InfoBytes Blog

Financial Services Law Insights and Observations


  • New rule gives banks 36 hours to disclose cybersecurity incidents

    Agency Rule-Making & Guidance

    On November 18, the FDIC, Federal Reserve Board, and the OCC issued a final rule intended to enhance information sharing about cyber incidents that may affect the U.S. banking system. The final rule, among other things, requires a banking organization to timely notify its primary federal regulator of a significant computer-security incident within 36 hours after the banking organization determines that a cyber incident has taken place. The final rule notes that notification is required for incidents that have affected, in certain circumstances: (i) the viability of a banking organization’s operations; (ii) its ability to deliver banking products and services; or (iii) the stability of the financial sector. Additionally, the final rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s customers for four or more hours. The final rule further provides that the notification requirement for bank service providers is important since “banking organizations have become increasingly reliant on third parties to provide essential services,” which may also experience computer-security incidents that could affect the support services they provide to banking organization customers, along with other significant impacts. The rule is effective April 1, 2022, and banking organizations are expected to comply with the final rule by May 1, 2022.

    Agency Rule-Making & Guidance Federal Issues FDIC OCC Federal Reserve Privacy/Cyber Risk & Data Security Bank Regulatory Third-Party

  • OCC calls for modernization of financial regulatory perimeter as fintechs/crypto firms increase

    Federal Issues

    On November 16, acting Comptroller of the Currency Michael J. Hsu told attendees at the Federal Reserve Bank of Philadelphia’s Fifth Annual Fintech Conference that the federal banking agencies are “approaching crypto activities very carefully and with a high degree of caution” and “expect banks to do the same.” Hsu pointed out that while changes to the financial regulatory perimeter generally occur as a response to crises and failures, regulatory agencies need to take proactive modernization measures given the astounding growth and expansion of fintechs and cryptocurrencies. Hsu highlighted several important questions that agencies must consider, including whether fintech and crypto firms will start to function like banks and whether bringing them into the bank regulatory perimeter would be the proper solution. He also stated that regulatory agencies must consider whether the risks faced by banks and fintech/crypto firms are the same and, subsequently, whether agencies need to modernize or maintain their status quo. Hsu focused on two specific areas of concern: (i) synthetic banking, or fintechs that operate outside the bank regulatory perimeter but offer a range of services, including extending various forms of credit and offering interest on cash held in accounts (emphasizing the importance of fintech-bank partnerships); and (ii) the fragmented supervision of universal crypto firms, where Hsu asserted that gaps in supervision are driven by the fact that crypto firms are not subject to comprehensive consolidated supervision.

    Hsu announced that the agencies will soon issue a statement conveying results from a recent interagency “crypto sprint,” and that the OCC will also provide clarity on its recently concluded review of crypto-related interpretive letters. Hsu explained that “safety and soundness is paramount” when banks engage in crypto activities and that the agencies’ clarifications “should not be interpreted as a green light or a solid red light, but rather as reflective of a disciplined, deliberative, and diligent approach to a novel and risky area.”

    Federal Issues OCC Fintech Cryptocurrency Bank Regulatory Bank Supervision

  • UAE bank fined $100 million for Sudanese sanctions violations

    Financial Crimes

    On November 9, NYDFS announced that a United Arab Emirates bank will pay a $100 million penalty to resolve an investigation into payments it allegedly processed through financial institutions in the state, including one of the bank’s New York branches. These transactions, NYDFS stated, were in violation of Sudan-related U.S. sanctions. According to NYDFS’ investigation, the bank instructed employees to avoid including certain details in messages sent between banks that would have linked the transactions to Sudan. By concealing these details, the transactions bypassed other banks’ sanctions filters, which otherwise might have triggered alerts or transaction freezes, NYDFS said. As a result, between 2005 and 2009, the bank illegally processed more than $4 billion of payments tied to Sudan. Following an announcement in 2009 that a Swiss bank used by the bank to process these transactions was being investigated by the New York County District Attorney’s Office for violating economic sanctions rules, the bank closed all U.S. dollar accounts held by Sudanese banks, but failed to disclose the prohibited transactions to NYDFS as required until 2015. NYDFS asserted that “despite having ample notice of the prohibited nature of the Sudan-related [transactions] by 2009,” the bank’s New York branch processed an additional $2.5 million in Sudan-related payments. Under the terms of the consent order, the bank—which was previously cited by NYDFS for anti-money laundering and sanctions compliance deficiencies in a 2018 consent order that included a $40 million fine—is also required to provide a status report on its U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) compliance program, in addition to paying the $100 million penalty. NYDFS acknowledged the bank’s substantial cooperation and ongoing remedial efforts.

