On August 18, the Financial Crimes Enforcement Network, which has overall responsibility for administering the Bank Secrecy Act, issued a short statement that, for the first time, publicly outlined its approach to BSA enforcement. Of note, FinCEN indicated that it will not base enforcement actions on an institution’s failure to comply with standards announced solely in a guidance document. Additionally, for the first time, FinCEN listed a nonexhaustive set of factors it will use to determine what enforcement steps should be taken. The statement leaves FinCEN with considerable flexibility in enforcing the BSA, and raises a number of questions for legal and compliance professionals.
The statement will be of most interest to “financial institutions,” which under the BSA include a wide swath of financial services companies, that are not subject to supervision by a federal prudential regulator authorized to enforce compliance with the BSA; most prudential regulators have their own enforcement guidelines, and the federal banking agencies recently issued a joint statement on BSA enforcement. Companies subject to FinCEN’s BSA enforcement authority, particularly those such as money services businesses without federal prudential regulators, may wish to familiarize themselves with FinCEN’s enforcement factors and tailor their compliance efforts accordingly. The statement also provides implicit guidance on what actions institutions should take upon identification of a potential violation.
On April 6, federal regulators issued two interim final regulatory capital rules that will modify the framework of the Community Bank Leverage Ratio (CBLR) in order to enable qualifying community banking organizations (banks) to support lending during the Covid-19 pandemic. The first rule implements Section 4012 of the CARES Act, making temporary changes to the framework of the CBLR so that banks with a leverage ratio of at least eight percent starting in the second quarter of 2020 “may elect to use the community bank leverage ratio framework.” The rule also provides a two-quarter grace period for community banks whose leverage ratios fall below the eight percent requirement, provided that the bank’s leverage ratio does not fall below seven percent. The second interim final rule allows for the temporary CBLR gradually to transition to eight and one-half percent in 2021, and then back to nine percent at the beginning of 2022.
On March 26, the FDIC released a letter detailing temporary alternative procedures for sending supervision-related mail and email to the FDIC. The letter applies to all FDIC-supervised institutions with total assets under $1 billion. The letter provides that the FDIC will use its Secure Email portal to send outgoing official supervisory correspondence, and encourages third parties (including for official business purposes related to supervisory matters) to send mail through the FDIC's Secure Email portal or Enterprise File Exchange within FDICconnect.
On March 6, the FDIC and the Federal Reserve Board issued a joint notice and request for comment on their proposal for updates to resolution plan guidance for certain large foreign banking organizations (FBOs). Pursuant to the Dodd-Frank Act, FBOs must submit resolution plans—also known as “living wills”—which detail the strategic plans for their U.S. operations and subsidiaries for rapid and orderly resolution in bankruptcy in the event that the banks fail or fall under material financial distress. Updates in the proposal focus on the FBO’s derivatives and trading activities and payment, clearing, and settlement activities and are informed by responses from FBOs to the prior 2018 FBO guidance and 2019 domestic guidance. In addition, the proposal contains an appendix of frequently asked questions with answers provided by agency staff. The agencies also seek comments “on objective, quantitative criteria to determine its applicability.” Comments must be received by May 5.
On February 6, the Federal Reserve Board (Fed) announced an enforcement action against a Virginia-based bank for alleged violations of the National Flood Insurance Act (NFIA) and Regulation H, which implements the NFIA. The consent order assesses a $9,500 penalty against the bank for an alleged pattern or practice of violations of Regulation H, but does not specify the number or the precise nature of the alleged violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,000 per violation.
On February 5, the House Financial Services Committee held a hearing titled “Rent-A-Bank Schemes and New Debt Traps: Assessing Efforts to Evade State Consumer Protections and Interest Rate Caps” to discuss policies relating to state interest rate caps and permissible interest rates on small dollar loans such as payday and car-title loans. As previously covered by a Buckley Special Alert, in November, the OCC and the FDIC proposed rules meant to override the 2015 Madden v. Midland Funding decision from the U.S. Court of Appeals for the Second Circuit, and reinforce that when a national bank or savings association, or state chartered bank, transfers a loan, the permissible interest rate after the transfer is the same as it was prior to the transfer. In January, however, a group of attorneys general from 21 states and the District of Columbia submitted a comment letter to the OCC claiming the proposed rule would encourage predatory lending through “rent-a-bank schemes.” (Covered by InfoBytes here.) During the hearing, Committee Chairwoman Maxine Waters (D-CA) expressed concern that the two agency proposals would harm consumers by allowing non-banks to partner with banks and enable non-bank lenders to “peddle harmful short-term, triple-digit interest rate loans.” Representative Rashida Tlaib (D-MI) echoed that concern when she suggested that “rent-a-bank” schemes allow non-banks to dodge state interest rate laws. Many Republicans had views differing from those expressed by Tlaib and Waters. North Carolina Representative Patrick McHenry remarked that the proposals from the OCC and the FDIC merely formalized the “valid when made” rule that had been in use for over a century. At the hearing, HR 5050, which would cap federal interest rates on certain small loans at 36 percent, was also discussed, with several Democrats stressing that the cap may negatively affect credit availability to some consumers.
