On February 2, the OCC and the FDIC released their Community Reinvestment Act (CRA) evaluations. The OCC disclosed a list of evaluations of national banks, federal savings associations, and insured federal branches of foreign banks that became public in January 2024. Of the 18 evaluations, six were rated “outstanding,” nine were rated “satisfactory,” and three were rated “needs to improve.” The evaluations are available on the OCC’s website, which also offers a searchable list of all public CRA evaluations. The same day, the FDIC released its list of state nonmember banks evaluated for CRA compliance in November 2023. Of those 57 evaluations, 56 were rated “satisfactory” and one bank was rated “outstanding.”
On January 26, California Attorney General Rob Bonta announced an investigative initiative, sending letters to businesses that operate streaming apps and devices and alleging that they are not complying with the California Consumer Privacy Act (CCPA). The investigation focuses on streaming services’ adherence to the CCPA’s opt-out requirements, in particular at businesses that sell or share consumer personal information, and targets businesses that fail to offer consumers a direct mechanism for opting out of the sale of their data.
On January 19, the Federal Reserve Board and NYDFS each issued separate enforcement actions against one of the largest banks in the world for alleged compliance deficiencies, including BSA/AML violations. The Fed issued a cease and desist order and ordered the bank to pay a civil money penalty of $2.4 million. NYDFS issued a consent order carrying a monetary penalty of $30 million.
According to the Fed’s order, an investigation into the bank’s practices determined that the New York branch lacked any formal policies or training on the handling of confidential supervisory information (CSI). The order requires the bank to submit to the Fed a written plan to enhance its internal compliance controls, including the designation of a CSI officer, among other requirements. According to NYDFS’s order, the bank had previously entered into a 2018 cease and desist order with the Fed to address “significant deficiencies” in its compliance with BSA/AML requirements and OFAC regulations. An NYDFS examination in 2022 found that the deficiencies cited in the 2018 order had persisted for several more years; a subsequent examination in 2023 found that the bank had made significant efforts to enhance its compliance programs and had remediated the prior deficiencies. In the most recent order, NYDFS found that the bank’s BSA/AML program was out of compliance for several years, that the bank failed to maintain appropriate accounting records, and that the bank failed to submit a required report after discovering the occurrence of “embezzlement, misapplication, larceny, forgery, fraud, [or] dishonesty[.]” The consent order imposes several remediation requirements, including a status report to NYDFS on the bank’s BSA/AML compliance.
On January 22, NYDFS issued an industry letter titled “Guidance on Assessment of the Character and Fitness of Directors, Senior Officers, and Managers” setting out its expectations for banks and other regulated financial institutions (Covered Institutions). The final guidance followed a year-long review process in which twenty comments indicated the need for Covered Institutions to build “robust character and fitness” policies. NYDFS expects Covered Institutions to develop and maintain a framework for vetting senior officials’ character and fitness both at onboarding and on a regular basis thereafter.
According to the guidance, each Covered Institution is expected to “define sensitive issues, warning signs, and other indicators” that would be cause for concern. The depth and nature of the assessment are to be tailored to each institution, and the guidance does not prescribe a set frequency for the review. NYDFS expects Covered Institutions to review materials relevant to the character and fitness assessment of key persons, and the guidance’s appendix supplies a list of suggested, non-mandatory questions as best practices for vetting them, including whether the key person has reviewed and understood the pertinent policies and whether the interviewee has ever been charged with or convicted of a crime or has previously been sanctioned or censured by a securities regulator.
On December 7, the OCC reported the key issues facing the federal banking system in its Semiannual Risk Perspective for Fall 2023. In evaluating the overall soundness of the federal banking system, the OCC emphasized the need for banks to maintain prudent risk management practices. The key themes underscored in the report are (i) credit risk driven by high interest rates, commercial real estate lending, and inflation; (ii) market risks from rising deposit rates, liquidity contraction, and reliance on wholesale funding; (iii) operational risks from cyber threats, increased digitization, and fraud; and (iv) compliance risks relating to equal access to credit, fair treatment of consumers, fintech partnerships, and BSA/AML. The OCC noted that deposit and liquid asset trends stabilized in the latter half of 2023, although that stability was sustained through greater dependence on wholesale funding.
The report also includes a special discussion of emerging risks linked to artificial intelligence (AI) in banking. The OCC noted the potential benefits of widespread AI adoption, which could reduce costs, improve products, strengthen risk management, and expand access to credit, while cautioning that AI use creates its own risks that banks must manage carefully.
House Financial Services Committee Chairman Patrick McHenry (R-NC) and Representative Andy Barr (R-KY), Chairman of the Subcommittee on Financial Institutions and Monetary Policy, sent a letter to the U.S. Government Accountability Office (GAO) requesting that the GAO “examine the role U.S. federal banking agencies played in work at the Basel Committee on Banking Supervision to develop the recent Basel III Endgame proposal, which calls for massive increases in capital requirements for already well-capitalized U.S. financial institutions.”
