InfoBytes Blog

Financial Services Law Insights and Observations

  • CFPB Releases Updated Supervision and Examination Materials

    Consumer Finance

    On March 31, the CFPB released updates to sections of its Supervision and Examination Manual as required by the updated Federal Financial Institutions Examination Council’s Uniform Interagency Consumer Compliance Rating System. The revised CFPB Supervision Examination Cycle Overview highlights the continuous exam cycle from pre-examination/scoping procedures to the monitoring and corrective actions stage, and provides additional details on its “prioritization” approach to examining, which considers the “large number, size, and complexity of entities falling under its supervisory authority.” Updates were also made to the Examination Process which offers further details on the exam cycle. The updated Scope Summary template provides examination background information on the entity as well as details regarding prudential and state regulators, communication plans, institution product lines to be reviewed, complaints, outstanding enforcement actions or other open matters, and risk summaries. Lastly, updates have also been made to the Examination Report Template—which provides the scope of review and consumer compliance rating based on the findings of the exam—and the Supervisory Letter Template—which references matters requiring attention or that need to be corrected based on the Bureau’s review.

    Consumer Finance CFPB FFIEC

  • FFIEC Releases Joint Report to Congress on Reducing Regulatory Burdens

    Agency Rule-Making & Guidance

    On March 21, member agencies of the Federal Financial Institutions Examination Council (FFIEC) announced the release of their Joint Report to Congress: Economic Growth and Regulatory Paperwork Reduction Act (the Report), which details their review of rules affecting financial institutions and the effect of regulations on smaller institutions. The review—required by the Economic Growth and Regulatory Paperwork Reduction Act to be conducted at least once every ten years—included the participation of the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the National Credit Union Administration, and included the consideration of more than 230 written and 130 oral comments from financial institutions, trade associations, and consumer and community groups, as well as numerous comments obtained at outreach meetings.

    The members of the FFIEC described several joint initiatives, including actions taken to:

    • Simplify regulatory capital rules for community banks and savings associations;
    • Streamline reports of condition and income (Call Reports);
    • Increase the appraisal threshold for commercial real estate loans; and
    • Expand the number of institutions eligible for less frequent examination cycles.

    In addition, the Report also described actions taken by each agency to “update rules, eliminate unnecessary requirements, and streamline supervisory procedures.”

    Agency Rule-Making & Guidance Federal Issues FFIEC Congress Prudential Regulators

  • FDIC Releases Presentation Materials Explaining New Streamlined “FFIEC 051 Call Report” for Eligible Small Institutions

    Agency Rule-Making & Guidance

    Earlier this month, the FDIC released presentation materials used during a recent webinar hosted by the Federal Financial Institutions Examination Council (FFIEC) for the purpose of explaining the new streamlined “FFIEC 051 Call Report” for eligible small institutions. As previously covered by InfoBytes, the Federal banking agencies – including the FDIC, the Fed, and the OCC – are implementing a new Call Report for financial institutions with only domestic offices and less than $1 billion in total assets (see FIL-82-2016). The proposed changes – which go into effect on March 31 – modify the existing “FFIEC 041” and “FFIEC 031” versions of the Call Report as part of an ongoing initiative to reduce the burden associated with Call Report requirements for community banks. Among other things, the streamlined Call Report reduces the existing Call Report from 85 to 61 pages, resulting from the removal of approximately 950 (or about 40 percent) of the nearly 2,400 data items in the Call Report.

    Agency Rule-Making & Guidance FDIC FFIEC Call Report

  • OCC to Host Credit Risk and Operational Workshops for Directors of National Community Banks and Federal Savings Associations; Banking Agencies to Conduct Webinar to Introduce New FFIEC Call Report

    Agency Rule-Making & Guidance

    On March 2, the Office of the Comptroller of the Currency (OCC) announced that it will host two workshops in Phoenix on April 11-12 for directors of OCC supervised national community banks and federal associations. The Credit Risk workshop (April 11) will cover strategies to recognize trends and problems in credit risk within the loan portfolio, and the Operational Risk workshop (April 12) will discuss key components of operational risk, governance, third-party risk, vendor management, and cybersecurity.

    Also on March 2, four members of the Federal Financial Institutions Examination Council (FFIEC) (Federal Reserve Board, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and the Conference of State Bank Supervisors) announced the implementation of the new streamlined FFIEC 051 Call Report, effective March 31, 2017, that will introduce burden-reducing changes to the existing versions of the Call Report and will be available to eligible small institutions. “‘Eligible small institutions’ are [defined as] institutions with domestic offices only and total assets of less than $1 billion, excluding those that are advanced approaches institutions for regulatory capital purposes.” The revisions to the requirements are subject to approval by the OMB. On March 8, the FFIEC will conduct a webinar from 2:00 p.m. to 3:30 p.m. ET to introduce the new Call Report and explain the revisions.

    Agency Rule-Making & Guidance OCC FFIEC Community Banks Federal Reserve FDIC Call Report Vendor Management

  • FDIC Releases 2016 Annual Report; Separately, FDIC’s OIG Issues Report Critical of Bank Service Provider Contracts

    Privacy, Cyber Risk & Data Security

    On February 15, the FDIC released its 2016 Annual Report, which includes, among other things, the audited financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund. The report also provides an overview of key FDIC initiatives, performance results and other aspects of FDIC operations.

