
InfoBytes Blog

Financial Services Law Insights and Observations


  • Special Alert: OCC Updates Third-Party Risk Management Guidance

    Consumer Finance

    On October 30, the OCC issued Bulletin 2013-29 to update guidance relating to third-party risk management. The Bulletin, which rescinds OCC Bulletin 2001-47 and OCC Advisory Letter 2000-9, requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, including joint ventures, affiliates or subsidiaries, and payment processors. It is substantially more prescriptive than CFPB Bulletin 2012-3, and incorporates third-party relationship management principles underlying recent OCC enforcement actions.

    The Bulletin warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” It outlines a “life cycle” approach and provides detailed descriptions of steps that a bank should consider taking at five important stages:

    Planning: A third-party relationship should begin with an internal assessment of risks relating to third parties in general, and to the intended third party in particular. Such planning should focus on the potential impact to the bank and the bank’s customers, as well as potential security, regulatory, and legal ramifications.

    Due Diligence and Third Party Selection: The Bulletin requires that the bank conduct an adequate due diligence review of the third party prior to entering a contract. Proper due diligence includes a thorough evaluation of all potential third parties, and the degree of diligence should be commensurate with the level of risk and complexity. In particular, banks should look to external organizations such as trade associations, the Better Business Bureau, the FTC, and state regulators when performing diligence on consumer-facing third parties. While prior Bulletin 2001-47 contained a list of potential items for due diligence review, Bulletin 2013-29 describes them in more detail and adds to the specific areas that due diligence should focus on, including:

    • Legal and regulatory compliance: The bank should “evaluate the third party’s legal and regulatory compliance program to determine whether the third party has the necessary licenses to operate and the expertise, processes and controls to enable the bank to remain compliant with domestic and international laws and regulations;”
    • Fee structure and incentives: The bank should determine if the fee structure and incentives would create burdensome upfront fees or result in inappropriate risk taking by the third party or the bank;
    • Risk management systems: The bank should have adequate policies, procedures, and internal controls, as well as processes to escalate, remediate, and hold management accountable for audit and independent testing reviews;
    • Human resource management: The bank should review the third party’s training program and processes to hold employees accountable for compliance with policies and procedures; and
    • Conflicting contractual arrangements: The bank should check a third-party vendor’s contractual arrangements with other third parties, which may indemnify the vendor and may therefore expose the bank to additional risk.

    Contract Negotiation: All relationships should be documented by a written contract that clearly defines the responsibilities of both the bank and the third party. Among other things, the contract should provide for performance benchmarks, information retention, the right to perform an audit, and OCC supervision. Bulletin 2013-29 expands upon Bulletin 2001-47 with respect to the following areas:

    • Legal and regulatory compliance: Contracts should require compliance with applicable laws and regulations, including GLBA, BSA/AML, OFAC, and fair lending, as well as other consumer protection laws and regulations;
    • Audits and remediation: Contracts should provide for the bank’s right to conduct audits and periodic regulatory compliance reviews, and to require remediation of issues identified;
    • Indemnification: Contracts should include indemnification as appropriate for noncompliance with applicable law, and for failure to obtain any necessary intellectual property licenses;
    • Consumer complaints: The bank should specifically require the third party to submit “sufficient, timely, and usable information on consumer complaints to enable the bank to analyze customer complaint activity and trends for risk management purposes;” and
    • Subcontractor management: The bank should incorporate provisions specific to the third party’s own use of subcontractors, including obligations to report on conformance with performance measures and compliance with laws and regulations, and should reserve the right to terminate the contract if the subcontractors do not meet the third party’s obligations to the bank.

    Ongoing Monitoring: The bank should dedicate sufficient staff to monitor the third party’s activities throughout the relationship as it may change over time. Bulletin 2013-29 expands upon Bulletin 2001-47 in the following notable ways:

    • Legal and regulatory compliance: The bank should monitor third-party vendors for compliance with all applicable laws and regulations;
    • Early identification of issues: The bank should consider whether the third party has the ability to effectively manage risk by self-identifying and addressing issues;
    • Subcontractor management: The bank should continuously monitor a third-party vendor’s reliance on or exposure to subcontractors and perform ongoing monitoring and testing of subcontractors; and
    • Consumer complaints: The bank should monitor the “volume, nature, and trends” of consumer complaints relating to the actions of third-party vendors, particularly those that may indicate compliance or risk management deficiencies.

