
InfoBytes Blog

Financial Services Law Insights and Observations


  • Federal Reserve Plans Regular Reporting On Bank Applications, Outlines Common Issues Resulting In Application Withdrawals

    Consumer Finance

    On February 24, the Federal Reserve Board announced in SR 14-2 that it will start publishing a semi-annual report to provide certain information on bank applications and notices filed with the Federal Reserve. The Board stated that the report will include statistics on the length of time taken to process various applications and notices and the overall volume of approvals, denials, and withdrawals. The report also will provide the primary reasons for withdrawals. The first report will be released in the second half of 2014 and will include filings acted on from January through June 2014. The letter also describes common issues identified by the Federal Reserve that have led to recent withdrawal of applications, including (i) less-than-satisfactory supervisory rating(s) for safety and soundness, consumer compliance, or CRA; (ii) inadequate compliance with the Bank Secrecy Act; and (iii) concerns regarding the financial condition or management of the proposed organization.

    Federal Reserve Bank Compliance Bank Supervision

  • FinCEN Director Reinforces Enforcement And Compliance Themes, Highlights Risks For Securities Firms

    Financial Crimes

    On January 30, in remarks to SIFMA’s AML and Financial Crimes Conference, FinCEN Director Jennifer Shasky Calvery stressed the importance of establishing a “culture of compliance” at financial institutions to support effective AML safeguards. The Director’s comments reinforce similar remarks made in recent months by both the Deputy U.S. Attorney General and Comptroller Curry. And like Comptroller Curry, Ms. Shasky Calvery highlighted the need for better information sharing not only within institutions but between institutions. FinCEN agrees with industry feedback that the agency needs to improve its own ability to share information. Also part of a broader theme among enforcement authorities, the Director explained that financial institutions should take responsibility when their actions violate the BSA, not only by admitting to the facts alleged by FinCEN but also by acknowledging a violation of the law. She highlighted specific risks in the securities sector including those related to the use of cash, and explained that securities firms that provide bank-like services need to consider the vulnerabilities associated with engaging in such services and must ensure that their compliance programs are commensurate with those risks.

    Anti-Money Laundering FinCEN Bank Secrecy Act Compliance Bank Compliance Enforcement

  • Special Alert: Federal Reserve Board Guidance on Managing Outsourcing Risks Mirrors Recent OCC Guidance

    Consumer Finance

    On December 5, 2013, the Federal Reserve Board (FRB or the Fed) issued Supervision and Regulation Letter 13-19, which details and attaches the Fed’s Guidance on Managing Outsourcing Risk (FRB Guidance). The FRB Guidance sets forth risks arising out of the use of service providers and the regulatory expectations relating to risk management programs. It is substantially similar to OCC Bulletin 2013-29, which the Office of the Comptroller of the Currency (OCC) issued on October 30, 2013.

    The FRB Guidance supplements existing guidance relating to risks presented by Technology Service Providers (TSPs) to reach service providers that perform a wide range of business functions, including, among other things, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing.

    While a complete roadmap of the FRB Guidance would be largely duplicative of our recent Special Alert relating to the OCC Bulletin 2013-29, key supervisory and enforcement themes emerge from a comparison of the two guidance documents.  Like the OCC, the Fed signals broadly that failure to effectively manage the use of third-party service providers could “expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation.” The Fed also emphasizes the responsibility of the Board of Directors and senior management to provide for the effective management of third-party relationships and activities.  It enumerates virtually the same risk categories as the OCC, including compliance, concentration, reputational, operational, country, and legal risks, though its discussion of those risks is slightly less comprehensive.

    The FRB Guidance makes clear that service provider risk management programs should focus on outsourced activities that are most impactful to the institution’s financial condition, are critical to ongoing operations, involve sensitive customer information, new products or services, or pose material compliance risk. While the elements comprising the service provider risk management program will vary with the nature of the financial institution’s outsourced activities, the Fed’s view is that effective programs usually will include the following:

    • Risk assessments: Institutions should evaluate the implications of performing an activity in-house versus having the activity performed by a service provider and also consider whether outsourcing an activity is consistent with the strategic direction and overall business strategy of the organization. This section of the FRB Guidance closely aligns with the section titled “Planning” in OCC Bulletin 2013-29.
    • Due diligence and selection of service providers: Institutions should address the depth and formality of due diligence of prospective service providers consistent with the scope, complexity, and importance of the planned outsourcing arrangement. The Fed emphasizes processes designed to diligence a potential service provider’s (i) business background, reputation, and strategy; (ii) financial performance and condition; and (iii) operations and internal controls. This section is less detailed, but nonetheless consistent with the section titled “Due Diligence and Third-Party Selection” in OCC Bulletin 2013-29.
    • Contract provisions and considerations: Service provider contracts should cover certain topics, including, but not limited to: (i) the scope of services covered; (ii) cost and compensation; (iii) right to audit; (iv) performance standards; (v) confidentiality and security of information; (vi) indemnification; (vii) default and termination; (viii) limits on liability; (ix) customer complaints; (x) business resumption and contingency plan of the service provider; and (xi) use of subcontractors. The key provisions noted generally mirror the “Contract Negotiation” section of OCC Bulletin 2013-29.
    • Incentive compensation review: Institutions should establish an effective process to review and approve any incentive compensation arrangements that may be embedded in service provider contracts to avoid encouraging “imprudent” risk-taking. While OCC Bulletin 2013-29 does not break out incentive compensation as a separate program feature (it is included among factors to be considered in due diligence and selection), it does identify the need for banks to review whether fee structure and incentives would create burdensome upfront fees or result in inappropriate risk-taking by the third party or the bank.
    • Oversight and monitoring of service providers: Institutions should set forth the processes for measuring performance against contractually-required service levels and key the frequency of performance reviews to the risk profile of the service provider. This section of the FRB Guidance, consistent with the “Ongoing Monitoring” section of OCC Bulletin 2013-29, also recommends the creation of escalation protocols for underperforming service providers and monitoring of service provider financial condition and internal controls, which may also trigger escalation if the service provider’s financial viability or adequacy of its control environment are compromised during the course of the relationship.
    • Business continuity and contingency plans: Institutions should develop plans that focus on critical services and consider alternative arrangements in the event of an interruption. The Fed specifically notes that financial institutions should: (i) ensure that a disaster recovery and business continuity plan exists with regard to the contracted services and products; (ii) assess the adequacy and effectiveness of a service provider’s disaster recovery and business continuity plan and its alignment to their own plan; (iii) document the roles and responsibilities for maintaining and testing the service provider’s business continuity and contingency plans; (iv) test the service provider’s business continuity and contingency plans on a periodic basis to ensure adequacy and effectiveness; and (v) maintain an exit strategy, including a pool of comparable service providers. Notably, OCC Bulletin 2013-29 addresses business continuity and contingency plans under third-party risk management, rather than as separate program features.

    Finally, the FRB Guidance notes a number of “additional risk considerations” not singled out by OCC Bulletin 2013-29, which cover: (i) confidentiality of Suspicious Activity Report (SAR) reporting functions; (ii) compliance by foreign-based service providers with U.S. laws, regulations, and regulatory guidance; (iii) prohibitions against outsourcing internal audit functions in violation of Sarbanes-Oxley; and (iv) alignment of outsourced model risk management with existing Fed Guidance on Model Risk Management (SR 11-7).

    Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.

    Federal Reserve OCC Bank Compliance Vendors Bank Supervision

  • CFPB Reports On Impacts Of Regulations For Banks

    Consumer Finance

    On November 22, the CFPB released findings of a study the Bureau conducted on the impact of certain deposit regulations on the day-to-day operations of banking institutions, focusing on compliance costs related to checking accounts, traditional savings accounts, debit cards, and overdraft programs. The study collected information from seven banks about activities related to compliance with regulations implementing the Truth in Savings Act, the Electronic Fund Transfer Act, the financial privacy requirements of the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act (Regulations DD, E, P, and V, respectively), as well as FCRA’s adverse action requirements, which are not implemented by regulation. According to the Bureau, compliance costs were concentrated in the Operations, Information Technology, Human Resources, Compliance, and Retail functions, and banks incurred the most substantial costs complying with rules related to authorization rights, error resolution requirements, disclosure mandates, and advertising standards.

