InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Biden nominates Powell and Brainard
On November 22, President Biden selected Jerome Powell to serve a second term as Chair of the Federal Reserve Board and nominated Fed Governor Lael Brainard to serve as Vice Chair of the Board of Governors, replacing current Vice Chair Richard Clarida. The White House highlighted Powell’s “steady leadership during an unprecedently challenging period, including the biggest economic downturn in modern history and attacks on the independence of the Federal Reserve,” and applauded Powell and Brainard’s shared “focus on ensuring that economic growth broadly benefits all workers.” The White House noted that both nominees are advancing key Biden administration priorities, including addressing climate-related financial risks and staying ahead of emerging risks to the country’s financial system. Powell issued a statement on his nomination, thanking President Biden for the opportunity to continue to serve as Chair and highlighting several key priorities, including “vigilantly guarding the resilience and stability of the financial system, addressing evolving risks from climate change and cyber attacks, and facilitating the modernization of the payments system while protecting consumers.” Brainard also released a statement affirming her commitment to serving all Americans and ensuring the Fed reflects the diversity of the communities it serves. President Biden still needs to fill three open seats on the Board, including the position of Vice Chair for Supervision. The White House stated that President Biden intends to announce the additional nominations in early December.
NYDFS issues final guidance for insurers on climate change financial risks
On November 15, NYDFS issued final guidance to New York regulated-domestic insurers on managing climate change-related financial risks. The final guidance reflects the agency’s consideration of stakeholder comments from proposed guidance issued in March, and was informed by NYDFS’s collaboration with the insurance industry and international regulators. Building on a 2020 insurance circular letter addressing climate change and financial risks, the final guidance outlines expectations that insurers begin “integrating the consideration of the financial risks from climate change into their governance frameworks, business strategies, risk management processes and scenario analysis, and developing their approach to climate-related financial disclosure.” Specifically, an insurer should (i) incorporate into its governance structure, at either “the group or insurer entity level,” climate-risk considerations; (ii) consider current and forward-looking climate-related implications on its operations through “time horizons” appropriately tailored to the insurer’s activities and decisions; (iii) incorporate in its current financial risk management framework analyses of the effect of climate risks on existing risk factors; (iv) employ scenario analysis to inform business strategy decisions, risk assessments, and identification; and (v) disclose its climate risks and engage with NYDFS’s Task Force on Climate-related Financial Disclosures when developing climate disclosure approaches. NYDFS will monitor insurers’ progress in implementing these expectations with respect to organizational structures, which insurers must have in place by August 15, 2022. The NYDFS noted it will provide further guidance on timing for implementing “the more complex expectations outlined in the guidance.”
New rule gives banks 36 hours to disclose cybersecurity incidents
On November 18, the FDIC, Federal Reserve Board, and the OCC issued a final rule intended to enhance information sharing about cyber incidents that may affect the U.S. banking system. The final rule, among other things, requires a banking organization to timely notify its primary federal regulator in the event of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place. The final rule notes that notification is required for incidents that have affected, in certain circumstances: (i) the viability of a banking organization’s operations; (ii) its ability to deliver banking products and services; or (iii) the stability of the financial sector. Additionally, the final rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially dispute or degrade, a banking organization’s customers for four or more hours. The final rule further provides that the notification requirement for bank service providers is important since “banking organizations have become increasingly reliant on third parties to provide essential services,” which may also experience computer-security incidents that could affect the support services they provide to banking organization customers, along with other significant impacts. The rule is effective April 1, 2022, and banking organizations are expected to comply with the final rule by May 1, 2022.
