InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC issues 2022 Supervisory Insights
On August 3, the FDIC released its summer 2022 issue of Supervisory Insights, which contains an article discussing financial performance and examination observations about commercial real estate (CRE) lending risk management practices and an article describing the application of capital, investment, and financial reporting requirements for the issuance of and investment in subordinated debt. The article, Commercial Real Estate: An Update on Bank Lending Amid the Evolving Pandemic Backdrop, discusses the financial performance of banks concentrated in CRE lending as well as examination observations about CRE lending risk management practices. The article also describes the FDIC’s forward-looking supervisory focus for banks with significant exposure in this sector. The FDIC noted that inflation, rising interest rates, and supply chain challenges are possible determinants of increased risk. The article, Subordinated Debt: Issuance and Investment Considerations, “is intended to help financial institutions better understand the applicable capital, investment, and financial reporting requirements for the issuance of and investment in subordinated debt.” According to the FDIC, a key takeaway of Subordinated Debt Investments is that “[i]nstitutions may generally only purchase investment grade subordinated debt securities that are permissible investments for national banks.”
FDIC, OCC announce disaster relief
On August 3, the FDIC issued FIL-38-2022 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Kentucky affected by severe storms, flooding, landslides and mudslides that began July 26 and is ongoing. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things: (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” The FDIC noted that institutions may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery. The agency will also consider relief from certain reporting and publishing requirements.
The same week the OCC issued a proclamation permitting OCC-regulated institutions, at their discretion, to close offices affected by flooding in Kentucky “for as long as deemed necessary for bank operation or public safety.” The proclamation directed institutions to OCC Bulletin 2012-28 for further guidance on actions they should take in response to natural disasters and other emergency conditions. According to the 2012 Bulletin, only bank offices directly affected by potentially unsafe conditions should close, and institutions should make every effort to reopen as quickly as possible to address customers’ banking needs.
Hsu discusses cybersecurity risks to financial sector
On August 2, acting Comptroller of the Currency Michael J. Hsu delivered remarks before the Joint Meeting of the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council focusing on cybersecurity risks to the financial services sector. Hsu called for collaboration among public and private sector stakeholders to safeguard the financial services sector. Hsu noted that the financial services sector has done “a good job of building cyber defenses and working with law enforcement and the regulatory community to guard against attacks,” but warned that “we cannot be complacent.” He noted that the OCC has recently observed increases in cyberattack frequency and severity against financial institutions and service providers, and that cyberattacks, such as ransomware, have risks beyond financial loss. Hsu added that “disruption to financial services can significantly impact banks’ abilities to deliver critical services to their customers and has the potential to affect the broader economy.” He also stressed that banks “need to assess both the potential impact cyber incidents may have on their own institution and the impact a cyber disruption may have on the broader financial system.” He also stated that cybersecurity breaches have been caused or intensified by the failure to have effective controls in three areas: (i) authentication; (ii) systems configuration and patch management; and (iii) cyber response and resilience capabilities. Hsu concluded by emphasizing the OCC’s commitment “to working with CISA, our financial sector counterparts, and other sectors to ensure that we have strong partnerships across the government.”
Agencies seek comment on CRE loan statement
On August 2, the FDIC, OCC, and NCUA (collectively, “the agencies”) issued a notice in the Federal Register soliciting public comment on an updated policy statement regarding accommodations and workouts for commercial real estate (CRE) loans whose borrowers are experiencing financial difficulty. In 2009, the Policy Statement on Prudent Commercial Real Estate Loan Workouts was issued by the FFIEC, which the agencies view “as being useful for both agency staff and financial institutions in understanding risk management and accounting practices for [] CRE loan workouts.” Among other things, the statement would include (i) a new section on short-term loan accommodations; (ii) information about changes in accounting principles since 2009; and (iii) revisions and additions to examples of CRE loan workouts. The new updated statement would also “address relevant accounting changes on estimating loan losses and provide updated examples of how to classify and account for loans modified or affected by loan accommodations or loan workout activity.” Specifically, the agencies seek input on how the document reflects sound practices in CRE loan accommodation and what additional information can be included to optimize the guidance of managing CRE loan portfolios.