On January 16, the FDIC and the OCC announced (FDIC FIL-3-2020, OCC Bulletin 2020-5) the issuance of a joint statement on risk management of current heightened cybersecurity risks. The statement reminds supervised financial institutions to maintain preventative controls and update and test incident response and business continuity plans. It also sets out best practices in these areas for supervised financial institutions.
The bulletin lists six “key controls” including:
- Response, resilience and recovery capabilities. Maintain system backups and segment data to prevent spread of malicious activity across the network and to increase recovery capabilities. Incident and business resilience plans should set out cyber attack response and business continuity procedures and a data backup program should be set up and regularly tested. Cyber insurance coverage may further mitigate cyber risk exposure.
- Identity and access management. Implement identity and access management controls to combat phishing attacks and prevent theft of login credentials. Incorporate risk-based authentication, limit user permissions, and continually monitor user accounts.
- Network configuration and system hardening. Configure networks with appropriate security settings that are regularly updated. Update anti-malware and routinely test network technology for vulnerabilities.
- Employee training. Provide continuous training to keep cybersecurity program employees abreast of new cyber threats and evolving social engineering tactics.
- Security tools and monitoring. Maintain competent cybersecurity staff or service providers to monitor for the most current “threat and vulnerability information,” regularly review audit logs, and establish and test ability to “detect and respond to attacks.”
- Data protection. Encrypt “sensitive and critical data,” which should also be accurately classified to ensure ease in identification.
On January 9, the Federal Reserve Board announced that it entered into a cease and desist order on December 30 with a Texas state-chartered bank due to “significant deficiencies” in the bank’s Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance program that were discovered in its latest examination of the bank. The requirements set out for the bank in the order include:
- Board oversight. The bank must submit a board-approved, written plan to improve oversight of BSA/AML requirements.
- BSA/AML compliance program. The bank must submit a written BSA/AML compliance program that includes BSA/AML training; independent testing of the compliance program; management of the program by a qualified compliance officer with adequate staffing support; BSA/AML compliance internal controls; and a BSA/AML risk assessment of the bank, its products and services, and its customers.
- Customer due diligence. The bank must submit a revised customer due diligence program that includes policies and procedures to ensure accurate client account information; a plan to bring existing accounts into compliance with due diligence requirements; a method to assign risk ratings to account holders; policies and procedures to ensure proper customer information is obtained according to the risk of the account holder; and risk-based monitoring procedures and updates to accounts.
- Suspicious activity monitoring and reporting. The bank must submit a written suspicious activity monitoring and reporting program that includes a documented process for establishing monitoring rules; policies and procedures for review of monitoring rules; customer and transaction monitoring; and policies and procedures for the review of suspicious activity.
On December 17, the Federal Reserve Board (Fed) released a new issue of the Consumer Compliance Supervision Bulletin focusing on supervisory insights into consumer compliance issues related to fintech to assist financial institutions with assessing and managing risk associated with technological innovation. Among the topics covered in the bulletin are (i) managing risk with fintech collaborations—the Fed stresses the importance of creating strong policies and procedures, as well as board and senior management oversight, comprehensive and tailored training, and risk monitoring; (ii) managing UDAP risks with online and mobile banking platforms—the Fed recommends a focus on ensuring consistency and accuracy in disclosures on the platforms and the regular monitoring of complaints; and (iii) managing possible fair lending risks resulting from targeted online marketing—the Fed suggests careful monitoring over marketing activities and vendors, as well as close review of filters used with internet advertising to prevent excluding populations with legally protected characteristics. The bulletin will be featured on the agency’s new fintech page previously covered by InfoBytes here.
On December 17, the Federal Reserve Board (Fed) announced a new fintech website section created to engage with banks and other companies involved in fintech innovation. According to the announcement, the new section will highlight supervisory observations regarding fintech, provide a hub of information for interested stakeholders on innovation-related matters, and deliver practical tips for banks and other companies interested in engaging in fintech activity.
Additionally, on February 26, 2020, the Fed will hold the first in a series of “fintech innovation office hours” in conjunction with the Federal Reserve Bank of Atlanta. According to the Fed, it intends to host “office hours” nationwide to provide opportunities, especially “helpful to community banks and their potential fintech partners,” to speak with well-versed Fed staff members about concepts and advancements surrounding “emerging financial technologies.” The announcement provides a link for interested parties to sign up to participate.