    Termination: The Bulletin specifies for the first time a termination “stage” in the third-party relationship management life cycle. Banks should develop a contingency plan for the end of the relationship, either through the normal course or in response to default. The contingency plan may transfer functions to a different third party or in-house.

    The Bulletin defines as “critical” any activities involving significant bank functions (payments, clearing, settlements, and contingency planning); significant shared services (information technology); or other activities that (i) could cause a bank to face significant risk as a result of third-party failures, (ii) could have significant customer impacts, (iii) involve relationships that require significant investments in resources to implement and manage, and (iv) could have a major impact on bank operations if an alternate third party is required or if the outsourced activity must be brought in-house.

    These “critical” activities should be the focus of special, enhanced risk management processes. Specifically, the bank should conduct more extensive due diligence on the front end, provide summaries of due diligence to the board of directors, ensure that the board of directors reviews and approves third-party contracts, engage in more comprehensive ongoing monitoring of the third party’s performance and financial condition (including, potentially, a look comparable to the analysis the bank would perform when extending credit), ensure that the board of directors reviews the results of ongoing monitoring, and periodically arrange for independent testing of the bank’s risk controls.

    Finally, the Bulletin sets forth obligations and responsibilities relating to third-party relationships from the bank employees who manage them to the board of directors, including retention of due diligence results, findings, and recommendations, as well as regular reports to the board and senior management relating to the bank’s overall risk management process.

    Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.


    OCC Bank Compliance Vendors Agency Rule-Making & Guidance

  • Prudential Regulators Issue Joint Agreement On Classification And Appraisal Of Securities Held By Financial Institutions

    Consumer Finance

    On October 29, the FDIC, the Federal Reserve Board, and the OCC issued a joint agreement to update and revise the 2004 Uniform Agreement on the Classification of Assets and Appraisal of Securities Held by Banks and Thrifts. The updated agreement reiterates the importance of a robust investment analysis process and the agencies' longstanding asset classification definitions. It also replaces references to credit ratings with alternative standards of creditworthiness consistent with sections 939 and 939A of the Dodd-Frank Act, which directed the agencies to remove any reference to or requirement of reliance on credit ratings in the regulations and replace them with appropriate standards of creditworthiness. The agencies adopted those new standards in 2012 (see, e.g., the OCC’s final rule). The joint agreement provides examples to demonstrate the appropriate application of the new standards to the classification of securities.

    FDIC Federal Reserve OCC Bank Compliance Agency Rule-Making & Guidance

  • Prudential Regulators Propose Large Institution Liquidity Rule

    Consumer Finance

    On October 24, the Federal Reserve Board issued a proposed rule it developed with the OCC and the FDIC to establish a minimum liquidity coverage ratio (LCR) consistent with the Basel III LCR, with some modifications to reflect characteristics and risks of specific aspects of the U.S. market and U.S. regulatory framework. The proposal would create for the first time a minimum liquidity requirement for certain large or systemically important financial institutions. The covered institutions would be required to hold (i) minimum amounts of high-quality, liquid assets such as central bank reserves and government and corporate debt that can be converted easily and quickly into cash, and (ii) liquidity in an amount equal to or greater than its projected cash outflows minus its projected cash inflows during a short-term stress period. The requirements would apply to all internationally active banking organizations—i.e., those with $250 billion or more in total consolidated assets or $10 billion or more in on-balance sheet foreign exposure—and to systemically important, non-bank financial institutions designated by the FSOC. The proposal also would apply a less stringent, modified LCR to bank holding companies and savings and loan holding companies that are not internationally active, but have more than $50 billion in total assets. The regulators propose various categories of high quality, liquid assets and also specify how a firm's projected net cash outflows over the stress period would be calculated using common, standardized assumptions about the outflows and inflows associated with specific liabilities, assets, and off-balance-sheet obligations. Comments on the proposed rule must be submitted by January 31, 2013.