FDIC, Fed issue CDO against crypto brokerage firm
On July 28, the FDIC and the Federal Reserve Board issued a joint letter demanding that a crypto brokerage firm cease and desist from making false and misleading statements regarding the company’s FDIC deposit insurance status and take immediate corrective action to address these false statements. The agencies claimed that the firm made false and misleading representations online, including on its website, stating or suggesting that: (i) it is FDIC–insured; (ii) customers who invested with the firm’s cryptocurrency platform would receive FDIC insurance coverage for all funds provided to, and held by, the firm; and (iii) the FDIC would insure customers against the failure of the firm. The FDIC noted that the false and misleading statements Violate the FDIC Act. The FDIC demanded that the firm take corrective actions by removing the misrepresentations or false statements and provide written confirmation to the FDIC and Board of Governors that it has fully complied with the removal request within two days.
FDIC issues advisory on crypto companies’ deposit insurance claims
On July 29, the FDIC announced an advisory addressing certain misrepresentations about FDIC deposit insurance made by some crypto companies. The advisory, among other things, reminded insured banks that they must be aware of how FDIC insurance operates as well as the need to assess, manage, and control risks arising from third-party relationships, including those with crypto companies. The advisory noted that recently “some crypto companies have suspended withdrawals or halted operations," and that in certain cases, "these companies have represented to their customers that their products are eligible for FDIC deposit insurance coverage, which may lead customers to believe, mistakenly, that their money or investments are safe.” In dealing with crypto companies, the agency cautioned that “FDIC-insured banks should confirm and monitor that these companies do not misrepresent the availability of deposit insurance.” The FDIC also issued a Fact Sheet reminding the public that the FDIC only insures deposits held in insured banks and savings associations and only in the event of an insured bank’s failure. The FDIC does not insure assets issued by non-bank entities, such as crypto companies.
FDIC releases June enforcement actions
On July 29, the FDIC released a list of administrative enforcement actions taken against banks and individuals in June. During the month, the FDIC made public twelve orders consisting of “three consent orders, one order to pay civil money penalty, four orders of prohibition, one section 19 order, one order terminating consent order, two orders of termination of insurance, one Notice of Intention to Prohibit from Further Participation, Notice of Assessment of Civil Money Penalties, Findings of Fact and Conclusions of Law, Order to Pay, Notice of Hearing, and Prayer for Relief.” The FDIC imposed a civil money penalty against a Missouri-based bank for alleged violations of the Flood Disaster Protection Act. Among other things, the FDIC claimed that the bank “made, increased, extended or renewed a loan secured by a building or mobile home located or to be located in a special flood hazard area without providing timely notice to the borrower and/or the servicer as to whether flood insurance was available for the collateral.” The bank must pay a $7,000 civil money penalty.
The actions also include a consent order with a Georgia-based bank, which alleged that the bank violated “law or regulation related to weaknesses in the Bank’s compliance with the Bank Secrecy Act.” According to the consent order, the bank must, among other things: (i) “enhance its oversight of the Bank’s BSA/AML Compliance Program and assume full responsibility for the approval of sound BSA/AML policies, procedures, and processes”; (ii) “revise, adopt, and implement a written BSA/AML Compliance Program, including policies and procedures”; and (iii) “review and revise as appropriate its written policies, procedures, and processes for assessing the money laundering, terrorist financing, and other illicit financial activities risk profile of the Bank.”
OCC updates statement on MDIs
On July 27, the OCC announced the revision of its 2013 policy statement for minority depository institutions (MDI) to update and streamline descriptions of its policies, procedures, and programs. According to the announcement, the OCC observed an increase in interest from banks and other stakeholders in working with MDIs and the MDI designation process after Project REACh was formed in 2020, and after the Emergency Capital Investment Program was established by Congress for Covid-19 relief. These events prompted the OCC to review its 2013 policy statement on MDIs, and the revised policy statement is a result of that review. The OCC also released a Fact Sheet regarding the agency’s support for MDIs.
