On October 20, the Federal Reserve Board, OCC, and FDIC (collectively, “federal bank regulatory agencies”) finalized two rules for large banks.
The federal bank regulatory agencies first announced a final rule intended to reduce interconnectedness within the financial system between the largest banking organizations and to minimize systemic risks stemming from failure of these organizations. As the federal bank regulatory agencies noted in their announcement, the final rule, Regulatory Capital Treatment for Investments in Certain Unsecured Debt Instruments of Global Systemically Important U.S. Bank Holding Companies, Certain Intermediate Holding Companies, and Global Systemically Important Foreign Banking Organizations; Total Loss-Absorbing Capacity Requirements, “prescribes a more stringent regulatory capital treatment for holdings of [total loss-absorbing capacity] (TLAC) debt.” U.S. global systemically important banking organizations (GSIBs) will be required, among other things, to deduct from their regulatory capital certain investments in unsecured debt instruments issued by foreign or U.S. GSIBs in order to meet minimum TLAC requirements and long-term debt requirements, as applicable. The final rule recognizes the systemic risks posed by banking organizations’ investments in covered debt instruments and “create[s] an incentive for advanced approaches [for] banking organizations to limit their exposure to GSIBs.” The final rule takes effect April 1, 2021.
The federal bank regulatory agencies also announced a second final rule, Net Stable Funding Ratio: Liquidity Risk Measurement Standards and Disclosure Requirements, which will implement a stable funding requirement for certain large banking organizations established by a quantitative metric known as the net stable funding ratio (NSFR). The NSFR will measure banking organizations’ level of stability, and will require that a minimum level of stable funding be maintained over a one-year period. According to the federal bank regulatory agencies, the NSFR is intended “to reduce the likelihood that disruptions to a banking organization’s regular sources of funding will compromise its liquidity position,” and is designed to “promote effective liquidity risk management, and support the ability of banking organizations to provide financial intermediation to businesses and households across a range of market conditions.” The final rule “applies to certain large U.S. depository institution holding companies, depository institutions, and U.S. intermediate holding companies of foreign banking organizations, each with total consolidated assets of $100 billion or more, together with certain depository institution subsidiaries” with “increases in stringency based on risk-based measures of the top-tiered covered company.” The final rule takes effect July 1, 2021.
On October 7, the OCC and Federal Reserve Board announced enforcement actions against a financial services firm and its national bank subsidiary (bank) to resolve alleged enterprise-wide risk management, data governance, and internal controls deficiencies. According to the OCC’s announcement, the bank allegedly engaged in unsafe or unsound banking practices by failing to “establish effective risk management and data governance programs and internal controls.” While neither admitting nor denying the allegations, the bank has agreed to pay a $400 million civil money penalty. Additionally, under the terms of the OCC’s cease and desist order, the bank must implement corrective measures to improve its risk management, data governance, and internal controls. The agency’s announcement states that the order further requires the bank “to seek the OCC’s non-objection before making significant new acquisitions and reserves the OCC’s authority to implement additional business restrictions or require changes in senior management and the bank’s board should the bank not make timely, sufficient progress in complying with the order.”
In conjunction with the OCC’s action, the Fed also announced a cease and desist order against the financial services firm, which identified ongoing deficiencies with respect to areas of compliance risk management, data quality management, and internal controls. Among other things, the Fed claims the firm also failed to adequately remediate “longstanding” deficiencies identified in previously issued consent orders, including in areas such as anti-money laundering compliance. The order requires the firm to enhance firm-wide risk management and internal controls, and imposes a series of deadlines for the firm to take measures to ensure compliance with the OCC’s order, enhance its compliance risk management programs, devise a plan to hold senior management accountable, and improve data quality management.
On October 1, the OCC released three items in support of the implementation of the new Community Reinvestment Act (CRA) final rule. The three newly released items include: (i) a compliance guide for small banks; (ii) an initial illustrative list of qualifying activities; and (iii) a form to request consideration of items to be added to the list of qualifying activities. As previously covered by a Buckley Special Alert, the OCC’s rule, while technically effective October 1, provides for at least a 27-month transition period for compliance based on a bank’s size and business model. Large banks and wholesale and limited purpose banks will have until January 1, 2023 to comply, and small and intermediate banks that opt-in to the final rule’s performance standards will have until January 1, 2024.
