InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Treasury announces strategy to address financial institution de-risking
The U.S. Treasury Department recently released its “first of its kind” strategy to address financial institution de-risking. Mandated by the Anti-Money Laundering Act of 2020, the 2023 De-Risking Strategy examines customer categories most often impacted by de-risking and provides findings and policy recommendations to address ongoing problems. Treasury defines de-risking as financial institutions restricting or terminating business relationships indiscriminately with broad classes of customers rather than analyzing and managing specific risks in a targeted manner. The report found that customers most frequently subject to de-risking are small-to-medium-sized money service businesses (MSB) that are often used by immigrant communities to send remittances abroad. Other commonly impacted customer categories include non-profit organizations operating overseas in high-risk jurisdictions and foreign financial institutions with low correspondent banking transaction volumes. De-risking is particularly acute for entities operating in financial environments characterized by significant money laundering/terrorism financing risks, the report notes. Identifying “profitability as the primary factor in financial institutions’ de-risking decisions,” the report found that profitability is influenced by several factors, including the cost to implement anti-money laundering/countering the finance of terrorism (AML/CFT) compliance measures and systems commensurate with customer risk.
The report presents several recommendations for policymakers, such as promoting consistent supervisory expectations and training federal examiners to consider the effects of de-risking, as well as suggesting that financial institutions analyze account termination notices and notice periods for non-profits and MSBs to identify ways to support longer notice periods where possible. Treasury also encourages heightened international cooperation to strengthen foreign jurisdictions’ AML/CFT regimes, and encourages policymakers to continue assessing the risks and opportunities of innovative and emerging technologies for AML/CFT compliance solutions. Treasury may also consider requiring financial institutions to have “reasonably designed and risk-based AML/CFT programs supervised on a risk basis, possibly taking into consideration the effects of financial inclusion.”
Hsu discusses open banking
Acting Comptroller of the Currency Michael J. Hsu recently discussed the evolution and impact of open banking during remarks at the Spring FDX Global Summit. Defining open banking as “enabling consumer-permissioned sharing of financial data with third parties to empower consumers, foster competition, and expand financial inclusion,” Hsu explained that, under the concept, consumers may eventually be able to access a wide range of financial service providers and move checking and savings accounts between providers more readily. Hsu cautioned, however, that new risks may arise due to increases in the “volume and complexity of consumer-permissioned sharing.” Hsu highlighted the interconnectedness of open banking, safety and soundness, and the changing culture of banking due to the digitalization of banking and the associated promises of innovation. “The potential for open banking to provide consumers with greater control over their financial data, to increase the portability of banking accounts, and to foster greater competition and fairness in the provision of financial services is significant and may impact banking in a variety of ways,” he said.
Hsu commented that, while the OCC supports opening banking, it is also cautious about potential increases to liquidity, operational, and compliance risks. While account portability “will be empowering for consumers, in isolation this would likely increase the liquidity risk of retail deposits for banks,” Hsu said. Additionally, increasing the volume and complexity of consumer-permissioned sharing has the potential to introduce new risks and necessitate new controls, Hsu said, adding that banks operating as data providers will need to “interact with aggregators, fintechs, technology firms, and competitor banks,” and “expand from reliably handling their customers’ money, to also reliably handling their financial data.” Underscoring the blurred lines between banking and commerce in the digital arena, Hsu emphasized that “[o]pen banking cannot be accomplished by banks alone. Data aggregators and fintechs already play a significant role, which will expand as open banking is more fully adopted.”
