDIC, the Federal Reserve Board, and the OCC issued a joint agreement to update and revise the 2004 Uniform Agreement on the Classification of Assets and Appraisal of Securities Held by Banks and Thrifts. The updated agreement reiterates the importance of a robust investment analysis process and the agencies' longstanding asset classification definitions. It also replaces references to credit ratings with alternative standards of creditworthiness consistent with sections 939 and 939A of the Dodd-Frank Act, which directed the agencies to remove any reference to or requirement of reliance on credit ratings in the regulations and replace them with appropriate standards of creditworthiness. The agencies adopted those new standards in 2012 (see, e.g., the OCC’s final rule). The joint agreement provides examples to demonstrate the appropriate application of the new standards to the classification of securities.
On October 24, the Federal Reserve Board issued a proposed rule it developed with the OCC and the FDIC to establish a minimum liquidity coverage ratio (LCR) consistent with the Basel III LCR, with some modifications to reflect characteristics and risks of specific aspects of the U.S. market and U.S. regulatory framework. The proposal would create for the first time a minimum liquidity requirement for certain large or systemically important financial institutions. The covered institutions would be required to hold (i) minimum amounts of high-quality, liquid assets such as central bank reserves and government and corporate debt that can be converted easily and quickly into cash, and (ii) liquidity in an amount equal to or greater than their projected cash outflows minus their projected cash inflows during a short-term stress period. The requirements would apply to all internationally active banking organizations—i.e., those with $250 billion or more in total consolidated assets or $10 billion or more in on-balance sheet foreign exposure—and to systemically important, non-bank financial institutions designated by the FSOC. The proposal also would apply a less stringent, modified LCR to bank holding companies and savings and loan holding companies that are not internationally active, but have more than $50 billion in total assets. The regulators propose various categories of high quality, liquid assets and also specify how a firm's projected net cash outflows over the stress period would be calculated using common, standardized assumptions about the outflows and inflows associated with specific liabilities, assets, and off-balance-sheet obligations. Comments on the proposed rule must be submitted by January 31, 2013.
On August 8, the CFPB released an updated small business guide for the remittance transfer rule it finalized last year and revised in May 2013. The updated guide summarizes the remittance rule and discusses the new requirements, which take effect on October 28, 2013. The CFPB also issued technical corrections to the May 2013 amendments, and released a video that provides an overview of the rule and the recent changes, as well as implementation guidance.