InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC announces Kentucky and Alabama disaster relief
On April 30, the FDIC issued FIL-31-2021 and FIL-32-2021 to provide regulatory relief to financial institutions and help facilitate recovery in areas of Kentucky and Alabama affected by severe storms. The FDIC acknowledged the unusual circumstances faced by institutions affected by the storms and suggested that institutions work with impacted borrowers to, among other things, (i) extend repayment terms; (ii) restructure existing loans; or (iii) ease terms for new loans to those affected by the severe weather, provided the measures are done “in a manner consistent with sound banking practices.” Additionally, the FDIC noted that institutions “may receive favorable Community Reinvestment Act consideration for community development loans, investments, and services in support of disaster recovery.” The FDIC will also consider regulatory relief from certain filing and publishing requirements.
FDIC announces FDItech virtual ‘Office Hours’
On April 29, the FDIC’s technology lab, FDiTech, announced that it will host a series of virtual “office hours” to hear from a variety of stakeholders in the business of banking concerning current and evolving technological innovations. The office hours will be hour-long, one-on-one sessions that will provide insight into the contributions that innovation has made in reshaping banks and enabling regulators to manage their oversight efficiently. According to the FDIC, “FDiTech seeks to evaluate and promote the adoption of innovative and transformative technologies in the financial services sector and to improve the efficiency, effectiveness, and stability of U.S. banking operations, services, and products; to support access to financial institutions, products, and services; and to better serve consumers.” FDiTech’s goal is to contribute to the transformation of banking by supporting “the adoption of technological innovations through increased collaboration with market participants.” In the first series of office hour sessions, the FDIC and FDiTech are seeking participants’ outlook on artificial intelligence and machine learning related to: (i) automation of back office processes; (ii) Bank Secrecy Act/Anti-Money Laundering compliance; (iii) credit underwriting decisions; and (iv) cybersecurity.
FDiTech anticipates hosting approximately 15 one-hour sessions each quarter. Interested parties seeking to participate in these sessions must contact the FDIC by May 24.
NYDFS tells industry to tighten third-party risk management
On April 27, NYDFS released a report warning the financial services industry to tighten third-party risk management measures, as the “next great financial crisis could come from a cyber-attack.” The report covers a December 2020 cyber-attack described as “part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors” focusing on “stealth and stealing sensitive information.” According to the report, hackers installed malware into a software platform used by the government and financial services and telecommunications companies to monitor and manage the performance of their networks. This attack, NYDFS noted, is “the most visible, widespread, and intrusive information technology software supply chain attack” to date and “opened back doors into thousands of organizations, including almost 100 companies in New York’s financial services industry.” While none of NYDFS’s regulated entities’ networks were actively exploited, the regulator warned that these types of attacks highlight the financial services industry’s vulnerability to supply chain attacks. Moreover, because third-party risk management is a key part of NYDFS’s Cybersecurity Regulation, the regulator is “exploring ways to further address this critical component of cybersecurity.” Report findings highlight that, among other things, (i) the patch-management programs for many regulated entities “are immature and lack the proper ‘patching cadence’ needed to ensure timely remediation of high-risk cyber vulnerabilities,” and (ii) “supply chain” cyber-attacks are dangerous since “malware is embedded inside a legitimate product,” allowing “an attacker to access the networks of many organizations in a single stroke.”
The report provides several recommendations, including that entities should (i) include in their vendor risk-management policies and procedures “processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors”; (ii) adopt a “zero trust” approach and implement multiple layers of security and extra protection for sensitive information; (iii) address vulnerabilities in a timely manner through patch testing, validation processes, and deployment; and (iv) ensure their incident response plans address supply chain compromises.
Fed reports on banks’ resiliency during Covid-19
On April 30, the Federal Reserve Board released a Supervision and Regulation Report noting that banks’ “strong capital and liquidity positions” have aided in the Covid-19 pandemic recovery. The report observed that, during the Covid-19 pandemic, banks were able to raise supplementary capital, liquidity strengthened from an influx of deposits, and capital ratios at most firms remained above regulatory minimums at the end of the year. The report also highlighted that large firms showed operational resilience through the pandemic by “[d]igitization of banking activities allow[ing] firms to continue these operations in the remote work environment.”
FDIC proposal would prohibit misuse of its name or logo
On April 22, the FDIC proposed a rule implementing its authority to prohibit “making misrepresentations about deposit insurance or misusing the FDIC’s name or logo.” The proposed rule is intended to promote transparency on the FDIC’s processes for inspecting and enforcing potential breaches of prohibitions under the FDIC Act by “further clarify[ing] [] procedures for identifying, investigating, and where necessary taking formal and informal action to address potential violations of Section 18(a)(4).” Additionally, the proposed rule would establish a primary point of contact for the public to report or inquire about potential violations. The FDIC specified that the proposed rule is in response to the “increasing number of instances where financial services providers or other entities or individuals have misused the FDIC’s name or logo.”
Comments on the proposed rule will be accepted for 60 days after publication in the Federal Register.