On October 1, the Federal Reserve announced an enforcement action against a Pennsylvania state-chartered bank for deficiencies in the bank’s compliance with Bank Secrecy Act (BSA), anti-money laundering (AML), and U.S. Treasury Department Office of Foreign Assets Control (OFAC) regulations. The order requires the bank to submit, among other things, (i) a board-approved, written plan to improve oversight of BSA/AML requirements and OFAC regulations; (ii) a written BSA/AML compliance program; (iii) a revised customer due diligence program; (iv) a written suspicious activity monitoring and reporting program; and (v) a written plan for independent testing of compliance with BSA/AML requirements. The bank was not assessed any monetary penalties.
On September 21, the OCC released Interpretive Letter 1172, stating that national banks may hold stablecoin in reserve accounts as a service to bank customers and may engage in activity incidental to receiving the deposits. According to the OCC, issuers of stablecoins—a type of cryptocurrency backed by an asset such as a fiat currency—have a desire to place assets in reserve accounts with national banks to “provide assurance that the issuer has sufficient assets backing the stablecoin in situations where there is a hosted wallet.” Hosted wallet, as defined by the OCC, is “an account-based software program for storing cryptographic keys controlled by an identifiable third party.” Because national banks are authorized to receive deposits and provide “permissible banking services to any lawful business they choose,” they may provide these services to issuers of stablecoins, as long as they comply with applicable laws and regulations. (In Interpretive Letter 1170, the OCC approved the holding of cryptocurrency on behalf of customers, covered by InfoBytes here.) Specifically, the OCC noted that national banks should ensure that deposit activities comply with the Bank Secrecy Act and anti-money laundering regulations. Moreover, a national bank must also “identify and verify the beneficial owners of legal entity customers opening accounts.” Lastly, the OCC emphasized that stablecoin reserves “could entail significant liquidity risks,” and national banks may consider entering into contractual agreements with stablecoin issuers to “verify and ensure that the deposit balances held by the bank for the issuer are always equal to or greater than the number of outstanding stablecoins issued by the issuer.” This guidance does not apply to stablecoin transactions involving un-hosted wallets.
Fed: Lenders must consider pre-pandemic condition when underwriting Main Street Lending Program loans
On September 18, the Federal Reserve Board, in conjunction with the FDIC and the OCC, revised the Main Street Lending Program (MSLP) FAQs (for-profit here, nonprofit here) to clarify underwriting expectations, supervisory expectations, and details regarding co-borrower loans. Specifically, the FAQs note that a lender is expected to “conduct an assessment of each potential borrower’s pre-pandemic financial condition and post-pandemic prospects” when reviewing an application to determine approval. Additionally, the FAQs state that Fed supervisors will “not criticize” lenders for originating loans in accordance with MSLP requirements, even when “such loans are considered non-pass at the time of origination,” provided the weaknesses are due to the Covid-19 pandemic and expected to be temporary. Finally, the FAQs include new details covering co-borrower loans, as the Federal Reserve Bank of Boston anticipates the MSLP will accept loans made to multiple co-borrowers starting next week.
On September 14, the Financial Crimes Enforcement Network (FinCEN) issued a final rule, under its sole authority, to remove the anti-money laundering (AML) program exemption for non-federally regulated banks. According to FinCEN, the rulemaking was prompted by the “gap in AML coverage” between banks that have a federal functional regulator and those that do not, which has created “a vulnerability to the U.S. financial system that could be exploited by bad actors.” The final rule would bring non-federally regulated banks that are currently required to comply with certain Bank Secrecy Act (BSA) obligations, such as filing currency transaction reports and suspicious activity reports to detect unusual activity, into compliance with the same standards applicable to all other banks. Specifically, the final rule outlines minimum standards for non-federally regulated banks to ensure the establishment and implementation of required AML programs, and extends customer identification program (CIP) requirements, as well as beneficial ownership requirements outlined in FinCEN’s 2016 customer due diligence (CDD) rule (covered by InfoBytes here), to banks not already subject to these requirements. FinCEN believes that non-federally regulated banks will be able to take a risk-based approach when tailoring their AML and CIP programs to fit their size, needs, and operational risks, and that those banks should be able to build on “existing compliance policies and procedures and prudential business practices to ensure compliance. . .with relatively minimal cost and effort.” The final rule takes effect November 16.
