InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC: Banks may hold stablecoins in reserve accounts
On September 21, the OCC released Interpretive Letter 1172, stating that national banks may hold stablecoin in reserve accounts as a service to bank customers and may engage in activity incidental to receiving the deposits. According to the OCC, issuers of stablecoins—a type of cryptocurrency backed by an asset such as a fiat currency—have a desire to place assets in reserve accounts with national banks to “provide assurance that the issuer has sufficient assets backing the stablecoin in situations where there is a hosted wallet.” Hosted wallet, as defined by the OCC, is “an account-based software program for storing cryptographic keys controlled by an identifiable third party.” Because national banks are authorized to receive deposits and provide “permissible banking services to any lawful business they choose,” they may provide these services to issuers of stablecoins, as long as they comply with applicable laws and regulations. (In Interpretive Letter 1170, the OCC approved the holding of cryptocurrency on behalf of customers, covered by InfoBytes here.) Specifically, the OCC noted that national banks should ensure that deposit activities comply with the Bank Secrecy Act and anti-money laundering regulations. Moreover, a national bank must also “identify and verify the beneficial owners of legal entity customers opening accounts.” Lastly, the OCC emphasized that stablecoin reserves “could entail significant liquidity risks,” and national banks may consider entering into contractual agreements with stablecoin issuers to “verify and ensure that the deposit balances held by the bank for the issuer are always equal to or greater than the number of outstanding stablecoins issued by the issuer.” This guidance does not apply to stablecoin transactions involving un-hosted wallets.
Fed: Lenders must consider pre-pandemic condition when underwriting Main Street Lending Program loans
On September 18, the Federal Reserve Board, in conjunction with the FDIC and the OCC, revised the Main Street Lending Program (MSLP) FAQs (for-profit here, nonprofit here) to clarify underwriting expectations, supervisory expectations, and details regarding co-borrower loans. Specifically, the FAQs note that a lender is expected to “conduct an assessment of each potential borrower’s pre-pandemic financial condition and post-pandemic prospects” when reviewing an application to determine approval. Additionally, the FAQs state that Fed supervisors will “not criticize” lenders for originating loans in accordance with MSLP requirements, even when “such loans are considered non-pass at the time of origination,” provided the weaknesses are due to the Covid-19 pandemic and expected to be temporary. Finally, the FAQs include new details covering co-borrower loans, as the Federal Reserve Bank of Boston anticipates the MSLP will accept loans made to multiple co-borrowers starting next week.
FinCEN removes AML exemption for non-federally regulated banks
On September 14, the Financial Crimes Enforcement Network (FinCEN) issued a final rule, under its sole authority, to remove the anti-money laundering (AML) program exemption for non-federally regulated banks. According to FinCEN, the rulemaking was prompted by the “gap in AML coverage” between banks that have a federal functional regulator and those that do not, which has created “a vulnerability to the U.S. financial system that could be exploited by bad actors.” The final rule would bring non-federally regulated banks that are currently required to comply with certain Bank Secrecy Act (BSA) obligations, such as filing currency transaction reports and suspicious activity reports to detect unusual activity, into compliance with the same standards applicable to all other banks. Specifically, the final rule outlines minimum standards for non-federally regulated banks to ensure the establishment and implementation of required AML programs, and extends customer identification program (CIP) requirements, as well as beneficial ownership requirements outlined in FinCEN’s 2016 customer due diligence (CDD) rule (covered by InfoBytes here), to banks not already subject to these requirements. FinCEN believes that non-federally regulated banks will be able to take a risk-based approach when tailoring their AML and CIP programs to fit their size, needs, and operational risks, and that those banks should be able to build on “existing compliance policies and procedures and prudential business practices to ensure compliance. . .with relatively minimal cost and effort.” The final rule takes effect November 16.
For more details, please see a Buckley Special Alert on the final rule.