    NYDFS coordinated its investigation with the Federal Reserve Board and OFAC, both of which announced separate settlements with the UAE bank the same day. The Fed’s announcement of its order to cease and desist cites the bank for having insufficient policies and procedures in place to ensure that activities involving branches outside the U.S. were in compliance with U.S. sanctions laws. Under the terms of the order, the bank is required, among other things, to implement an enhanced compliance program to ensure global compliance with U.S. sanctions, and must also conduct annual reviews, including a “risk-focused sampling” of its U.S. dollar payments, led by an independent external party. The order did not include any additional monetary penalties for the bank.

    OFAC also issued a finding of violation (FOV) for violations of the now-repealed Sudanese Sanctions Regulations related to the bank’s actions. These violations included 1,760 transactions that involved USD transfers from Sudanese banks that were processed by the bank’s London branch and routed through U.S. banks. In determining that the appropriate administrative action was an FOV rather than a civil monetary penalty, OFAC stated the bank “voluntarily entered into a retroactive statute of limitations waiver agreement, without which OFAC would have been time-barred from charging the violations.” Because the payment messages did not include the originating Sudanese bank, U.S. correspondent banking partners “could not interdict the payments, and the payments were successfully processed through the U.S. financial system,” OFAC stated. However, OFAC credited the bank with providing substantial cooperation during the investigation, and noted that the bank had taken “extensive remediation” efforts before the investigation began in 2015, and has spent more than $122 million on compliance enhancements.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury NYDFS OFAC Sanctions Sudan Enforcement Bank Regulatory Federal Reserve State Issues

  • Agencies adopt standardized approach for counterparty credit risk Call Report

    Agency Rule-Making & Guidance

    On November 9, the FDIC, Federal Reserve Board, and the OCC announced the publication of final regulatory reporting changes in the Federal Register applicable to three versions of the Call Report (FFIEC 031, FFIEC 041, and FFIEC 051). In July, the agencies proposed to revise and extend the Call Report for three years, and requested public comments on proposed changes to clarify instructions for reporting of deferred tax assets (DTAs) and to add a new item related to the standardized approach for counterparty credit risk (SA–CCR). (See FIL-53-2021.) Following the comment period, the agencies are proceeding with the proposed SA-CCR-related reporting change to the Call Report, which will take effect with the December 31, 2021 report date, subject to approval by the Office of Management and Budget. However, proposed instruction revisions related to DTAs are not final as the agencies continue to consider comments received on the proposed rule on tax allocation agreements. (See FIL-29-2021.) Supervised financial institutions are encouraged to review the proposed regulatory change. Redline copies of the Call Report and related draft reporting instructions are available on the FFIEC’s webpage here.

    Agency Rule-Making & Guidance FDIC Federal Reserve OCC Call Report OMB FFIEC Bank Regulatory

  • Fed cites need to increase oversight of nonbank mortgage companies

    Federal Issues

    On November 8, Federal Reserve Board Governor Michelle W. Bowman spoke at the “Women in Housing and Finance Public Policy Luncheon” regarding U.S. housing and the mortgage market. Bowman observed that home prices have increased in the past year and a half, stating that “[i]n September, about 90 percent of American cities had experienced rising home prices over the past three months, and the home price increases were substantial in most of these cities,” which “raise[s] the concern that housing is overvalued and that home prices may decline.” She discussed several factors driving the demand for housing, including (i) low interest rates; (ii) accumulated savings; and (iii) increased income growth. Additionally, she pointed out that mortgage refinancing has surged due to the decrease in long-term interest rates, and that nonbank servicers utilized the proceeds from the “refinancings to fund the advances associated with forbearance.” However, Bowman added that higher home prices and rising rents contributed to inflationary pressures in the economy. Bowman stated that the “multifamily rental market is at historic levels of tightness, with over 95 percent occupancy in major markets,” and she anticipates that these housing supply issues are unlikely to reverse materially in the short term, suggesting that there will be higher levels of inflation caused by housing. With respect to forbearance on mortgage payments, Bowman said, “1.2 million borrowers were still in forbearance, down from a peak of 4.7 million in June 2020.” Bowman stated that, “[f]orbearance, foreclosure moratorium, and fiscal support have kept distressed borrowers in their homes.” Bowman warned that transitioning borrowers from mortgage forbearance to modification may be a “heavy lift” for some servicers.