For more details, please see a Buckley Special Alert on the final rule.
On August 12, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert to broker-dealers and investment advisers (firms) impacted by the Covid-19 pandemic addressing observations and recommendations related to several categories, including investor asset protection; personnel supervision; practices related to fees, expenses, and financial transactions; investment fraud; business continuity; and protecting sensitive information. The alert recommends firms review—and where appropriate—modify supervisory and compliance policies and procedures as they deal with market volatility and technological challenges brought by the Covid-19 pandemic. The alert notes that firms may need to update their practices to address, among other things, (i) unusual or unscheduled investor withdrawals; (ii) staffers communicating or executing transactions off-site or on personal devices, or making securities recommendations tied to market sectors experiencing high volatility or fraud; and (iii) supervisors having less oversight and interaction with staff in remote environments, leading to difficulties in maintaining effective due diligence, conducting background checks when hiring, or overseeing requisite examinations. Additionally, firms are instructed to monitor potential conflicts of interest and fee errors when informing investors about the costs of services, investment products, and related compensation, while also ensuring recommendations are made in the “best interest of investors.” The alert also recognizes that “times of crisis or uncertainty can create a heightened risk of investment fraud through fraudulent offerings,” and advises firms to “be cognizant of these risks when conducting due diligence on investments and in determining that the investments are in the best interest of investors.” Firms and investors who suspect fraud are advised to contact the SEC and report the potential fraud.
On July 27, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver and Consent (AWC), fining a California-based securities firm $50,000 for allegedly failing to implement and follow its own anti-money laundering (AML) compliance procedures. As a result, the firm allegedly failed to detect red flags concerning potentially suspicious activity and failed to investigate or report the activity in a timely manner. According to FINRA, a sales practice examination detected instances between November 2012 and December 2016 in which the firm failed to detect red flags in four related accounts, including suspicious activity related to: (i) the “ownership of multiple accounts without an apparent business purpose for multiple accounts”; (ii) an account owner with a “significant disciplinary history related to securities fraud”; (iii) possible manipulative trading activity; (iv) unusual, unexpected transfer activity between related accounts without an apparent business purpose; and (v) unexplained third-party wire transfers, inconsistent with expected account activity. FINRA stated that although the “firm’s AML procedures indicated that when the firm detected any red flags of potentially suspicious activity, it would determine whether and how to investigate further,” the firm failed to implement these measures. The firm neither admitted nor denied the findings set forth in the AWC agreement but agreed to pay the fine and address identified deficiencies in its programs to ensure compliance with its AML obligations.
On July 22, the OCC issued an interpretive letter concluding that national banks and federal savings associations (collectively, “banks”) may hold cryptocurrency on behalf of customers so long as they effectively manage the risks and comply with applicable law. Specifically, the letter responds to a bank’s proposal to offer cryptocurrency custody services to its customers as part of its standard custody business. The OCC notes that “there is a growing demand for safe places, such as banks, to hold unique cryptographic keys associated with cryptocurrencies.” The letter emphasizes that the OCC “generally has not prohibited banks from providing custody services for any particular type of asset,” and providing cryptocurrency custody services “falls within longstanding authorities to engage in safekeeping and custody activities.”
The OCC notes that while the custody services will not “entail any physical possession of the cryptocurrency,” OCC regulations authorize banks to provide through electronic means any activities that they are otherwise authorized to perform. Thus, because banks may perform custody services for physical assets, they are “likewise permitted to provide those same services via electronic means (i.e., custody of cryptocurrency).” Additionally, a bank with trust powers has the authority to hold cryptocurrencies in a fiduciary capacity, in the same way they manage other assets they hold as fiduciaries.
The OCC reminds banks that they should develop and implement sound risk management practices, and specifically notes that “custody activities should include dual controls, segregation of duties and accounting controls.” Moreover, banks should “conduct a legal analysis to ensure the activities are conducted consistent with all applicable law,” noting that “[d]ifferent cryptocurrencies may also be subject to different OCC regulations and guidance outside of the custody context, as well as non-OCC regulations.”