OCC calls for modernization of financial regulatory perimeter as fintechs/crypto firms increase
On November 16, acting Comptroller of the Currency Michael J. Hsu told attendees at the Federal Reserve Bank of Philadelphia’s Fifth Annual Fintech Conference that the federal banking agencies are “approaching crypto activities very carefully and with a high degree of caution” and “expect banks to do the same.” Hsu pointed out what while changes to the financial regulatory perimeter generally occur as a response to crises and failures, regulatory agencies need to take proactive modernization measures given the astounding growth and expansion of fintechs and cryptocurrencies. Hsu highlighted several important questions that agencies must consider, including whether fintech and crypto firms will start to function like banks and whether bringing them into the bank regulatory perimeter would be the proper solution. He also stated that regulatory agencies must consider whether the risks faced by banks and fintech/crypto firms are the same and, subsequently, whether agencies need to modernize or maintain their status quo. Hsu focused on two specific areas of concern: (i) synthetic banking, or fintechs, operating outside the bank regulatory perimeter but that offer a range of services, including extending various forms of credit and offering interest on cash held in accounts (emphasizing the importance of fintech-bank partnerships); and (ii) the fragmented supervision of universal crypto firms, where Hsu asserted that gaps in supervision are driven by the fact that crypto firms are not subject to comprehensive consolidated supervision.
Hsu announced that the agencies will soon issue a statement conveying results from a recent interagency “crypto sprint,” and that the OCC will also provide clarity on its recently concluded review of crypto-related interpretive letters. Hsu explained that “safety and soundness is paramount” when banks engage in crypto activities and that the agencies’ clarifications “should not be interpreted as a green light or a solid red light, but rather as reflective of a disciplined, deliberative, and diligent approach to a novel and risky area.”
UAE bank fined $100 million for Sudanese sanctions violations
On November 9, NYDFS announced that a United Arab Emirates bank will pay a $100 million penalty to resolve an investigation into payments it allegedly processed through financial institutions in the state, including one of the bank’s New York branches. These transactions, NYDFS stated, were in violation of Sudan-related U.S. sanctions. According to NYDFS’ investigation, the bank instructed employees to avoid including certain details in messages sent between banks that would have linked the transactions to Sudan. By concealing these details, the transactions bypassed other banks’ sanctions filters, which otherwise might have triggered alerts or transaction freezes, NYDFS said. As a result, between 2005 and 2009, the bank illegally processed more than $4 billion of payments tied to Sudan. Following an announcement in 2009 that a Swiss bank used by the bank to process these transactions was being investigated by the New York County District Attorney’s Office for violating economic sanctions rules, the bank closed all U.S. dollar accounts held by Sudanese banks, but failed to disclose the prohibited transactions to NYDFS as required until 2015. NYDFS asserted that “despite having ample notice of the prohibited nature of the Sudan-related [transactions] by 2009,” the bank’s New York branch processed an additional $2.5 million in Sudan-related payments. Under the terms of the consent order, the bank—which was previously cited by NYDFS for anti-money laundering and sanctions compliance deficiencies in a 2018 consent order that included a $40 million fine—is also required to provide a status report on its U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) compliance program, in addition to paying the $100 million penalty. NYDFS acknowledged the bank’s substantial cooperation and ongoing remedial efforts.
NYDFS coordinated its investigation with the Federal Reserve Board and OFAC, both of which announced separate settlements with the UAE bank the same day. The Fed’s announcement of its order to cease and desist cites the bank for having insufficient policies and procedures in place to ensure that activities involving branches outside the U.S. were in compliance with U.S. sanctions laws. Under the terms of the order, the bank is required, among other things, to implement an enhanced compliance program to ensure global compliance with U.S. sanctions, and must also conduct annual reviews, including a “risk-focused sampling” of its U.S. dollar payments, led by an independent external party. The order did not include any additional monetary penalties for the bank.
OFAC also issued a finding of violation (FOV) for violations of the now-repealed Sudanese Sanctions Regulations related to the bank’s actions. These violations included 1,760 transactions that involved USD transfers from Sudanese banks that were processed by the bank’s London branch and routed through U.S. banks. In determining that the appropriate administrative action was an FOV rather than a civil monetary penalty, OFAC stated the bank “voluntarily entered into a retroactive statute of limitations waiver agreement, without which OFAC would have been time-barred from charging the violations.” Because the payment messages did not include the originating Sudanese bank, U.S. correspondent banking partners “could not interdict the payments, and the payments were successfully processed through the U.S. financial system,” OFAC stated. However, OFAC credited the bank with providing substantial cooperation during the investigation, and noted that the bank had taken “extensive remediation” efforts before the investigation began in 2015, and has spent more than $122 million on compliance enhancements.