State AGs urge Congress to rescind OCC’s “true lender” rule
On April 21, a coalition of 26 state attorneys general sent a letter urging Congress to exercise its authority under the Congressional Review Act (CRA) and rescind the OCC’s “True Lender Rule” in order to “safeguard states’ fundamental sovereign rights to protect their citizens from financial abuse.” As previously covered by InfoBytes, the OCC’s final rule amended 12 CFR Part 7 to state that a bank makes a loan when, as of the date of origination, it either (i) is named as the lender in the loan agreement or (ii) funds the loan. The final rule also clarified that if “one bank is named as the lender in the loan agreement and another bank funds the loan, the bank that is named as the lender in the loan agreement makes the loan.” In their letter, the AGs expressed concern that the final rule “establishes a simplistic standard to redefine the meaning of ‘true lender,’” enabling predatory lenders to “circumvent” state interest-rate caps through “rent-a-bank” schemes, which would in turn allow banks to act as lenders in name only while passing state law exemptions for banks to non-bank entities. The letter references a complaint filed by eight state AGs against the OCC in January challenging the final rule (covered by InfoBytes here) and argues that in finalizing the rule the OCC “acted in a manner contrary to centuries of case law [and] the OCC’s own prior interpretation of the law,” and seeks to preempt state usury law and “infringe on the States’ historical police powers and facilitate predatory lending.”
In March, both House and Senate Democrats introduced CRA resolutions (see H.J. Res. 35 and S.J. Res. 15) intended to provide for congressional disapproval and invalidation of the OCC’s final rule. The OCC responded on April 14, arguing that “disapproval of the rule would return bank lending relationships to the previous state of legal and regulatory uncertainty, which. . . adversely affects the function of secondary markets and restricts the availability of credit.” The OCC further stated that the final rule is intended to enhance the agency’s ability to supervise bank lending and “does not change bank’s authority to export interest rates” nor does it “permit national banks to charge whatever rate they like” as both federal and state-chartered banks are required to conform to applicable interest rate limits. “Disparities of interest rates from state to state result from differences in the state laws that impose these caps, not OCC rules or actions,” the OCC stressed, adding that “[s]tates retain the authority to set interest rates.” However, the Conference of State Bank Supervisors sent a letter to Congress in support of S.J. Res. 15, disagreeing with the OCC and noting that the final rule, if it stands, would “eviscerate the power of state interest rate caps and rid state regulators of the most effective tool to protect consumers from such predatory lending.”
Fed announces enforcement actions against Montana and Iowa state banks
On April 22, the Federal Reserve Board announced enforcement actions against two state banks. In a consent order with a Montana-based bank, the Fed alleged that the bank violated the National Flood Insurance Act (NFIA) and Regulation H. The order assesses a $9,500 penalty against the bank for an alleged pattern or practice of violations of Regulation H but does not specify the number or the precise nature of the alleged violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,252 per violation.
Separately, an Iowa-based bank entered a written agreement with the Fed and the Iowa Superintendent of Banking “to strengthen board oversight of the management and operations of the Bank, by improving the Bank’s condition and maintaining control of the Bank’s main operations and activities, including the Bank’s credit risk management, asset quality, capital, and earnings.” According to the agreement, the bank must provide an acceptable written plan designed to reinforce credit risk management practices to the Fed and the Superintendent within 60 days. In addition, the plan must include: “(i) a comprehensive budget for 2021, including income statement and balance sheet projections; and (ii) a description of the operating assumptions that form the basis for, and adequately support, major projected income, expense, and balance sheet components.”
Fed proposes extension to TILA disclosure requirements
On April 12, the Federal Reserve Board issued a notice of proposed rulemaking to extend TILA recordkeeping and disclosure requirements implemented under Regulation Z. The Board proposes to revise FR Z (OMB No. 7100-0199) to: (i) include burden connected to disclosure requirements in “rules issued by the Bureau since the Board’s last Paperwork Reduction Act (PRA) submission, as well as for one information collection for which the Bureau estimates burden” but the Board formerly did not; (ii) break out and clarify “burden estimates” that were formerly consolidated; and (iii) eliminate burden associated with some requirements due to the Bureau accounting for burden for the entire industry, or because the burden is now deemed a part of an institution’s usual and customary business practices. The notice also mentions that the “disclosures, records, policies and procedures required by Regulation Z are not required to be submitted to the Board.”
OCC releases recent enforcement actions
On April 15, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included among the actions is a March consent order against a Colorado-based bank, which requires the bank to waive any and all rights to the issuance of a Notice of Charges. According to the order, the Bank entered into a Formal Agreement in May 2016 for engaging in “certain unsafe and unsound practices related to the Bank’s capital, strategic planning, corporate governance, credit administration, trust administration, and Bank Secrecy Act/Anti-Money Laundering compliance program.” In addition, as a result of this order, the Bank is in “troubled condition,” as set forth in 12 C.F.R. § 5.51(c)(7)(ii), unless otherwise informed in writing by the OCC.
OCC releases new Allowances for Credit Losses booklet
On April 15, the OCC released the “Allowances for Credit Losses” (ACL) booklet to update, consolidate, and rescind various booklets in the Comptroller’s Handbook. The booklet highlights (i) the current expected credit losses methodology’s scope, risks associated with ACLs, and seven primary components used to estimate ACLs; (ii) documentation and considerations for expected credit losses, estimation processes, the maintenance of appropriate ACLs, the responsibilities of boards of directors and management, and examiner reviews of ACLs; and (iii) procedures to aid examiners when assessing appropriateness of a bank’s ACL methodologies and balances. In addition, the booklet is consistent with the “Interagency Policy Statement on Allowances for Credit Losses” included in OCC Bulletin 2020-49 and “Frequently Asked Questions on the New Accounting Standard on Financial Instruments—Credit Losses” conveyed by OCC Bulletin 2019-17.