    The report identifies the compliance-related activities that entailed the highest costs across business functions and suggests that “authorization rights” (i.e., opt-ins and opt-outs) and error-resolution requirements are the most costly to administer. The report also discusses the potential for the study—which the Bureau characterizes as representing “some of the most rigorous information currently available” on compliance costs—to advance research on the cost of compliance, influence the ultimate understanding of regulatory impacts on consumers and markets, and inform the CFPB’s ongoing efforts to avoid unnecessary compliance costs. The Bureau states that estimating the operational effects of consumer financial services regulation alone has “limited value to policymaking” and is mainly helpful in determining the impact of a specific regulation on product pricing and availability or market structure and competition. The Bureau concluded that research on the effects of regulations will remain an ongoing priority, but it will nevertheless continue to address problems observed in the marketplace — “mindful that, whatever the costs of regulation, the costs of not regulating adequately can be even larger.”

    The full report, Understanding the Effects of Certain Deposit Regulations on Financial Institutions' Operations: Findings on Relative Costs for Systems, Personnel, and Processes at Seven Institutions, is available here.

    CFPB FCRA Bank Compliance Gramm-Leach-Bliley TISA

  • Deputy AG Outlines Financial Crimes Enforcement Approach, Compliance Expectations

    Financial Crimes

    On November 18, at an American Bar Association/American Bankers Association conference on the Bank Secrecy Act/Anti-Money Laundering (BSA/AML), Deputy Attorney General (Deputy AG) James Cole challenged financial institutions’ compliance efforts and outlined the DOJ’s financial crimes enforcement approach. Noting that compliance within financial institutions is of particular concern to the DOJ, based in part on recent cases of “serious criminal conduct by bank employees,” the nation’s second highest ranking law enforcement official detailed DOJ’s approach to investigating and deciding in what manner to pursue potential violations. The Deputy AG included among his examples of serious misconduct recent BSA/AML, RMBS, mortgage False Claims Act, and LIBOR cases. He explained that the DOJ is particularly concerned about incentives that encourage excessive risk taking, and stated that “too many bank employees and supervisors value coming as close to the line as possible, or even crossing the line, as being ‘competitive’ or ‘aggressive.’”

    Deputy AG Cole stated that the DOJ’s decisions about bringing criminal prosecutions are informed by the Principles of Federal Prosecution of Business Organizations, which include, among other factors: (i) the nature and seriousness of the offense; (ii) the pervasiveness of the wrongdoing within the corporation, including the complicity of corporate management; (iii) the corporation’s history of similar misconduct, including prior criminal, civil, and regulatory actions against it; and (iv) the adequacy of a corporation’s pre-existing compliance program. He added that the DOJ “look[s] hard at the messages that bank management and supervisors are actually giving to employees in the context of their day-to-day work.” Specifically, the DOJ (i) reviews chats, emails, and recorded phone calls; (ii) talks to witnesses to assess management’s compliance message; and (iii) examines the “incentives that banks provide their employees to either cross the line, or to exhibit compliant behavior.”

    The Deputy AG stressed that “[i]f a financial institution wants to encourage compliance – if its values are not skewed towards making money at all costs – then that message must be conveyed to employees in a meaningful and effective way if they’d like [the] Department to view it as credible.” He echoed past calls by federal authorities for institutions to create “cultures of compliance” that include “real, effective, and proactive” compliance programs. Any institution that fails to do so, he cautioned, could be subject to prosecution.

    Anti-Money Laundering Bank Secrecy Act Bank Compliance DOJ Financial Crimes

  • Comptroller Identifies BSA/AML Risks, Calls For Increased Information Sharing

    Consumer Finance

    On November 17, the Comptroller of the Currency, Thomas Curry, delivered remarks at the American Bar Association/American Bankers Association BSA/AML conference in which he identified common BSA/AML compliance risks and failures, and identified steps industry participants and regulators should take to improve compliance. The Comptroller explained that successful BSA/AML compliance is dependent not only on “the strength of the institution’s technology and monitoring processes, and the effectiveness of its risk management,” but also on strong corporate governance processes and management’s willingness to commit adequate resources. Comptroller Curry called on banks to commit sufficient resources and take a “holistic approach” toward BSA/AML compliance, for example, by dispersing accountability throughout the organization instead of concentrating compliance in a single unit. Noting that this is particularly important in the M&A context, the Comptroller stated that it is vital that due diligence go beyond a target’s credit portfolio to include a review of the target’s BSA/AML program. In addition to lack of compliance resources, the Comptroller identified as risk trends: (i) poor management of international activities—foreign correspondent banking, cross-border funds transfers, bulk cash repatriation, and embassy banking; (ii) third-party relationships and payment processors; and (iii) emerging payment technologies, including virtual currencies.