    Bowman disclosed that the Fed will be monitoring what happens as borrowers reach the end of the forbearance on mortgage payments and estimates that 850,000 of those in forbearance will reach the end of their forbearance period in January 2022, and “the temporary limitations on foreclosures put in place by the Consumer Financial Protection Bureau will expire at the end of the year.” Bowman recommended that state and federal regulators collaborate to collect data, identify risks, and strengthen oversight of nonbank mortgage companies.

    Federal Issues Federal Reserve Mortgages Bank Regulatory Nonbank Mortgage Servicing Forbearance CFPB Consumer Finance

  • OCC urges bank boards to promote climate risk management

    Federal Issues

    On November 8, acting Comptroller of the Currency Michael J. Hsu discussed climate change risk at the OCC headquarters, highlighting areas for large bank boards of directors to consider when promoting and accelerating improvements in climate risk management practices. According to Hsu, bank boards play a “pivotal role” in actions against climate change, which poses significant risks to the financial system. Hsu compared credit risk management and climate risk management, stating that “strong credit risk management capabilities can provide the assurance and confidence needed for a bank to make risky credit decisions prudently, strong climate risk management capabilities can enable the same prudent risk taking with regards to climate-related business opportunities.” Additionally, Hsu noted that, by the end of this year, the OCC will issue a high-level framework guidance for large banks regarding climate risk management. Hsu also outlined several areas for board members to consider, including evaluating an institution’s overall exposure to climate change, estimating the exposure to a carbon tax, and assessing an institution’s most acute vulnerabilities to climate change events. Hsu stated that “now is the time” to identify and understand vulnerabilities impacting continuity and disaster recovery planning.

    Federal Issues OCC Climate-Related Financial Risks Bank Regulatory Bank Supervision

  • NYDFS proposes expanding CRA to support minority- and women-owned businesses

    State Issues

    On November 3, NYDFS issued proposed changes to the state’s Community Reinvestment Act (New York CRA) to guarantee the department “has the necessary data to ensure banks are evolving to best serve their communities and protect against redlining and fair lending violations.” The proposed regulation further specifies the type of communities the New York CRA plans to support and will enable NYDFS to evaluate the extent to which minority- and women-owned businesses are offered and provided credit. In June 2020, NYDFS issued an industry letter (covered by InfoBytes here) to alert regulated entities that it planned to make changes to its CRA examination process in response to an amendment to the New York CRA, which required NYDFS to consider “several aspects of banking institutions’ activities with respect to minority- and women-owned businesses.” Among other things, the proposed regulation outlines data collection and submission requirements, including (i) asking whether a business applying for a loan or credit is minority- or women-owned or both; (ii) reporting application details such as the date, type of credit applied for and amount, and whether the application was approved or denied; and (iii) reporting a business’s size and location. Comments will be accepted for 60 days following publication in the State Register.

    The New York CRA has undergone several expansions recently. As previously covered by InfoBytes, the New York governor signed legislation on November 1 expanding the New York CRA to cover non-depository lenders. Under the amendments, nonbank mortgage providers’ lending and investment in low- and moderate-income communities will be subject to NYDFS review. 