SEC urges firms impacted by Covid-19 to review supervisory and compliance policies
On August 12, the SEC’s Office of Compliance Inspections and Examinations issued a risk alert to broker-dealers and investment advisers (firms) impacted by the Covid-19 pandemic addressing observations and recommendations related to several categories, including investor asset protection; personnel supervision; practices related to fees, expenses, and financial transactions; investment fraud; business continuity; and protecting sensitive information. The alert recommends firms review—and where appropriate—modify supervisory and compliance policies and procedures as they deal with market volatility and technological challenges brought by the Covid-19 pandemic. The alert notes that firms may need to update their practices to address, among other things, (i) unusual or unscheduled investor withdrawals; (ii) staffers communicating or executing transactions off-site or on personal devices, or making securities recommendations tied to market sectors experiencing high volatility or fraud; and (iii) supervisors having less oversight and interaction with staff in remote environments, leading to difficulties in maintaining effective due diligence, conducting background checks when hiring, or overseeing requisite examinations. Additionally, firms are instructed to monitor potential conflicts of interest and fee errors when informing investors about the costs of services, investment products, and related compensation, while also ensuring recommendations are made in the “best interest of investors.” The alert also recognizes that “times of crisis or uncertainty can create a heightened risk of investment fraud through fraudulent offerings,” and advises firms to “be cognizant of these risks when conducting due diligence on investments and in determining that the investments are in the best interest of investors.” Firms and investors who suspect fraud are advised to contact the SEC and report the potential fraud.
FINRA fines firm for failing to follow its own AML policies
On July 27, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver and Consent (AWC), fining a California-based securities firm $50,000 for allegedly failing to implement and follow its own anti-money laundering (AML) compliance procedures. As a result, the firm allegedly failed to detect red flags concerning potentially suspicious activity and failed to investigate or report the activity in a timely manner. According to FINRA, a sales practice examination detected instances between November 2012 and December 2016 in which the firm failed to detect red flags in four related accounts, including suspicious activity related to: (i) the “ownership of multiple accounts without an apparent business purpose for multiple accounts”; (ii) an account owner with a “significant disciplinary history related to securities fraud”; (iii) possible manipulative trading activity; (iv) unusual, unexpected transfer activity between related accounts without an apparent business purpose; and (v) unexplained third-party wire transfers, inconsistent with expected account activity. FINRA stated that although the “firm’s AML procedures indicated that when the firm detected any red flags of potentially suspicious activity, it would determine whether and how to investigate further,” the firm failed to implement these measures. The firm neither admitted nor denied the findings set forth in the AWC agreement but agreed to pay the fine and address identified deficiencies in its programs to ensure compliance with its AML obligations.
OCC: Banks may hold cryptocurrency for customers
On July 22, the OCC issued an interpretive letter concluding that national banks and federal savings associations (collectively, “banks”) may hold cryptocurrency on behalf of customers so long as they effectively manage the risks and comply with applicable law. Specifically, the letter responds to a bank’s proposal to offer cryptocurrency custody services to its customers as part of its standard custody business. The OCC notes that “there is a growing demand for safe places, such as banks, to hold unique cryptographic keys associated with cryptocurrencies.” The letter emphasizes that the OCC “generally has not prohibited banks from providing custody services for any particular type of asset,” and providing cryptocurrency custody services “falls within [] longstanding authorities to engage in safekeeping and custody activities.”
The OCC notes that while the custody services will not “entail any physical possession of the cryptocurrency,” OCC regulations authorize banks to provide through electronic means any activities that they are otherwise authorized to perform. Thus, because banks may perform custody services for physical assets, they are “likewise permitted to provide those same services via electronic means (i.e., custody of cryptocurrency).” Additionally, a bank with trust powers has the authority to hold cryptocurrencies in a fiduciary capacity, in the same way they manage other assets they hold as fiduciaries.
The OCC reminds banks that they should develop and implement sound risk management practices, and specifically notes that “custody activities should include dual controls, segregation of duties and accounting controls.” Moreover, banks should “conduct a legal analysis to ensure the activities are conducted consistent with all applicable law,” noting that “[d]ifferent cryptocurrencies may also be subject to different OCC regulations and guidance outside of the custody context, as well as non-OCC regulations.”
OCC releases recent enforcement actions
On July 16, the OCC released a list of recent enforcement actions taken against national banks, federal savings associations, and individuals currently and formerly affiliated with such entities. Included among the actions is a June 23 consent order, which resolves OCC claims that a California-based bank violated a 2016 consent order concerning Bank Secrecy Act/anti-money laundering compliance program deficiencies. According to the OCC, the bank failed to timely comply with the 2016 consent order and is required to pay a $100,000 civil money penalty. The list also includes a July 25 civil money penalty order against a New York-based bank, which requires the payment of $43,000 for an alleged pattern or practice of violations of the Flood Disaster Protection Act and its implementing regulations.