    Separately, on the same day, the FDIC’s Office of Inspector General (OIG) released an Audit Report (EVAL-17-004) on the adequacy of a small but random sample of contracts between FDIC-supervised institutions and their technology service providers (TSPs), in light of federal law and banking agency guidance on customer privacy-protection and how to properly manage third-party relationships. All sampled contracts had been designated as “critical” or “high” risk to the supervised institutions’ operations. The OIG specifically evaluated, and generally found insufficient, the clarity of contract provisions on TSP obligations regarding: (i) business continuity planning; and (ii) responding to and reporting on cybersecurity incidents. Despite the insufficiencies noted, the OIG acknowledged that because many contracts were negotiated before some of the relevant guidance was issued, “more time is needed to allow FDIC and FFIEC efforts to have a demonstrable” impact on contractual language.

    As a result of these findings, the OIG recommended—and FDIC management agreed—that the agency, after allowing appropriate time for current guidance to be implemented, conduct a “full horizontal review to assess” any continued presence of the contractual insufficiencies noted in the report. The FDIC will “prepare” that horizontal review in 2018.

    Privacy/Cyber Risk & Data Security FDIC FFIEC OIG Vendor Management

  • Banking Agencies Approve Streamlined Call Report

    Federal Issues

    The Fed, FDIC, and OCC, as members of the FFIEC, recently announced the implementation of a streamlined Call Report Form (FFIEC 051) for eligible small institutions—financial institutions with only domestic offices and less than $1 billion in total assets—which is proposed to take effect March 31, 2017. The FFIEC’s action is the result of an ongoing initiative to reduce the burden associated with Call Report requirements for community banks. Among other things, the streamlined Call Report reduces the existing Call Report from 85 to 61 pages, resulting from the removal of approximately 950 (or about 40 percent) of the nearly 2,400 data items in the Call Report. Because the OMB must approve the revisions before they can be implemented, the above-referenced banking agencies have also issued a joint notice reflecting that they have submitted the information collection to OMB for review.

    Federal Issues FDIC Banking Federal Reserve OCC FFIEC

  • FFIEC Updates CRA Data Entry Software and HMDA Data Filing Method

    Federal Issues

    On December 19, the Federal Financial Institutions Examination Council (FFIEC) posted the 2017 version of its Community Reinvestment Act (CRA) Data Entry Software. This software—which is intended to help automate the filing of CRA data—is year-specific, i.e., 2016 reporting requires the 2016 version, not the 2017 version. In November, the FFIEC clarified that it was discontinuing its HMDA Data Entry Software and instead requiring that filers submit HMDA data collected in 2017 using a web interface called the “HMDA Platform.”

    Federal Issues Mortgages CRA FFIEC HMDA

  • FFIEC Finalizes Updated Uniform Interagency Consumer Compliance Rating System

    Federal Issues

    On November 7, the Federal Financial Institutions Examination Council (FFIEC) announced the issuance of an updated Uniform Interagency Consumer Compliance Rating System, more commonly known as the “CC Rating System.” In final guidance the FFIEC explains that the new rating system has been re-designed “to better reflect current consumer compliance supervisory approaches and to more fully align the CC Rating System with the Agencies’ current risk-based, tailored examination processes.” The agency also notes that the revisions “were not developed to set new or higher supervisory expectations for financial institutions and their adoption will represent no additional regulatory burden” (emphasis added).

    Under the new CC Rating System, institutions will be assessed on a 1-to-5 rating scale in three distinct categories: (i) board and management oversight; (ii) compliance program and violations of law; and (iii) consumer harm. The new rating system will be used by all FFIEC member agencies – including CFPB in its evaluation of non-depository institutions. FFIEC member agencies plan to implement the updated rating system on consumer compliance examinations that begin on or after March 31, 2017.

    Federal Issues Consumer Finance CFPB FFIEC

  • FFIEC Releases FAQs on Cybersecurity Assessment Tool

    Federal Issues

    On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in Summer 2015. Use of the Assessment, which was developed to help financial institutions identify risks and assess cybersecurity preparedness, is voluntary. The FAQs guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQs guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectations for Inherent Risk Profile levels to align with an institution’s Cybersecurity Maturity.

    Federal Issues FFIEC Bank Supervision NIST Risk Management Privacy/Cyber Risk & Data Security

  • FFIEC Revises Information Security Booklet

    Privacy, Cyber Risk & Data Security

    On September 9, the FFIEC updated its Information Security booklet, a key element of its Information Technology Examination Handbook. The booklet is intended to provide examiners with guidance on assessing a financial institution’s information security operations, and is divided into the following four main sections: (i) Governance of the Information Security Program; (ii) Information Security Program Management; (iii) Security Operations; and (iv) Information Security Program Effectiveness. In addition to offering technology-centric recommendations such as encryption, the booklet advises firms to create security processes and risk assessment “commensurate with their operational complexities.” It also advises financial institutions to “have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” As expected, the booklet highlights the importance of implementing effective oversight of third-party service providers. Pursuant to sub-section II.C.20, in order to ensure effective oversight of third-party service providers, management should, among other things, determine when third parties identify, measure, mitigate, monitor, and report cyber risks so as to “facilitate a comprehensive understanding of the institution’s exposure to third-party cyber threats.”

    Examination FFIEC Vendor Management Privacy/Cyber Risk & Data Security