U.S.-UK financial regulators discuss bilateral issues
On July 26, the U.S. Treasury Department issued a joint statement covering the recently held sixth meeting of the U.S.-UK Financial Regulatory Working Group. Participants included officials and senior staff from both countries’ treasury departments, as well as regulatory agencies including the Federal Reserve Board, CFTC, FDIC, OCC, SEC, the Bank of England, and the UK’s Financial Conduct Authority. The Working Group discussed, among other things, (i) market developments since the Russian invasion of Ukraine; (ii) continuing international and bilateral cooperation; (iii) the international financial sector priorities at the G7, the G20, the Financial Stability Board (FSB), and the International Organisation of Securities Commissions (IOSCO); (iv) the risks associated with the Non-Bank Financial Intermediation (NBFI) sector and interconnectedness with other financial and non-financial actors; and (v) “the mutual desire to promote multilateral cooperation around risk management in global derivatives and banking markets.” The Working Group participants will continue to engage bilaterally on these issues and others ahead of the next meeting, planned for later this year.
OCC reports on cybersecurity and financial system resilience
Recently, the OCC released its annual report on cybersecurity and financial system resilience, which describes its cybersecurity policies and procedures, including those adopted in accordance with the Federal Information Security Modernization Act. According to the report, cybersecurity and operational resilience are “top issues for the federal banking system.” The OCC also noted that it has implemented regulations and standards requiring banks to implement information security programs and protect confidential information. For example, the Interagency Guidelines Establishing Standards for Safety and Soundness Standards “require insured banks to have internal controls and information systems appropriate for the size of the institution and for the nature, scope, and risk of its activities and that provide for, among other requirements, effective risk assessment and adequate procedures to safeguard and manage assets.” OCC regulations also, among other things, require banks to file Suspicious Activity Reports when a known or suspected violation of federal law or a suspicious transaction related to illegal activity, or a violation of the Bank Secrecy Act is detected. In regard to examination manuals, the OCC also noted that it uses a risk-based supervision process to evaluate banks’ risk management, identify material and emerging concerns, and require banks to take corrective action when warranted. The report also discussed current and emerging cybersecurity and resilience threats to the banking sector, which include ransomware, account takeover, supply chain risks, and geopolitical threats. Additionally, the OCC noted that it “monitor[s] longer-term technology developments, which may affect cybersecurity and resilience in the future.” The use of artificial intelligence, including machine learning, is one such development that may impact cybersecurity, according to the OCC.
Pages
Upcoming Events
- Kathryn L. Ryan to host the affiliate members meeting at AARMR’s 2022 Annual Regulatory Conference & Training
- Kathryn L. Ryan and Jedd R. Bellman to discuss “Risk and compliance management: Are you covered?” at a Mortgage Bankers Association webinar
- Melissa Klimkiewicz and Daniel A. Bellovin to discuss “Things to know about flood insurance” at a NAFCU webinar
- Hank Asbill to discuss “Ethical issues at sentencing” at the 31st Annual National Seminar on Federal Sentencing
- Max Bonici will moderate a panel on “Enforcement risk and other regulatory and compliance issues related to crypto and digital assets” at the American Bar Association’s 2022 Annual Meeting
- John R. Coleman to provide a “CFPB Update” at MBA’s 2022 Regulatory Compliance Conference
- Amanda R. Lawrence to discuss “The shifting data privacy and data protection landscape” at MBA’s 2022 Regulatory Compliance Conference
- Benjamin W. Hutten to discuss “Fundamentals of financial crime compliance” at the Practicing Law Institute
- Benjamin W. Hutten to discuss “Ongoing CDD: Operational considerations” at NAFCU’s Regulatory Compliance & BSA Seminar