NYDFS, crypto payment company reach AML/cybersecurity settlement
On March 16, NYDFS issued a consent order against a payment service provider for allegedly failing to comply with the state’s virtual currency and cybersecurity regulations. The company was licensed to engage in virtual currency business activity in the state pursuant to 23 NYCRR Part 200. Licensees under Part 200 are required to, among other things, comply with federal and state laws mandating effective controls to guard against money laundering and certain other illegal activities. A 2022 NYDFS examination revealed that, although the company made improvements to address deficiencies within its AML and cybersecurity compliance programs that were identified during a 2018 examination, the programs still required additional improvements to achieve regulatory compliance. NYDFS concluded that the company violated sections of Part 200 by allegedly failing to develop adequate internal policies and controls to maintain compliance with applicable AML laws or to develop procedures to ensure compliance with necessary risk management requirements under applicable OFAC regulations. Furthermore, the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to conduct periodic cybersecurity risk assessments and failing to timely appoint a designated chief information security officer responsible for overseeing, implementing, and reporting on the company’s cybersecurity program. Under the terms of the consent order, the company agreed to pay a $1 million civil monetary penalty and submit an action plan to NYDFS within 180 days detailing its remediation efforts. The company also agreed to conduct a comprehensive cybersecurity risk assessment within 150 days and to continue to strengthen its controls, policies, and procedures to prevent future violations.
Agencies warn banks of crypto-asset liquidity risks
On February 23, the FDIC, Federal Reserve Board, and OCC released a joint statement addressing bank liquidity risks tied to crypto-assets. The agencies warned that using sources of funding from crypto-asset-related entities may expose banks to elevated liquidity risks “due to the unpredictability of the scale and timing of deposit inflows and outflows.” The agencies addressed concerns related to deposits placed by crypto-asset-related entities for the benefit of end customers where the deposits may be influenced by the customer’s behavior or crypto-asset sector vulnerabilities, rather than the crypto-asset-related entity itself, which is the bank’s direct counterparty. The agencies warned that the “uncertainty and resulting deposit volatility can be exacerbated by end customer confusion related to inaccurate or misleading representations of deposit insurance by a crypto-asset-related entity.” The agencies also addressed issues concerning deposits that constitute stablecoin-related reserves, explaining that the stability of these types of deposits may be dependent on several factors, including the “demand for stablecoins, the confidence of stablecoin holders in the stablecoin arrangement, and the stablecoin issuer’s reserve management practices,” and as such, may “be susceptible to large and rapid outflows stemming from, for example, unanticipated stablecoin redemptions or dislocations in crypto-asset markets.”
The agencies’ statement reminded banking organizations to apply effective risk management controls when handling crypto-related deposits, commensurate with the associated liquidity risk of those deposits. The statement suggested certain effective risk management practices, which include: (i) understanding the direct and indirect drivers of potential deposit behavior to ascertain which deposits are susceptible to volatility; (ii) assessing concentrations or interconnectedness across crypto deposits, as well as the associated liquidity risks; (iii) incorporating liquidity risks or funding volatility into contingency funding planning; and (iv) performing robust due diligence and ongoing monitoring of crypto-asset-related entities that establish deposit accounts to ensure representations about these types of deposit accounts are accurate. The agencies further emphasized that banks are required to comply with applicable laws and regulations, including brokered deposit rules, as applicable, and Call Report filing requirements. The joint statement also reminded banks that they “are neither prohibited nor discouraged from providing banking services to customers of any specific class or type, as permitted by law or regulation.”
As previously covered by InfoBytes, the agencies issued a statement in January highlighting key risks banks should consider when choosing to engage in cryptocurrency-related services.
Treasury reports on risks to financial firms adopting cloud services
On February 8, the U.S. Treasury Department launched the interagency Cloud Services Steering Committee in an effort to improve regulatory and private sector cooperation and develop best practices for cloud-adoption frameworks and contracts. As part of the announcement, Treasury released a first-of-its-kind report discussing potential benefits and challenges associated with the adoption of cloud services technology by financial services firms. While recognizing that cloud-based technologies can improves access and reliability for local communities and help community banks compete with financial technology firms, Treasury found that financial services firms that rely on these technologies need more visibility, staff support, and cybersecurity incident response engagement from cloud service providers (CSPs).
The report identified several significant challenges resulting from the use of cloud-based technologies in the financial sector. These include: (i) insufficient transparency to support due diligence and monitoring by financial institutions (financial institutions must fully understand the risks associated with cloud services in order to implement appropriate protections for consumers); (ii) gaps in human capital and tools to securely deploy cloud services (CSPs should engage experts and improve tools and frameworks to ensure financial institutions are able to implement resilient, secure platforms for customers); (iii) exposure to potential operational incidents (financial institutions have expressed concerns that cyber vulnerabilities originating at a CSP could have a cascading impact); (iv) potential impact of market concentration in cloud service offerings on the financial sector’s resilience (the current market relies on a small number of CSPs that likely exists across banking, securities, and insurance markets); (v) dynamics in contract negotiations given market concentration (the small number of CSPs could affect financial institutions’ bargaining power); and (vi) international landscape and regulatory fragmentation (regulatory conflicts could result from the patchwork of global regulatory and supervisory approaches to cloud technology).