    FDIC Federal Reserve OCC Bank Compliance Basel

  • CFPB Updates Remittance Rule Resources

    Fintech

    On August 8, the CFPB released an updated small business guide for the remittance transfer rule it finalized last year and revised in May 2013. The updated guide summarizes the remittance rule and discusses the new requirements, which take effect on October 28, 2013. The CFPB also issued technical corrections to the May 2013 amendments, and released a video that provides an overview of the rule and the recent changes, as well as implementation guidance.

    CFPB Bank Compliance EFTA Remittance

  • California Supreme Court Holds Borrowers Can Bring State Law Claims Based on TISA Violations

    Consumer Finance

    On August 1, the California Supreme Court held that the federal Truth in Savings Act (TISA), which does not provide a private right of action, does not similarly bar state law claims derived from alleged TISA violations. Rose v. Bank of Am., N.A., No. S199074, 2013 WL 3942612 (Cal. Aug. 1, 2013). In this case, a putative class filed suit claiming a bank violated the state’s Unfair Competition Law (UCL) when it failed to provide certain disclosures required by TISA. The trial and appellate courts held that because Congress amended TISA in 2001 to remove its private right of action, before the borrowers filed their TISA-based class claims, those claims were barred. The appellate court explained that Congress’s repeal of the private right of action reflected its intent to bar any private action to enforce TISA. The Supreme Court disagreed and held that Congress’s decision to leave TISA’s savings clause in place explicitly allowed for the enforcement of state laws relating to the disclosures at issue here, except to the extent that those laws are inconsistent with the relevant TISA provision. The court rejected the bank’s argument that the UCL may not be employed to borrow directly from a federal statute where Congress has not provided a private right of action, holding instead that “when Congress permits state law to borrow the requirements of a federal statute, it matters not whether the borrowing is accomplished by specific legislative enactment or by a more general operation of law.” The court reversed the appeals court’s judgment.

    Bank Compliance TISA

  • Prudential Regulators Propose Stress Test Guidance for Mid-Size Institutions

    Consumer Finance

    On July 30, the OCC, the FDIC, and the Federal Reserve Board proposed guidance for stress tests conducted by institutions with more than $10 billion but less than $50 billion in total consolidated assets. Under Dodd-Frank Act mandated regulations adopted by the regulators last October, such firms are required to conduct annual company-run stress tests starting in October 2013. The guidance discusses supervisory expectations for stress test practices, provides examples of practices that would be consistent with those expectations, and offers additional details about stress test methodologies. It also underscores the importance of stress testing as an ongoing risk management practice that supports a company’s forward-looking assessment of its risks and better equips the company to address a range of macroeconomic and financial outcomes. Comments on the proposed guidance are due by September 25, 2013.

    FDIC Dodd-Frank Federal Reserve OCC Bank Compliance Capital Requirements

  • FinCEN Creates CTR Exemption for Armored Car Transactions

    Consumer Finance

    On July 12, FinCEN issued a ruling to exempt financial institutions from collecting data about certain armored car transactions required for Currency Transaction Reports (CTR). Under a 2009 ruling, FinCEN clarified that when a financial institution customer hires an armored car service (ACS) to conduct business on its behalf, the customer’s financial institution is subject to the same CTR requirements as it would be with any other third-party facilitating a transaction for a customer. FinCEN now recognizes that the 2009 ruling created practical issues in application – financial institutions have had difficulty differentiating transactions conducted by a given ACS on behalf of the institution from those the ACS conducted on behalf of a customer, and have had trouble obtaining drivers’ personal information required for the CTR. With its current ruling, FinCEN authorized an exception to the CTR data collection and aggregation requirements that applies only to deposits or withdrawals conducted by an ACS employee pursuant to instructions from the financial institution’s customer or from a third party.