    He stressed the importance of information sharing among institutions and between institutions and their regulators, and called for (i) legislation that would encourage the filing of SARs by strengthening the statutory safe harbor from civil liability for filing financial institutions, (ii) broadening the Patriot Act safe harbor for institutions that share information with each other about potential crimes and suspicious transactions, and (iii) exploring ways government can provide more robust and granular information about money laundering schemes and typologies to institutions in a more timely way.

    OCC Anti-Money Laundering Bank Secrecy Act Bank Compliance

  • OCC Continues OTS Integration, Rescinds OTS Compliance Documents

    Consumer Finance

    On November 20, the OCC announced in Bulletin 2013-34 that as part of its ongoing implementation of the Dodd-Frank Act’s mandate that the OCC integrate Office of Thrift Supervision (OTS) policies with existing OCC policies, the OCC is rescinding the OTS compliance documents listed in an appendix provided with the announcement. A second appendix lists OCC policy guidance that the OCC is applying to federal savings associations in cases where policy guidance did not already exist. The announcement does not cover OTS policies and guidance related to the FCRA, the CRA, UDAP, or mortgage regulations, which the OCC plans to address at a later date.

    OCC Bank Compliance OTS Agency Rule-Making & Guidance

  • Prudential Regulators Release Stress Test Scenarios

    Consumer Finance

    On November 12, the FDIC released the economic scenarios that will be used by certain financial institutions with total consolidated assets of more than $10 billion for stress tests required under the Dodd-Frank Act. Each scenario includes key variables that reflect economic activity, including unemployment, exchange rates, prices, income, interest rates, and other salient aspects of the economy and financial markets. The baseline scenario represents expectations of private sector economic forecasters; the adverse and severely adverse are hypothetical scenarios designed to assess the strength and resilience of financial institutions and their ability to continue to meet the credit needs of households and businesses under stressed economic conditions. The FDIC release follows the recent release of stress test scenarios by the Federal Reserve Board and the OCC. The Federal Reserve Board also recently issued a final policy statement that describes the process by which it will develop future stress test scenarios.

    FDIC Federal Reserve OCC Bank Compliance Capital Requirements

  • Federal Reserve Board Announces Annual Indexing Of Reserve Requirement Exemptions

    Consumer Finance

    On November 5, the Federal Reserve Board announced the annual indexing of the amounts used in determining reserve requirements of depository institutions and deposit reporting panels effective in 2014. The Board amended Regulation D to (i) set the amount of total reservable liabilities of each depository institution that is subject to a zero percent reserve requirement in 2014 at $13.3 million (from $12.4 million in 2013) and (ii) set the amount of net transaction accounts at each depository institution (over the reserve requirement exemption amount) that is subject to a three percent reserve requirement in 2014 at $89.0 million (from $79.5 million in 2013). These are known as the reserve requirement exemption amount and the low reserve tranche, respectively. The new exemption amount and low reserve tranche will apply to the 14-day reserve maintenance period that begins January 23, 2014. For depository institutions that report deposit data weekly, this maintenance period corresponds to the 14-day computation period that begins Tuesday, December 24, 2013. For depository institutions that report deposit data quarterly, this maintenance period corresponds to the seven-day computation period that begins Tuesday, December 17, 2013. The Board also announced changes in the nonexempt deposit cutoff level and the reduced reporting limit, which are used to determine the frequency with which depository institutions must submit deposit reports.

    Federal Reserve Bank Compliance

  • OCC Releases Comptroller Handbook Addition And Revisions

    Consumer Finance

    On November 6, the OCC issued two bulletins to announce an addition and revisions to the Comptroller’s Handbook. The OCC also rescinded certain Handbook provisions. Bulletin OCC 2013-30 adds to the Handbook the “Qualified Thrift Lender” (QTL) booklet, which includes the “Qualified Thrift Lending Test,” issued June 2002 as part of the Office of Thrift Supervision’s Examination Handbook. The revisions are statutory in nature and include, among other things, new language pursuant to the Dodd–Frank Act regarding QTL failure and the violation of HOLA section 5 and additional limitations in the payment of dividends. Bulletin OCC 2013-31 updates the “Insider Activities” booklet and provides guidance for examiners and bankers on how national banks and federal savings associations may legally and prudently engage in transactions with insiders. The booklet explains how to implement risk management processes that provide for the appropriate control and monitoring of insider activities and how examiners review and assess insider activities during the supervisory process.

    OCC Bank Compliance Bank Supervision