The report, which received extensive input from U.S. regulators, private sector stakeholders, trade associations, and think tanks, does not impose any requirements, nor does it endorse or discourage firms from using a specific provider or cloud service. It does, however, recommend that Treasury and the broader financial regulatory community further evaluate the financial risks associated with having a limited number of CSPs offer cloud services.
Senators exploring bank’s dealings with collapsed crypto exchange
On January 30, Senators Elizabeth Warren (D-MA), John Kennedy (R-LA), and Roger Marshall (R-KS) sent a follow-up letter to a California-based bank asking for additional responses to questions related to the bank’s relationship with several cryptocurrency firms founded by the CEO of a now-collapsed crypto exchange. As previously covered by InfoBytes, the senators pressed the CEO for an explanation for why the bank failed to monitor for and report suspicious transactions to the Financial Crimes Enforcement Network, and asked for information about how deposits it was holding on behalf of the collapsed exchange and related firm were being handled. The senators stressed that the bank has a legal responsibility under the Bank Secrecy Act to maintain an effective anti-money laundering program that may have flagged suspicious activity.
In the letter, the senators accused the bank of evading their previous questions in its December response, writing that while the bank’s answers confirm the extent of its failure to monitor and report suspicious financial activity, it failed “to provide key information needed by Congress to understand why and how these failures occurred.” The bank’s “repeated reference to ‘confidential supervisory information’” as a justification for its refusal to provide the requested information “is simply not an acceptable rationale,” the senators said. They also noted that the bank’s recent advance from the Federal Home Loan Bank of San Francisco—intended “to ‘stave off a further run on deposits’”—has introduced additional crypto market risks into the traditional banking system, especially should the bank fail. The bank was asked to explain how it plans to use the $4.3 billion it received.
The senators further commented that additional findings have revealed that neither the Federal Reserve nor the bank’s independent auditors were able to identify the “extraordinary gaps” in the bank’s due diligence process. The senators asked the bank to provide responses to questions related to its risk management policies, as well as how many safety and soundness exams were conducted, and whether any of the bank’s executives were “held accountable” for the failures related to the collapsed exchange, among other things.
Biden administration presents roadmap for mitigating crypto risks
On January 27, the Biden administration presented a roadmap for mitigating cryptocurrency risks to ensure that cryptocurrencies do not undermine financial stability, investors are protected, and bad actors are held accountable. At President Biden’s direction, the administration previously laid out a comprehensive framework for developing digital assets in a safe, responsible way that also identifies clear risks. (Covered by InfoBytes here.) The administration identified clear risks taken by some crypto entities, such as ignoring applicable financial regulations and basic risk controls, misleading consumers, having conflicts of interest, failing to provide adequate disclosures, or committing fraud. The roadmap also outlined actions taken by the federal banking agencies, including a recently issued joint interagency statement that highlighted key risks banks should consider when choosing to engage in crypto-related services and a notice of proposed rulemaking issued by the FDIC warning companies against making false or misleading claims about digital assets being insured by the agency (covered by InfoBytes here and here). The administration also noted that agencies across the government are developing public-awareness programs to help consumers understand the risks associated with digital assets.
The administration stressed, however, that further action is needed. Priorities for digital asset research and development will be unveiled in the coming months, the administration said, adding that Congress should also step up efforts in this space. This includes expanding regulators’ powers to prevent misuses of customers’ assets, “strengthen[ing] transparency and disclosure requirements for cryptocurrency companies so that investors can make more informed decisions about financial and environmental risks,” “strengthen[ing] penalties for violating illicit-finance rules and subject cryptocurrency intermediaries to bans against tipping off criminals,” and limiting crypto risks to the financial system by following steps outlined in a recent Financial Stability Oversight Council report (covered by InfoBytes here), the administration said.
