On October 7, the OCC and Federal Reserve Board announced enforcement actions against a financial services firm and its national bank subsidiary (bank) to resolve alleged enterprise-wide risk management, data governance, and internal controls deficiencies. According to the OCC’s announcement, the bank allegedly engaged in unsafe or unsound banking practices by failing to “establish effective risk management and data governance programs and internal controls.” While neither admitting nor denying the allegations, the bank has agreed to pay a $400 million civil money penalty. Additionally, under the terms of the OCC’s cease and desist order, the bank must implement corrective measures to improve its risk management, data governance, and internal controls. The agency’s announcement states that the order further requires the bank “to seek the OCC’s non-objection before making significant new acquisitions and reserves the OCC’s authority to implement additional business restrictions or require changes in senior management and the bank’s board should the bank not make timely, sufficient progress in complying with the order.”
In conjunction with the OCC’s action, the Fed also announced a cease and desist order against the financial services firm, which identified ongoing deficiencies with respect to areas of compliance risk management, data quality management, and internal controls. Among other things, the Fed claims the firm also failed to adequately remediate “longstanding” deficiencies identified in previously issued consent orders, including in areas such as anti-money laundering compliance. The order requires the firm to enhance firm-wide risk management and internal controls, and imposes a series of deadlines for the firm to take measures to ensure compliance with the OCC’s order, enhance its compliance risk management programs, devise a plan to hold senior management accountable, and improve data quality management.
On October 1, the OCC’s Committee on Bank Supervision released its bank supervision operating plan (plan) for fiscal year 2021. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) credit risk management; (ii) commercial and residential real estate concentration risk management, with a focus in areas heavily impacted by the Covid-19 pandemic; (iii) allowances for loan and lease losses; (iv) cybersecurity and operational resiliency; (v) Bank Secrecy Act/anti-money laundering compliance; (vi) compliance risk management related to Covid-19-related bank activities; (vii) Community Reinvestment Act performance; (viii) fair lending examinations and risk assessments; (ix) LIBOR phase-out preparations; (x) oversight of significant third-party relationships; (xi) change management to address significant operational changes; and (xii) payment systems products and services. The plan will be used by OCC staff members to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches, federal agencies, and technology service providers.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes previously has covered.
On September 10, the OCC issued Bulletin 2020-81 to address sound risk management principles concerning loan purchase activities. The OCC reminded banks that loan purchase activities “are subject to certain regulatory standards and long-standing risk management guidelines,” and that banks are expected to engage in these activities “in a safe and sound manner and in compliance with applicable accounting standards, laws, and regulations.” Banks should also ensure loan purchase activities align with strategic plans and are supported by sound risk management systems, the OCC added. The Bulletin includes examples of sound risk management of loan purchase activities, such as (i) developing well-defined strategic plans; (ii) conducting underwriting analysis and due diligence of loans prior to purchase; (iii) evaluating ways loan purchase activities may affect “credit, strategic, reputation, interest rate, liquidity, compliance, and operational risks”; and (iv) ensuring policies and procedures “support effective processes for engaging in loan purchase activities.” Other topics addressed include credit administration, such as due diligence and independent credit analysis, loan portfolio and pool purchases, and recourse arrangements. The OCC also emphasized that because entering into new, modified, or expanded products or services may alter a bank’s risk profile, “bank management should engage in sound risk management to identify, measure, monitor, and control the risks associated with new loan purchase activities.”
On July 30, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver and Consent (AWC), fining a global securities firm $650,000 for allegedly failing to “establish, document, and maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial risks of its market access business activity.” As a result, because the firm’s controls allegedly failed to monitor and prevent (i) orders exceeding pre-set customer credit thresholds, or (ii) erroneous orders, the firm executed erroneous orders on “at least two trade dates.” Additionally, FINRA claimed that even though the firm knew internally of the potential issues in its financial risk management controls, in several instances it took years for the identified gaps to be fixed. The firm neither admitted nor denied the findings set forth in the AWC agreement but agreed to pay the fine and complete a review of its financial risk management controls and supervisory procedures to ensure compliance with SEC regulations.
On August 3, the member agencies of the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement on managing loan accommodations granted to borrowers pursuant to federal, state, and local law to address Covid-19 related hardships. Specifically, the statement provides risk management and consumer protection principles to financial institutions working with borrowers that are near the end of their initial loan accommodation period. Among other things, the statement outlines:
- Risk Management Practices. The statement encourages financial institutions to institute sound credit risk management practices following an accommodation period, such as “reassess[ing] risk ratings for each loan based on a borrower’s current debt level, current financial condition, repayment ability, and collateral.” Additionally, the statement encourages institutions to provide “clear, accurate, and timely information to borrowers and guarantors regarding the accommodation” being granted.
- Sustainable Accommodations. The statement notes that the Covid-19 pandemic may have “long-term adverse impact[s] on borrower’s future earnings” and financial institutions should consider additional accommodation options to mitigate losses for the borrower and institutions by assessing “each loan based upon the fundamental risk characteristics affecting the collectability of that particular credit.”
- Consumer Protection. The statement encourages financial institutions to provide consumers with options to support repayment at the end of accommodations to avoid delinquencies and to consider offering credit product term changes to “support sustainable and affordable payments for the long term.”
- Accounting and Regulatory Reporting. The statement emphasizes that financial institutions should consider the effects of the Covid-19 pandemic in their allowance for loan and lease losses, or credit losses, estimation processes, consistent with generally accepted accounting principles.
