Recently, the FDIC, Federal Reserve Board, NCUA, OCC, and the Conference of State Bank Supervisors issued joint statements covering supervisory practices for financial institutions affected by Hurricane Ida and the California wildfires (see here and here). Among other things, the agencies informed institutions facing operational challenges that the regulators will expedite requests for temporary facilities, noting that in most cases, “a telephone notice to the primary federal and/or state regulator will suffice initially to start the approval process, with necessary written notification being submitted shortly thereafter.” The agencies also called on financial institutions to “work constructively” with affected borrowers, noting that “prudent efforts” to adjust or alter loan terms in affected areas “should not be subject to examiner criticism.” Institutions facing difficulties in complying with any publishing and reporting requirements should contact their primary federal and/or state regulator. Additionally, the agencies noted that institutions may receive Community Reinvestment Act consideration for community development loans, investments, and services that revitalize or stabilize federally designated disaster areas. Institutions are also encouraged to monitor municipal securities and loans impacted by Hurricane Ida and the California wildfires.
On March 31, the FDIC released the spring 2021 edition of the Consumer Compliance Supervisory Highlights, intended to provide information and observations related to the FDIC’s consumer compliance supervision of state non-member banks and thrifts in 2020. Topics include:
- A summary of the FDIC’s supervisory approach in response to the Covid-19 pandemic, including efforts made by banks to meet the needs of consumers and communities;
- An overview of the most frequently cited violations (approximately 74 percent of total violations involved TILA, Truth in Savings Act, Flood Disaster Protection Act, EFTA, and RESPA), as well as other consumer compliance examination observations related to RESPA, TRID, and fair lending;
- Information on regulatory developments, such as Community Reinvestment Act and flood insurance rulemaking and small-dollar loan programs;
- A summary of consumer compliance resources available to financial institutions; and
- Examples of practices that may be useful to institutions in mitigating risks.
On August 18, the Financial Crimes Enforcement Network, which has overall responsibility for administering the Bank Secrecy Act, issued a short statement that, for the first time, publicly outlined its approach to BSA enforcement. Of note, FinCEN indicated that it will not base enforcement actions on an institution’s failure to comply with standards announced solely in a guidance document. Additionally, for the first time, FinCEN listed a nonexhaustive set of factors it will use to determine what enforcement steps should be taken. The statement leaves FinCEN with considerable flexibility in enforcing the BSA, and raises a number of questions for legal and compliance professionals.
The statement will be of most interest to “financial institutions,” which under the BSA include a wide swath of financial services companies, that are not subject to supervision by a federal prudential regulator authorized to enforce compliance with the BSA; most prudential regulators have their own enforcement guidelines, and the federal banking agencies recently issued a joint statement on BSA enforcement. Companies subject to FinCEN’s BSA enforcement authority, particularly those such as money services businesses without federal prudential regulators, may wish to familiarize themselves with FinCEN’s enforcement factors and tailor their compliance efforts accordingly. The statement also provides implicit guidance on what actions institutions should take upon identification of a potential violation.
On April 6, federal regulators issued two interim final regulatory capital rules that will modify the framework of the Community Bank Leverage Ratio (CBLR) in order to enable qualifying community banking organizations (banks) to support lending during the Covid-19 pandemic. The first rule implements Section 4012 of the CARES Act, making temporary changes to the framework of the CBLR so that banks with a leverage ratio of at least eight percent starting in the second quarter of 2020 “may elect to use the community bank leverage ratio framework.” The rule also provides a two-quarter grace period for community banks whose leverage ratios fall below the eight percent requirement, provided that the bank’s leverage ratio does not fall below seven percent. The second interim final rule allows for the temporary CBLR gradually to transition to eight and one-half percent in 2021, and then back to nine percent at the beginning of 2022.
On March 26, the FDIC released a letter detailing temporary alternative procedures for sending supervision-related mail and email to the FDIC. The letter applies to all FDIC-supervised institutions with total assets under $1 billion. The letter provides that the FDIC will use its Secure Email portal to send outgoing official supervisory correspondence, and encourages third parties (including for official business purposes related to supervisory matters) to send mail through the FDIC's Secure Email portal or Enterprise File Exchange within FDICconnect.
On March 6, the FDIC and the Federal Reserve Board issued a joint notice and request for comment on their proposal for updates to resolution plan guidance for certain large foreign banking organizations (FBOs). Pursuant to the Dodd-Frank Act, FBOs must submit resolution plans—also known as “living wills”—which detail the strategic plans for their U.S. operations and subsidiaries for rapid and orderly resolution in bankruptcy in the event that the banks fail or fall under material financial distress. Updates in the proposal focus on the FBO’s derivatives and trading activities and payment, clearing, and settlement activities and are informed by responses from FBOs to the prior 2018 FBO guidance and 2019 domestic guidance. In addition, the proposal contains an appendix of frequently asked questions with answers provided by agency staff. The agencies also seek comments “on objective, quantitative criteria to determine its applicability.” Comments must be received by May 5.