NIST releases new AI framework to help organizations mitigate risk
On January 26, the National Institute of Standards and Technology (NIST) released voluntary guidance to help organizations that design, deploy, or use artificial intelligence (AI) systems mitigate risk. The Artificial Intelligence Risk Management Framework (developed in close collaboration with the private and public sectors pursuant to a Congressional directive under the National Defense Authorization for Fiscal Year 2021), “provides a flexible, structured and measurable process that will enable organizations to address AI risks,” NIST explained. The framework breaks down the process into four high-level functions: govern, map, measure, and manage. These categories, among other things, (i) provide guidance on how to evaluate AI for legal and regulatory compliance and ensure policies, processes, procedures and practices are transparent, robust, and effective; (ii) outline processes for addressing AI risks and benefits arising from third-party software and data; (iii) describe the mapping process for collecting information to establish the context to frame AI-related risks; (iv) provide guidance for employing and measuring “quantitative, qualitative, or mixed-method tools, techniques, and methodologies to analyze, assess, benchmark, and monitor AI risk and related impacts”; and (v) set forth a proposed process for managing and allocating risk management resources. Examples are also provided within the framework to help organizations implement the guidance.
“This voluntary framework will help develop and deploy AI technologies in ways that enable the United States, other nations and organizations to enhance AI trustworthiness while managing risks based on our democratic values,” Deputy Commerce Secretary Don Graves said in the announcement. “It should accelerate AI innovation and growth while advancing—rather than restricting or damaging—civil rights, civil liberties and equity for all.”
Fed announces climate scenario exercises
On January 17, the Federal Reserve Board provided additional details regarding its upcoming pilot climate scenario analysis exercise and the information on risk management practices that will be gathered from the program. As previously covered by InfoBytes, the Fed announced in September 2022, that six of the nation’s largest banks will participate in a pilot climate scenario analysis exercise intended to enhance the ability of supervisors and firms to measure and manage climate-related financial risks. According to the Fed, the banks will analyze the impact of scenarios for both physical and transition risks related to climate change on specific assets in their portfolios. The Fed noted that it will collect qualitative and quantitative information during the pilot, including details on governance and risk management practices, among other things. Additionally, the banks will be asked to consider the effect on corporate loans and commercial real estate portfolios using a scenario based on current climate policies and one based on reaching net-zero greenhouse gas emissions by 2050. The Fed noted that though no firm-specific information will be released, it anticipates publishing insights at an aggregate level, reflecting what has been learned about climate risk management practices and how insights can identify possible risks and promote risk management practices.
FHFA outlines MSR guidance for managing counterparty credit risk
On January 12, FHFA released an advisory bulletin communicating supervisory expectations for Fannie Mae and Freddie Mac (the Enterprises) related to the valuation of mortgage servicing rights (MSRs) for managing counterparty credit risk. FHFA emphasized that Fannie and Freddie’s “risk management policies and procedures should be commensurate with an Enterprise’s risk appetite[] and based on an assessment of seller/servicer financial strength and MSR risk exposure levels.” FHFA relayed that while sellers and servicers assign values to their MSRs, the Enterprises should implement their own processes to evaluate the reasonableness of seller/servicer MSR values. FHFA explained that Fannie and Freddie are “exposed to counterparty credit risk when seller/servicers provide representations and warranties that mortgage loans conform with its selling guide requirements,” and reiterated that “[f]ailure to meet such obligations and commitments may cause the Enterprise to incur credit losses and operational costs.”
The advisory bulletin lays out risk management expectations to ensure MSR values are reasonable, objective, and transparent, and provides guidance covering several areas, including (i) objective evaluation of MSR values; (ii) MSR valuations for mortgage loans owned or guaranteed by Fannie and Freddie as well as stress testing; (iii) MSR valuations for mortgage loans not owned or guaranteed by Fannie or Freddie; (iv) market data input; (v) use of third-party providers; (vi) frequency of evaluations; and (vii) discount to MSR values when servicing rights are terminated. The advisory bulletin is applicable only to MSRs for single-family mortgage loans and is effective April 1.