Agencies adopt standardized approach for counterparty credit risk Call Report
On November 9, the FDIC, Federal Reserve Board, and the OCC announced the publication of final regulatory reporting changes in the Federal Register applicable to three versions of the Call Report (FFIEC 031, FFIEC 041, and FFIEC 051). In July, the agencies proposed to revise and extend the Call Report for three years, and requested public comments on proposed changes to clarify instructions for reporting of deferred tax assets (DTAs) and to add a new item related to the standardized approach for counterparty credit risk (SA–CCR). (See FIL-53-2021.) Following the comment period, the agencies are proceeding with the proposed SA-CCR-related reporting change to the Call Report, which will take effect with the December 31, 2021 report date, subject to approval by the Office of Management and Budget. However, proposed instruction revisions related to DTAs are not final as the agencies continue to consider comments received on the proposed rule on tax allocation agreements. (See FIL-29-2021.) Supervised financial institutions are encouraged to review the proposed regulatory change. Redline copies of the Call Report and related draft reporting instructions are available on the FFIEC’s webpage here.
Fed cites need to increase oversight of nonbank mortgage companies
On November 8, Federal Reserve Board Governor, Michelle W. Bowman, spoke at the “Women in Housing and Finance Public Policy Luncheon” regarding U.S. housing and the mortgage market. Bowman observed that home prices have increased in the past year and a half, stating that “[i]n September, about 90 percent of American cities had experienced rising home prices over the past three months, and the home price increases were substantial in most of these cities,” which “raise[s] the concern that housing is overvalued and that home prices may decline.” She discussed several factors leading to the demand for housing as including (i) low interest rates; (ii) accumulated savings; and (iii) increased income growth. Additionally, she pointed out that mortgage refinancing has surged due to the decrease in long-term interest rates, and that nonbank servicers utilized the proceeds from the “refinacings to fund the advances associated with forbearance.” However, Bowman added that higher home prices and rising rents contributed to inflationary pressures in the economy. Bowman stated that the “multifamily rental market is at historic levels of tightness, with over 95 percent occupancy in major markets,” and she anticipates that these housing supply issues are unlikely to reverse materially in the short term, suggesting that there will be higher levels of inflation caused by housing. With respect to forbearance, Bowman said, “1.2 million borrowers were still in forbearance, down from a peak of 4.7 million in June 2020” on mortgage payments. Bowman stated that, “[f]orbearance, foreclosure moratorium, and fiscal support have kept distressed borrowers in their homes.” Bowman warned that transitioning borrowers from mortgage forbearance to modification may be a “heavy lift” for some servicers. Bowman disclosed that the Fed will be monitoring what happens as borrowers reach the end of the forbearance on mortgage payments and estimates that 850,000 of those in forbearance will reach the end of their forbearance period in January 2022, and “the temporary limitations on foreclosures put in place by the Consumer Financial Protection Bureau will expire at the end of the year.” Bowman recommended that state and federal regulators collaborate to collect data, identify risks, and strengthen oversight of nonbank mortgage companies.
OCC urges bank boards to promote climate risk management
On November 8, acting Comptroller of the Currency Michael J. Hsu discussed climate change risk at the OCC headquarters, highlighting areas for large bank boards of directors to consider when promoting and accelerating improvements in climate risk management practices. According to Hsu, bank boards play a “pivotal role” in actions against climate change, which poses significant risks to the financial system. Hsu compared credit risk management and climate risk management, stating that “strong credit risk management capabilities can provide the assurance and confidence needed for a bank to make risky credit decisions prudently, strong climate risk management capabilities can enable the same prudent risk taking with regards to climate-related business opportunities.” Additionally, Hsu noted that, by the end of this year, the OCC will issue a high-level framework guidance for large banks regarding climate risk management. Hsu also outlined several areas for board members to consider, including evaluating an institution’s overall exposure to climate change, estimating the exposure to a carbon tax, and assessing an institution’s most acute vulnerabilities to climate change events. Hsu stated that “now is the time” to identify and understand vulnerabilities impacting continuity and disaster recovery planning.