On February 6, the Federal Reserve Board (Fed) announced an enforcement action against a Virginia-based bank for alleged violations of the National Flood Insurance Act (NFIA) and Regulation H, which implements the NFIA. The consent order assesses a $9,500 penalty against the bank for an alleged pattern or practice of violations of Regulation H, but does not specify the number or the precise nature of the alleged violations. The maximum civil money penalty under the NFIA for a pattern or practice of violations is $2,000 per violation.
On February 5, the House Financial Services Committee held a hearing titled “Rent-A-Bank Schemes and New Debt Traps: Assessing Efforts to Evade State Consumer Protections and Interest Rate Caps” to discuss policies relating to state interest rate caps and permissible interest rates on small dollar loans such as payday and car-title loans. As previously covered by a Buckley Special Alert, in November, the OCC and the FDIC proposed rules meant to override the 2015 Madden v. Midland Funding decision from the U.S. Court of Appeals for the Second Circuit, and reinforce that when a national bank or savings association, or state chartered bank, transfers a loan, the permissible interest rate after the transfer is the same as it was prior to the transfer. In January, however, a group of attorneys general from 21 states and the District of Columbia submitted a comment letter to the OCC claiming the proposed rule would encourage predatory lending through “rent-a-bank schemes.” (Covered by InfoBytes here.) During the hearing, Committee Chairwoman Maxine Waters (D-CA) expressed concern that the two agency proposals would harm consumers by allowing non-banks to partner with banks and enable non-bank lenders to “peddle harmful short-term, triple-digit interest rate loans.” Representative Rashida Tlaib (D-MI) echoed that concern when she suggested that “rent-a-bank” schemes allow non-banks to dodge state interest rate laws. Many Republicans had views differing from those expressed by Tlaib and Waters. North Carolina Representative Patrick McHenry remarked that the proposals from the OCC and the FDIC merely formalized the “valid when made” rule that had been in use for over a century. At the hearing, HR 5050, which would cap federal interest rates on certain small loans at 36 percent, was also discussed, with several Democrats stressing that the cap may negatively affect credit availability to some consumers.
On January 16, the FDIC and the OCC announced (FDIC FIL-3-2020, OCC Bulletin 2020-5) the issuance of a joint statement on risk management of current heightened cybersecurity risks. The statement reminds supervised financial institutions to maintain preventative controls and update and test incident response and business continuity plans. It also sets out best practices in these areas for supervised financial institutions.
The bulletin lists six “key controls” including:
- Response, resilience and recovery capabilities. Maintain system backups and segment data to prevent spread of malicious activity across the network and to increase recovery capabilities. Incident and business resilience plans should set out cyber attack response and business continuity procedures and a data backup program should be set up and regularly tested. Cyber insurance coverage may further mitigate cyber risk exposure.
- Identity and access management. Implement identity and access management controls to combat phishing attacks and prevent theft of login credentials. Incorporate risk-based authentication, limit user permissions, and continually monitor user accounts.
- Network configuration and system hardening. Configure networks with appropriate security settings that are regularly updated. Update anti-malware and routinely test network technology for vulnerabilities.
- Employee training. Provide continuous training to keep cybersecurity program employees abreast of new cyber threats and evolving social engineering tactics.
- Security tools and monitoring. Maintain competent cybersecurity staff or service providers to monitor for the most current “threat and vulnerability information,” regularly review audit logs, and establish and test ability to “detect and respond to attacks.”
- Data protection. Encrypt “sensitive and critical data,” which should also be accurately classified to ensure ease in identification.
On January 9, the Federal Reserve Board announced that it entered into a cease and desist order on December 30 with a Texas state-chartered bank due to “significant deficiencies” in the bank’s Bank Secrecy Act (BSA) and anti-money laundering (AML) compliance program that were discovered in its latest examination of the bank. The requirements set out for the bank in the order include:
- Board oversight. The bank must submit a board-approved, written plan to improve oversight of BSA/AML requirements.
- BSA/AML compliance program. The bank must submit a written BSA/AML compliance program that includes BSA/AML training; independent testing of the compliance program; management of the program by a qualified compliance officer with adequate staffing support; BSA/AML compliance internal controls; and a BSA/AML risk assessment of the bank, its products and services, and its customers.
- Customer due diligence. The bank must submit a revised customer due diligence program that includes policies and procedures to ensure accurate client account information; a plan to bring existing accounts into compliance with due diligence requirements; a method to assign risk ratings to account holders; policies and procedures to ensure proper customer information is obtained according to the risk of the account holder; and risk-based monitoring procedures and updates to accounts.
- Suspicious activity monitoring and reporting. The bank must submit a written suspicious activity monitoring and reporting program that includes a documented process for establishing monitoring rules; policies and procedures for review of monitoring rules; customer and transaction monitoring; and policies and procedures for the review of suspicious activity.