InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC issues 2021 Consumer Compliance Supervisory Highlights
On March 31, the FDIC released the spring 2021 edition of the Consumer Compliance Supervisory Highlights, intended to provide information and observations related to the FDIC’s consumer compliance supervision of state non-member banks and thrifts in 2020. Topics include:
- A summary of the FDIC’s supervisory approach in response to the Covid-19 pandemic, including efforts made by banks to meet the needs of consumers and communities;
- An overview of the most frequently cited violations (approximately 74 percent of total violations involved TILA, Truth in Savings Act, Flood Disaster Protection Act, EFTA, and RESPA), as well as other consumer compliance examination observations related to RESPA, TRID, and fair lending;
- Information on regulatory developments, such as Community Reinvestment Act and flood insurance rulemaking and small-dollar loan programs;
- A summary of consumer compliance resources available to financial institutions; and
- Examples of practices that may be useful to institutions in mitigating risks.
FDIC updates Consumer Compliance Examination Manual
On March 2, the FDIC announced updates to its Consumer Compliance Examination Manual (CEM). The CEM includes supervisory policies and examination procedures for FDIC examination staff evaluating financial institutions’ compliance with federal consumer protection laws and regulations. The recent updates include, among other things, changes to the sections and questions related to (i) fair lending laws and regulations and the Fair Lending Scope and Conclusions Memorandum; (ii) TILA and the Consumer Leasing Act; and (iii) the asset-based definitions for small, intermediate, and large institutions for the Community Reinvestment Act.
CFPB issues debt collection small entity compliance guide
On January 15, the CFPB issued a small entity compliance guide summarizing the Bureau’s debt collection rule. As previously covered by InfoBytes, the Bureau issued a final rule last October amending Regulation F, which implements the Fair Debt Collection Practices Act (FDCPA), to address debt collection communications and prohibitions on harassment or abuse, false or misleading representations, and unfair practices. The guide provides a detailed summary of the October final rule’s substantive prohibitions and requirements, as well as a summary of key interpretations and clarifications of the FDCPA. The Bureau noted, however, that the current small entity compliance guide does not discuss (unless specifically noted otherwise) the CFPB’s final rule issued in December (covered by InfoBytes here), which clarified consumer disclosure requirements, provided a model validation notice, and addressed required actions prior to furnishing and prohibitions concerning the collection of time-barred debt. Updates will be made to the small entity compliance guide at a later date to include provisions related to the December final rule.
Fed targets Swiss bank for BSA/AML compliance deficiencies
On December 22, the Federal Reserve Board announced an enforcement action against a Swiss bank for alleged Bank Secrecy Act/anti-money laundering (BSA/AML) compliance risk management deficiencies found during a 2019 examination of the bank’s New York branch. The consent order outlines a number of corporate compliance and governance measures that the bank is required to undertake, such as: (i) submitting a joint written plan by the board of directors, risk committee, and senior management within 90 days that outlines measures for strengthening their respective oversight of the bank’s U.S. operations’ compliance, including “provid[ing] for a sustainable governance framework that, at a minimum, addresses, considers, and includes actions to improve policies, procedures, and controls for BSA/AML compliance across the U.S. operations”; (ii) providing a written revised customer due diligence program for the New York branch within 90 days, which must outline measures such as risk-based policies and procedures to ensure complete and accurate customer information is collected, retained, and analyzed for all account holders; (iii) submitting a revised suspicious activity monitoring and reporting program demonstrating that the New York branch is engaging in timely suspicious activity monitoring and reporting; and (iv) implementing independent testing within the New York branch to ensure compliance with all applicable BSA/AML requirements.
OCC warns of key banking risks
On November 9, the OCC released its Semiannual Risk Perspective for Fall 2020, which reports on key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. In particular, the OCC noted the financial impacts of the Covid-19 pandemic on the federal banking industry, emphasizing that while economic activity rebounded in the third quarter, there is significant ongoing risk. The report discusses, as a special topic in emerging risks, growing trends in payment products and services. The report also highlights several key risk areas for banks: credit, strategic, operational, and compliance. Specifically, the report notes that credit risk is increasing as government assistance programs expire and the economic downturn has led to elevated unemployment levels. The report further notes that strategic risks affecting profitability is an emerging issue due to low interest rates, which historically have negatively affected profitability when low for a long period of time. Moreover, the report notes elevated operational risks due to complex operating environments with cybersecurity being a key concern. The increase in large-scale telework has created unique security and internal control challenges. Lastly, the report discusses elevated compliance risks due to the expedited implementation of a number of Covid-19-related assistance programs.
Federal bank regulatory agencies release two final rules supporting large banks
On October 20, the Federal Reserve Board, OCC, and FDIC (collectively, “federal bank regulatory agencies”) finalized two rules for large banks.
The federal bank regulatory agencies first announced a final rule intended to reduce interconnectedness within the financial system between the largest banking organizations and to minimize systemic risks stemming from failure of these organizations. As the federal bank regulatory agencies noted in their announcement, the final rule, Regulatory Capital Treatment for Investments in Certain Unsecured Debt Instruments of Global Systemically Important U.S. Bank Holding Companies, Certain Intermediate Holding Companies, and Global Systemically Important Foreign Banking Organizations; Total Loss-Absorbing Capacity Requirements, “prescribes a more stringent regulatory capital treatment for holdings of [total loss-absorbing capacity] (TLAC) debt.” U.S. global systemically important banking organizations (GSIBs) will be required, among other things, to deduct from their regulatory capital certain investments in unsecured debt instruments issued by foreign or U.S. GSIBs in order to meet minimum TLAC requirements and long-term debt requirements, as applicable. The final rule recognizes the systemic risks posed by banking organizations’ investments in covered debt instruments and “create[s] an incentive for advanced approaches [for] banking organizations to limit their exposure to GSIBs.” The final rule takes effect April 1, 2021.