Additionally, an Iowa-based bank and the OCC reached a formal agreement on June 16 for alleged unsafe or unsound practices related to, among other things, credit underwriting, credit administration, problem loan management, and real estate valuation practices. Among other conditions, the agreement requires the bank to (i) appoint a compliance committee to ensure adherence to the agreement’s provisions; (ii) establish a three-year strategic plan outlining goals and objectives related to the bank’s risk profile and liability structure; (iii) submit a commercial and retail credit underwriting and administration program to ensure the bank “analyzes credit and collateral information sufficient to identify, monitor, and report the [b]ank’s credit risk, properly account for loans, and assign accurate risk ratings in a timely manner”; (iv) implement programs providing for an annual review of loans, loan level stress testing, and problem loan management; (v) implement an exception tracking and reporting system; and (vi) establish an appraisal and evaluation program.
California Department of Business Oversight will monitor licensees’ compliance with face covering guidance
The California Department of Business Oversight announced that it will monitor licensees’ compliance with face covering guidance issued by the California governor and the California Department of Public Health. All customers must be required to wear appropriate face coverings under circumstances outlined in the guidance, and those who refuse to comply and do not meet the outlined exemptions should be refused entry to banks, credit unions, and other places of business.
OFAC settles with global e-commerce, digital service provider over multiple sanctions violations
On July 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced a $134,523 settlement with a Washington-based company that provides retail, e-commerce, and digital services worldwide. According to OFAC, due to deficiencies in the company’s sanctions screening process, between 2011 and 2018, the company provided goods and services to OFAC sanctioned persons; to persons located in the sanctioned region or countries of Crimea, Iran, and Syria; and “for persons located in or employed by the foreign missions of Cuba, Iran, North Korea, Sudan, and Syria.” Additionally, the company allegedly accepted and processed orders that primarily consisted of low-value retail goods and services from persons listed on OFAC’s List of Specially Designated Nationals and Blocked Persons who were blocked pursuant to sanctions regulations involving the Democratic Republic of Congo, Venezuela, Zimbabwe, among others. These apparent violations occurred “primarily because [the company’s] automated sanctions screening processes failed to fully analyze all transaction and customer data relevant to compliance with OFAC’s sanctions regulations,” OFAC stated, claiming the company also “failed to timely report several hundred transactions conducted pursuant to a general license issued by OFAC that included a mandatory reporting requirement, thereby nullifying that authorization with respect to those transactions.”
In arriving at the settlement amount, OFAC considered various mitigating factors, including that the apparent violations were non-egregious and (i) the company voluntarily disclosed the violations and cooperated with the investigation; and (ii) the company has undertaken significant remedial efforts to address the deficiencies and to minimize the risk of similar violations from occurring in the future.
OFAC also considered various aggravating factors, including that the company failed to exercise due caution or care to ensure its sanctions screening process was able to properly flag transactions involving blocked persons and sanctioned jurisdictions. “This case demonstrates the importance of implementing and maintaining effective, risk-based sanctions compliance controls,” OFAC stated. “[G]lobal companies that rely heavily on automated sanctions screening processes should take reasonable, risk-based steps to ensure that their processes are appropriately configured to screen relevant customer information and to capture data quality issues.”
OCC highlights key risks for federal banking system, says compliance risk elevated due to Covid-19
On June 29, the OCC released its Semiannual Risk Perspective for Spring 2020, which reports on key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. In particular, the OCC focused this report on the financial impacts of the Covid-19 pandemic on the federal banking industry, emphasizing that weak economic conditions stemming from the shutdown will stress financial performances in 2020, and that banks should monitor elevated compliance risks that may occur as a result of their responses to the pandemic, including participating in the Paycheck Protection Program as well as forbearance and deferred payment programs. The report highlighted that the surge in consumer demands, government programs, and the modifications to operations due to remote work and the “short timelines for implementing changes placed additional strains on banks already operating in a stressed environment.” However, the report noted that, “[s]ome banks are leveraging innovative technologies and third parties, including fintech firms, to help manage these challenges,” and that “[b]ank risk management programs should maintain effective controls for third-party due diligence and monitoring and other oversight processes, operational errors, heightened cyber security risks, and potential fraud related to stimulus programs.” The report highlighted several areas of concern for banks, including (i) credit risk increases; (ii) interest rate risk, including risks related to the LIBOR cessation; (iii) operational risks related to banks’ Covid-19 response; (iv) heightened cyber risks; and (v) compliance risks related to Bank Secrecy Act/anti-money laundering laws, consumer compliance, and fair lending.