NYDFS proposes expanding CRA to support minority- and women-owned businesses
On November 3, NYDFS issued proposed changes to the state’s Community Reinvestment Act (New York CRA) to guarantee the department “has the necessary data to ensure banks are evolving to best serve their communities and protect against redlining and fair lending violations.” The proposed regulation further specifies the type of communities the New York CRA plans to support and will enable NYDFS to evaluate the extent to which minority- and women-owned businesses are offered and provided credit. In June 2020, NYDFS issued an industry letter (covered by InfoBytes here) to alert regulated entities that it planned to make changes to its CRA examination process in response to an amendment to the New York CRA, which required NYDFS to consider “several aspects of banking institutions’ activities with respect to minority- and women-owned businesses.” Among other things, the proposed regulation outlines data collection and submission requirements, including (i) asking whether a business applying for a loan or credit is minority- or women-owned or both; (ii) reporting application details such as the date, type of credit applied for and amount, and whether the application was approved or denied; and (iii) reporting a business’s size and location. Comments will be accepted for 60 days following publication in the State Register.
The New York CRA has undergone several expansions recently. As previously covered by InfoBytes, the New York governor signed legislation on November 1 expanding the New York CRA to cover non-depository lenders. Under the amendments, nonbank mortgage providers’ lending and investment in low- and moderate-income communities will be subject to NYDFS review.
NYDFS provides affiliate cybersecurity program guidance
Recently, NYDFS issued an industry letter to regulated entities advising that a covered entity may adopt the cybersecurity program of an affiliate. New York’s Cybersecurity Regulation (23 NYCRR Part 500) requires regulated entities (Covered Entities) to implement risk-based cybersecurity programs to protect their information systems as well as the nonpublic information maintained on them. (See continuing InfoBytes coverage on 23 NYCRR Part 500 here.) Specifically, 23 NYCRR Part 500 allows “Covered Entities to adopt ‘the relevant and applicable provisions’ of the cybersecurity program of an affiliate provided that such provisions satisfy the requirements of the Cybersecurity Regulation.” NYDFS is also permitted to fully examine the adopted portions of the affiliate’s cybersecurity program to ensure compliance, even if that affiliate is not covered or regulated by NYDFS otherwise. Covered Entities are reminded that while they may adopt an affiliate’s cybersecurity program in whole or in part, the Covered Entity may not delegate compliance responsibility to the affiliate, and is responsible for ensuring it cybersecurity program complies with 23 NYCRR Part 500, “regardless of whether its cybersecurity program is its own or was adopted in whole or in part from an affiliate.” Additionally, a Covered Entity’s compliance obligations are the same whether it adopts an affiliate’s cybersecurity program or implements its own cybersecurity program. Among other things, Covered Entities are required to provide, upon request, all “documentation and information” related to their cybersecurity programs, including evidence that an adopted affiliate’s cybersecurity program meets the requirements of 23 NYCRR Part 500. At a minimum, NYDFS requires access to an affiliate’s “cybersecurity policies and procedures, risk assessments, penetration testing and vulnerability assessment results, and any third party audits that relate to the adopted portions of the cybersecurity program of the affiliate.” NYDFS also explained that foreign bank branches and representative offices often have head offices located outside the U.S. that are not directly regulated by NYDFS. For these entities, all documentation and information relevant to the adopted portions of their head offices’ cybersecurity programs must be provided to NYDFS examiners to evaluate the Covered Entities’ compliance with 23 NYCRR Part 500.