As previously covered by InfoBytes, the federal banking agencies issued a notice of proposed rulemaking that would substantially revise the capital requirements of large U.S. banking organizations. According to the letter, Congress has very little insight into the basis of such policy changes that “would fundamentally change the policy of the U.S. banking system.”
The letter asks the GAO to evaluate each federal banking agency’s participation in the development of Basel III Endgame, including (i) a summary of each material proposal submitted by a federal banking agency to the Basel Committee; and (ii) a summary of the concerns raised by a federal banking agency with respect to any consultative document or other proposal considered by the Basel Committee.
Further, the letter asks the GAO to prioritize proposals or concerns from the federal banking agencies relating to:
- Any proposals or concerns from the federal banking agencies that did not receive a fulsome response by the Basel Committee.
- Any evidence or rationale supporting the requirement that a “corporate entity (or parent) must have securities outstanding on a recognized securities exchange for an exposure to that entity (or parent) to be eligible for the reduced risk weight for investment-grade corporate exposures;”
- The absence of a tailored approach to “high-fee revenue banks under the Basel III Endgame business-indicator approach to operational risk capital”;
- The calibration of the “scaling factor, multiplier, dampener, and other coefficients for that business-indicator approach”; and
- The calibration of the “correlation factors and the profit-and-loss attribution test thresholds for the models-based measure of market risk capital.”
On October 20, the Fed, the FDIC, and the OCC issued a joint press release announcing an extension of the comment period on proposed rules to expand large bank capital requirements. Earlier this year, the agencies proposed the rule, which would implement the final components of the Basel III Agreement and, among other things, revise capital requirements for large banking organizations (covered by InfoBytes here). The original 120-day comment period was set to expire on November 30; the agencies added roughly six weeks, so the new deadline is January 16, 2024.
On October 16, the SEC’s Division of Examinations announced that its 2024 examination priorities will focus on key risk areas related to information security and operational resiliency, crypto assets and emerging financial technology, Regulation Systems Compliance and Integrity (Regulation SCI), and anti-money laundering. SEC registrants, including investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, and other market participants, are reminded of their obligations to address, manage, and mitigate these risks. Notably, ESG was a “significant focus area” in 2022 (covered by InfoBytes here) and 2023, but it is not directly mentioned in the 2024 examination priorities.
According to the report, examiners plan to increase their engagement to keep pace with evolving markets and new regulatory requirements. On information security and operational resiliency, examiners will focus on registrants’ “internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents, including those related to ransomware attacks.” On crypto assets and emerging fintech, examiners will focus on registrants’ compliance practices, risk disclosures, and operational resiliency practices. In the same “Crypto Assets and Emerging Financial Technology” section, the SEC states that it will assess registrants’ preparations for the recently adopted rule that shortens the standard settlement cycle for broker-dealer transactions to one business day after the trade (previously two), which has a compliance date of May 28, 2024. Among other things, the SEC will also examine whether Regulation SCI entities’ policies and procedures are “reasonably designed” to ensure the security of their systems, including the physical security of systems housed in data centers.
SEC chair Gary Gensler said that the Division of Examinations plays an important role in “protecting investors and facilitating capital formation,” adding that the commission will focus on “enhancing trust” in the changing markets.
The California Privacy Protection Agency released draft risk assessment regulations and draft cybersecurity audit regulations in advance of the agency board’s September 8 open meeting. Draft regulations on automated decision-making technology have yet to be published. These drafts are at an earlier stage than the regulations finalized in March, which were presented in a more developed form, so more extensive comment and feedback is expected on them. As previously covered by InfoBytes, the agency cannot enforce a regulation until a year after it is finalized, which puts a clock on the finalization process for these drafts.
The draft cybersecurity regulations set thoroughness requirements for the annual cybersecurity audit, which must be performed “using a qualified, objective, independent professional” and “procedures and standards generally accepted in the profession of auditing.” Management must also sign a certification that the business has not influenced the audit and that it has reviewed the audit and understands its findings.
The draft risk assessment regulations require a business to conduct a risk assessment before it begins any processing of consumers’ personal information that “presents significant risk to consumers’ privacy,” as set forth in an enumerated list that includes selling or sharing personal information; processing the personal information of consumers under age 16; and using certain automated decision-making technology, including AI.
On September 5, the FDIC released its list of state nonmember banks examined for compliance with the Community Reinvestment Act (CRA), which is intended to “encourage insured banks and thrifts to meet local credit needs.” The list includes a Utah-based fintech bank rated “Needs to Improve.” According to the FDIC’s CRA performance evaluation, the bank’s overall record of helping to meet the credit needs of its communities would otherwise have supported a “Satisfactory” rating, but the FDIC lowered the rating to “Needs to Improve” because of illegal credit practices during the evaluation period that violated Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. The FDIC found that the practices affected a significant number of customers across the bank’s fuel card programs and were sustained for multiple years. The FDIC also noted that, after being notified of the violations, the bank implemented corrective measures, including customer restitution.