The federal bank regulatory agencies also announced a second final rule, Net Stable Funding Ratio: Liquidity Risk Measurement Standards and Disclosure Requirements, which will implement a stable funding requirement for certain large banking organizations established by a quantitative metric known as the net stable funding ratio (NSFR). The NSFR will measure banking organizations’ level of stability, and will require that a minimum level of stable funding be maintained over a one-year period. According to the federal bank regulatory agencies, the NSFR is intended “to reduce the likelihood that disruptions to a banking organization’s regular sources of funding will compromise its liquidity position,” and is designed to “promote effective liquidity risk management, and support the ability of banking organizations to provide financial intermediation to businesses and households across a range of market conditions.” The final rule “applies to certain large U.S. depository institution holding companies, depository institutions, and U.S. intermediate holding companies of foreign banking organizations, each with total consolidated assets of $100 billion or more, together with certain depository institution subsidiaries” with “increases in stringency based on risk-based measures of the top-tiered covered company.” The final rule takes effect July 1, 2021.
Financial services firm fined $400 million for risk-management deficiencies
On October 7, the OCC and Federal Reserve Board announced enforcement actions against a financial services firm and its national bank subsidiary (bank) to resolve alleged enterprise-wide risk management, data governance, and internal controls deficiencies. According to the OCC’s announcement, the bank allegedly engaged in unsafe or unsound banking practices by failing to “establish effective risk management and data governance programs and internal controls.” While neither admitting nor denying the allegations, the bank has agreed to pay a $400 million civil money penalty. Additionally, under the terms of the OCC’s cease and desist order, the bank must implement corrective measures to improve its risk management, data governance, and internal controls. The agency’s announcement states that the order further requires the bank “to seek the OCC’s non-objection before making significant new acquisitions and reserves the OCC’s authority to implement additional business restrictions or require changes in senior management and the bank’s board should the bank not make timely, sufficient progress in complying with the order.”
In conjunction with the OCC’s action, the Fed also announced a cease and desist order against the financial services firm, which identified ongoing deficiencies with respect to areas of compliance risk management, data quality management, and internal controls. Among other things, the Fed claims the firm also failed to adequately remediate “longstanding” deficiencies identified in previously issued consent orders, including in areas such as anti-money laundering compliance. The order requires the firm to enhance firm-wide risk management and internal controls, and imposes a series of deadlines for the firm to take measures to ensure compliance with the OCC’s order, enhance its compliance risk management programs, devise a plan to hold senior management accountable, and improve data quality management.
OCC issues CRA compliance resources
On October 1, the OCC released three items in support of the implementation of the new Community Reinvestment Act (CRA) final rule. The three newly released items include: (i) a compliance guide for small banks; (ii) an initial illustrative list of qualifying activities; and (iii) a form to request consideration of items to be added to the list of qualifying activities. As previously covered by a Buckley Special Alert, the OCC’s rule, while technically effective October 1, provides for at least a 27-month transition period for compliance based on a bank’s size and business model. Large banks and wholesale and limited purpose banks will have until January 1, 2023 to comply, and small and intermediate banks that opt-in to the final rule’s performance standards will have until January 1, 2024.
Fed issues enforcement order for BSA/AML and OFAC regulation compliance
On October 1, the Federal Reserve announced an enforcement action against a Pennsylvania state-chartered bank for deficiencies in the bank’s Bank Secrecy Act (BSA), anti-money laundering (AML), and U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) regulations. The order requires the bank to submit, among other things, (i) a board-approved, written plan to improve oversight of BSA/AML requirements and OFAC regulations; (ii) a written BSA/AML compliance program; (iii) a revised customer due diligence program; (iv) a written suspicious activity monitoring and reporting program; and (iv) a written plan for independent testing of compliance with BSA/AML requirements. The bank was not assessed any monetary penalties.
OCC: Banks may hold stablecoins in reserve accounts
On September 21, the OCC released Interpretive Letter 1172, stating that national banks may hold stablecoin in reserve accounts as a service to bank customers and may engage in activity incidental to receiving the deposits. According to the OCC, issuers of stablecoins—a type of cryptocurrency backed by an asset such as a fiat currency—have a desire to place assets in reserve accounts with national banks to “provide assurance that the issuer has sufficient assets backing the stablecoin in situations where there is a hosted wallet.” Hosted wallet, as defined by the OCC, is “an account-based software program for storing cryptographic keys controlled by an identifiable third party.” Because national banks are authorized to receive deposits and provide “permissible banking services to any lawful business they choose,” they may provide these services to issuers of stablecoins, as long as they comply with applicable laws and regulations. (In Interpretive Letter 1170, the OCC approved the holding of cryptocurrency on behalf of customers, covered by InfoBytes here.) Specifically, the OCC noted that national banks should ensure that deposit activities comply with the Bank Secrecy Act and anti-money laundering regulations. Moreover, a national bank must also “identify and verify the beneficial owners of legal entity customers opening accounts.” Lastly, the OCC emphasized that stablecoin reserves “could entail significant liquidity risks,” and national banks may consider entering into contractual agreements with stablecoin issuers to “verify and ensure that the deposit balances held by the bank for the issuer are always equal to or greater than the number of outstanding stablecoins issued by the issuer.” This guidance does not apply to stablecoin transactions involving un-hosted wallets.