    State Issues State Regulators NYDFS Bank Regulatory CRA New York

  • NYDFS provides affiliate cybersecurity program guidance

    State Issues

    Recently, NYDFS issued an industry letter to regulated entities advising that a covered entity may adopt the cybersecurity program of an affiliate. New York’s Cybersecurity Regulation (23 NYCRR Part 500) requires regulated entities (Covered Entities) to implement risk-based cybersecurity programs to protect their information systems as well as the nonpublic information maintained on them. (See continuing InfoBytes coverage on 23 NYCRR Part 500 here.) Specifically, 23 NYCRR Part 500 allows “Covered Entities to adopt ‘the relevant and applicable provisions’ of the cybersecurity program of an affiliate provided that such provisions satisfy the requirements of the Cybersecurity Regulation.” NYDFS is also permitted to fully examine the adopted portions of the affiliate’s cybersecurity program to ensure compliance, even if that affiliate is not covered or regulated by NYDFS otherwise. Covered Entities are reminded that while they may adopt an affiliate’s cybersecurity program in whole or in part, the Covered Entity may not delegate compliance responsibility to the affiliate, and is responsible for ensuring its cybersecurity program complies with 23 NYCRR Part 500, “regardless of whether its cybersecurity program is its own or was adopted in whole or in part from an affiliate.” Additionally, a Covered Entity’s compliance obligations are the same whether it adopts an affiliate’s cybersecurity program or implements its own cybersecurity program. Among other things, Covered Entities are required to provide, upon request, all “documentation and information” related to their cybersecurity programs, including evidence that an adopted affiliate’s cybersecurity program meets the requirements of 23 NYCRR Part 500.

    At a minimum, NYDFS requires access to an affiliate’s “cybersecurity policies and procedures, risk assessments, penetration testing and vulnerability assessment results, and any third party audits that relate to the adopted portions of the cybersecurity program of the affiliate.” NYDFS also explained that foreign bank branches and representative offices often have head offices located outside the U.S. that are not directly regulated by NYDFS. For these entities, all documentation and information relevant to the adopted portions of their head offices’ cybersecurity programs must be provided to NYDFS examiners to evaluate the Covered Entities’ compliance with 23 NYCRR Part 500.

    State Issues NYDFS Privacy/Cyber Risk & Data Security 23 NYCRR Part 500 State Regulators Bank Regulatory Affiliated Business Relationship Enforcement Of Interest to Non-US Persons

  • NYDFS creates Climate Risk Division

    State Issues

    On November 3, NYDFS announced the creation of the Climate Risk Division and the appointment of Dr. Yue (Nina) Chen as its Executive Deputy Superintendent and the inaugural NYDFS Director of Sustainability and Climate Initiatives. According to the announcement, the Climate Risk Division will, among other things: (i) include climate risks in its regulated entities supervision; (ii) support industry growth regarding climate risk management; (iii) coordinate with international, national, and state regulators; (iv) develop internal capacity regarding climate-related financial risks and support the capacity-building of peer regulators; and (v) ensure access to financial services is fair for all communities.

    State Issues NYDFS Climate-Related Financial Risks Bank Regulatory New York State Regulators

  • OCC, Fed, and Treasury issue statements on climate change

    Federal Issues

    On November 3, the OCC, the Federal Reserve, and the U.S. Treasury Department released statements expressing support for the Network for Greening the Financial System (NGFS) Glasgow Declaration. OCC acting Comptroller Michael J. Hsu noted in a statement that the OCC is developing “high-level climate risk management supervisory expectations for large banks” and expects to issue the framework guidance for comment “by the end of the year.” Hsu also noted that the OCC will implement recommendations of the FSOC Climate Change Report, which was released in response to President Biden’s May executive order, and directed financial regulators to take steps to mitigate climate-related risk related to the financial system (covered by InfoBytes here). In a statement by Treasury Secretary Yellen, she discussed the importance of tackling climate change, stating that it is “the greatest economic opportunity of our time,” and noted the U.S. is “calling on the multilateral development banks to increase their efforts.” The Fed noted in a statement that it is committed to understanding and addressing climate change and, furthermore, “will address climate-related risks in an analytically rigorous, transparent, and collaborative way through our domestic work with other federal agencies including the Financial Stability Oversight Council; our international engagement through the Financial Stability Board, the Basel Committee on Banking Supervision, and the NGFS; and through our broad and transparent engagement with the private sector.”

    Federal Issues OCC Federal Reserve Biden Climate-Related Financial Risks Department of Treasury Bank Regulatory