- Internal Control Systems. The statement notes that internal control functions for the end of initial accommodation periods and for additional accommodations typically “include appropriate targeted testing of the process for managing each stage of the accommodation.” Additionally, the statement reminds financial institutions of their responsibility for ensuring service providers in charge of these functions act consistently with the institution’s policies and all applicable laws and regulations.
On July 20, the FDIC issued a Request for Information (RFI) seeking input on whether a public/private standard-setting partnership and voluntary certification program could be established to (i) promote the efficient and effective adoption of innovative technologies at supervised financial institutions; and (ii) support financial institutions’ efforts to implement innovative models, manage risk, and conduct due diligence of third-party fintech firms. The RFI is being issued as part of the agency’s FDiTech initiative (previously covered by InfoBytes), which was established in 2019 to encourage innovation within the banking industry (particularly at community banks), support collaboration for piloting new products and services, eliminate regulatory uncertainty, and manage risks.
The FDIC stated that establishing a standards-setting body, developed by regulators and industry stakeholders, would help promote innovation across the banking sector and streamline the vetting process for fintech partners. The agency noted that a voluntary certification program could assist in standardizing due diligence practices and reduce costs for financial institutions that choose to participate. Additionally, the FDIC emphasized that it “is especially interested in information on models and technology services developed and provided by [fintechs].” Comments are due 60 days after publication in the Federal Register.
On July 1, the member agencies of the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement highlighting several risks that will result from the anticipated cessation of LIBOR at the end of 2021. Institutions with LIBOR exposures should put in place appropriate risk management processes “commensurate with the size and complexity of their exposures” to identify and mitigate financial, legal, operational, and consumer protection risks related to the transition, the FFIEC warned. Among other things, the FFIEC noted that as part of the agencies’ examination activities, “supervisory staff will ask institutions about their planning for the LIBOR transition including the identification of exposures, efforts to include fallback language or use alternative reference rates in new contracts, operational preparedness, and consumer protection considerations.” Additionally, agencies will increase their supervisory focus on evaluating institutions’ preparedness for LIBOR’s discontinuation during 2020 and 2021, “particularly for institutions with significant LIBOR exposure or less-developed transition processes.” Key recommendations include (i) identifying and quantifying LIBOR exposure across all products; (ii) discontinuing the origination or purchase of LIBOR-indexed instruments to limit exposure; (iii) creating transition plans for consumer financial products in order to develop clear, timely consumer disclosures regarding any changes in terms; and (iv) developing strategic transition plans with milestones and key completion dates addressing areas such as third-party risk management.
The OCC also issued a bulletin expanding on the joint statement and providing guidance for regulated banks.
On June 29, the OCC released its Semiannual Risk Perspective for Spring 2020, which reports on key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. In particular, the OCC focused this report on the financial impacts of the Covid-19 pandemic on the federal banking industry, emphasizing that weak economic conditions stemming from the shutdown will stress financial performances in 2020, and that banks should monitor elevated compliance risks that may occur as a result of their responses to the pandemic, including participating in the Paycheck Protection Program as well as forbearance and deferred payment programs. The report highlighted that the surge in consumer demands, government programs, and the modifications to operations due to remote work and the “short timelines for implementing changes placed additional strains on banks already operating in a stressed environment.” However, the report noted that, “[s]ome banks are leveraging innovative technologies and third parties, including fintech firms, to help manage these challenges,” and that “[b]ank risk management programs should maintain effective controls for third-party due diligence and monitoring and other oversight processes, operational errors, heightened cyber security risks, and potential fraud related to stimulus programs.” The report highlighted several areas of concern for banks, including (i) credit risk increases; (ii) interest rate risk, including risks related to the LIBOR cessation; (iii) operational risks related to banks’ Covid-19 response; (iv) heightened cyber risks; and (v) compliance risks related to Bank Secrecy Act/anti-money laundering laws, consumer compliance, and fair lending.
On April 30, the FFIEC released a statement on risk management principles for cloud computing security in the financial services sector. The FFIEC emphasizes that the statement does not contain new regulatory expectations, but rather highlights examples of risk management practices for the safe and sound use of cloud computing services, along with safeguards for protecting customers’ sensitive information from risks that may cause potential consumer harm. Among other things, the statement stresses that management should understand the division of responsibilities between a financial institution and a cloud service provider in order to assess and implement appropriate controls over operations to prevent the increased risk of operational failures or security breaches. The FFIEC also addresses the importance of protecting customer-sensitive information from unsafe or unsound practices by implementing “an effective risk management process for cloud computing commensurate with the level of risk and complexity of the financial institution’s operations residing in a cloud computing environment.” The statement provides a list of government and industry resources and references to assist financial institutions when using cloud computing services.
Georgia Department of Banking and Finance issues bulletin regarding lending, liquidity, business continuity, and regulatory reporting
The Georgia Department of Banking and Finance has issued its monthly bulletin for financial institutions in which it provides guidance on lending, liquidity, business continuity planning, and regulatory reporting. Among other things, the department reiterates the importance of liquidity risk management during Covid-19 and urges financial institutions to consider the impact of certain scenarios on their liquidity. The department also provides questions that financial institutions should consider as part of their pandemic planning. The bulletin also notes that, for banks and credit unions, the department is implementing electronic document and payment submission for correspondence, applications, and requests, including any applicable fees.