    FinCEN Bank Compliance

  • NACHA Bulletin Addresses Reinitiation of Returned Debits

    Fintech

    On July 15, the Electronic Payments Association (NACHA), the organization that manages the ACH Network, issued a bulletin that describes the provisions of NACHA’s operating rules regarding the “reinitiation” of returned ACH debit entries and the collection of return fees. With respect to the “reinitiation” of returned ACH debit entries, the bulletin outlines the limited circumstances under which the rules permit originators and originating depository financial institutions (ODFIs) to reinitiate returned entries. First, an originator or an ODFI may reinitiate a returned entry up to two times if the entry was returned for reasons of insufficient or uncollected funds. Second, an originator or an ODFI may reinitiate a returned entry for reason of stop payment, but only if the receiver of the entry reauthorized the reinitiation after the return of the original entry. Finally, unless authorization has been revoked, an originator or an ODFI may reinitiate an entry returned for any other reason, as long as the originator or ODFI has corrected or remedied the reason for the return. In instances where authorization has been revoked, an originator or ODFI may not reinitiate the entry. Additionally, in order for a reinitiation of a returned entry to take place within the ACH Network, it must take place within 180 days of the settlement date of the original entry. With respect to the collection of return fees, the bulletin explains that (i) a return fee entry may be initiated only to the extent permitted by applicable law, and only for an entry that was returned for reasons of insufficient or uncollected funds; (ii) originators and ODFIs must provide specific notice prior to charging return fees; (iii) return fees must be specifically labeled as return fees in any entry description; (iv) only one return fee may be assessed with respect to any returned entry; and (v) a return fee may not be assessed with respect to the return of a return fee entry (i.e., no “fees on fees”).

    Payment Systems Bank Compliance NACHA

  • FDIC Releases Technical Assistance Videos For Bank Officers and Directors

    Consumer Finance

    On April 3, the FDIC released the first in a series of videos to provide technical assistance to bank directors, officers, and employees on areas of supervisory focus and proposed regulatory changes. The initial set of videos covers (i) director responsibilities, (ii) fiduciary duties, (iii) acting in the best interest of the bank, (iv) the FDIC examination process, (v) risk management examinations, and (vi) compliance and Community Reinvestment Act examinations. The FDIC plans to release by June 30, 2013 a second set of videos that will consist of six modules covering (i) interest rate risk, (ii) third-party relationships, (iii) corporate governance, (iv) the Community Reinvestment Act, (v) information technology, and (vi) the Bank Secrecy Act. A third installment will follow later in the year and will provide technical assistance regarding (i) fair lending, (ii) appraisals and evaluations, (iii) interest rate risk, (iv) troubled debt restructurings, (v) the allowance for loan and lease losses, (vi) evaluation of municipal securities, and (vii) flood insurance. The FDIC also plans to continue the model introduced as part of prior rulemaking processes and provide overviews and instructions on more complex rulemakings.

    FDIC Bank Compliance Directors & Officers Community Banks

  • Banking Agencies Update Leveraged Lending Guidance

    Consumer Finance

    On March 21, the Federal Reserve Board, the OCC, and the FDIC issued final interagency guidance to ensure institutions provide leveraged lending in a safe and sound manner by: (i) identifying the institution's risk appetite for leveraged finance, establishing appropriate credit limits, and ensuring prudent oversight and approval processes; (ii) establishing underwriting standards that clearly define expectations for cash flow capacity, amortization, covenant protection, collateral controls, and the underlying business premise for each transaction, and considering whether the borrower’s capital structure is sustainable; (iii) concentrating valuation standards on the importance of sound methods in the determination and periodic revalidation of enterprise value; (iv) accurately measuring exposure on a timely basis, establishing policies and procedures that address failed transactions and general market disruptions, and ensuring periodic stress tests of exposures to loans not yet distributed to buyers; (v) developing information systems that accurately capture key obligor characteristics and aggregate them across business lines and legal entities on a timely basis, with periodic reporting to the institution’s board of directors; (vi) considering in risk rating standards the use of realistic repayment assumptions to determine a borrower’s ability to de-lever to a sustainable level within a reasonable period of time; (vii) establishing underwriting and monitoring standards similar to those for loans underwritten internally; and (viii) performing stress testing on leveraged loans held in portfolio as well as those planned for distribution. The new guidance took effect on March 22, 2013, and institutions have until May 21, 2013 to comply.

    FDIC Federal Reserve OCC Bank Compliance
