On July 13, the Federal Reserve Board, FDIC, and OCC announced a request for public comments on proposed guidance designed to help banking organizations manage risks related to third-party relationships, including relationships with financial technology-focused entities. The guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance. The proposed guidance provides “a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.” The proposal addresses key components of risk management, such as (i) planning, due diligence, and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Comments on the proposal are due 60 days after publication in the Federal Register.
On July 7, the Financial Stability Board (FSB) released several reports addressing climate-related financial risks. The FSB Roadmap for Addressing Climate-Related Financial Risks noted that a growing number of international initiatives are underway that address financial risks resulting from climate change. “Effective risk management at the level of individual companies and financial market participants is a precondition for a resilient financial system,” the report stated, adding that the “interconnections between climate-related financial risks faced by different participants in the financial system reinforce the case for coordinated action.” Among other things, the FSB set out a roadmap that focuses on four interrelated areas: (i) firm-level disclosures that should be used as the basis for pricing and managing climate-related financial risks at the level of individual entities and market participants; (ii) consistent metrics and disclosure data that can “provide the raw material for the diagnosis of climate-related vulnerabilities”; (iii) an analysis of vulnerabilities to provide the groundwork for designing and applying regulatory and supervisory frameworks and tools; and (iv) the establishment of regulatory and supervisory practices and tools to allow authorities to effectively identify climate-related risks to financial stability. FSB also released the Report on Promoting Climate-Related Disclosures, following a survey of members that explored current or planned national and regional climate-related disclosures. FSB presented several high-level recommendations, including, among other things, that financial authorities use a framework based on recommendations from the Task Force on Climate-Related Financial Disclosures (TCFD) across both non-financial corporates and financial institutions to promote a more consistent global approach.
FSB issued another report entitled, The Availability of Data with Which to Monitor and Assess Climate-Related Risks to Financial Stability, that suggested various priorities to address climate-related data gaps “to improve the monitoring and assessment of climate-related risks to financial stability.”
Additionally, Federal Reserve Board Vice Chair for Supervision Randal K. Quarles delivered remarks before the Venice International Conference on Climate Change on July 11, in which he discussed the work of the TCFD and stressed the importance of improving data quality and addressing data gaps, as well as ultimately establishing “a basis of comprehensive, consistent, and comparable data for global monitoring and assessing climate-related financial risks.”
On June 30, the Federal Financial Institutions Examinations Council (FFIEC) published the “Architecture, Infrastructure, and Operations” booklet of the FFIEC Information Technology Examination Handbook, which provides guidance to examiners on assessing the risk profile and adequacy of an entity’s information technology architecture, infrastructure, and operations (AIO). According to FDIC FIL-47-2021, the booklet, among other things: (i) describes the principles and practices that examiners should review in order to assess an entity’s AIO functions; (ii) focuses on “enterprise-wide, process-oriented approaches regarding the design of technology within the overall enterprise and business structure, implementation of information technology infrastructure components, and delivery of services and value for customers”; and (iii) mentions “assessing an entity’s governance of common AIO-related risks, enterprise-wide IT architectural planning and design, implementation of virtual and physical infrastructure, and on assessing an entity’s related operational controls.” In addition, according to an OCC announcement, the booklet discusses how appropriate governance of the AIO functions and related activities can: (i) promote risk identification across banks, nonbank financial institutions, bank holding companies, and third-party providers; (ii) support implementation of effective risk management; (iii) assist management through the regular assessment of an entity’s strategies; and (iv) promote alignment and integration between the functions. The booklet replaces the Operations booklet issued in July 2004.
On June 10, the Texas Department of Banking issued Industry Notice 2021-03, which notifies supervised Texas state-chartered banks that they “may provide customers with virtual currency custody services, as long as the bank has adequate protocols in place to effectively manage the risks and comply with applicable law.” The Department noted that Texas state-chartered banks have long provided customers with safekeeping and custody resources through secure storage of assets, which is a critical role in the banking business. “While custody and safekeeping of virtual currencies will necessarily differ from that associated with more traditional assets the [Department] believes that the authority to provide these services with respect to virtual currencies already exists pursuant to Texas Finance Code §32.001,” the notice provided. In addition, the type of virtual currency custody service a bank chooses to offer will depend on that bank’s expertise, risk appetite, and business model. The notice also pointed out that the Department determined that custody services may be offered by a Texas state-chartered bank in a capacity that is fiduciary or non-fiduciary. A non-fiduciary capacity will allow the bank to act “as a bailee, taking possession of the customer’s asset for safekeeping while legal title to that asset remains with the customer.” Alternatively, in its fiduciary capacity, the bank will have oversight to control virtual currency assets as it would any other type of asset held in such capacity. The notice warned, however, that if a bank is offering virtual currency services, bank management must conduct due diligence and carefully examine the risks involved in offering a new product or service through a methodical risk assessment process.
On May 26, the OCC announced a series of examiner-led virtual workshops for the boards of directors of community national banks and federal savings associations. The workshops will focus on emerging issues regarding compliance risk, and will provide training and guidance on implementing effective compliance risk management programs, as well as guidance on regulations such as the Bank Secrecy Act and ECOA. A schedule of the upcoming workshops is available here.
On May 18, the OCC released its Semiannual Risk Perspective for Spring 2021, which reports on key risk areas posing a threat to the safety and soundness of national banks and federal savings associations. While, overall, banks maintained sound capital and liquidity levels throughout 2020, the OCC noted that bank profitability remains stressed as a result of low interest rates and low loan demand.
Key risk themes identified in the report include:
- Credit risk. The OCC reported that credit risk is evolving a year into the Covid-19 pandemic, specifically as the economic downturn continues to affect some borrowers’ ability to service debts and government assistance programs start to expire.
- Strategic risk. Strategic risk associated with how banks manage net interest margin compression and earnings is elevated. The OCC suggested that banks attempting to improve earnings could implement various measures, including cost cutting and taking on increased credit risk.
- Operational risk. Elevated operational risk can be attributed to complex operating environments and increased cybersecurity threats. A flexible, risk-based approach, including surveillance, reporting, and managing third-party risk, is important for banks to be operationally resilient, the OCC stated.
- Compliance risk. Compliance risk is also elevated due to the expedited implementation of a number of Covid-19-related assistance programs, including the CARES Act Paycheck Protection Program and federal, state, and bank-initiated forbearance and deferred payment programs. These programs, the OCC noted, require “increased compliance responsibilities, high transaction volumes, and new fraud typologies, at a time when banks continue to respond to a changing operating environment.”
On April 27, NYDFS released a report warning the financial services industry to tighten third-party risk management measures, as the “next great financial crisis could come from a cyber-attack.” The report covers a December 2020 cyber-attack described as “part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors” focusing on “stealth and stealing sensitive information.” According to the report, hackers installed malware into a software platform used by the government and financial services and telecommunications companies to monitor and manage the performance of their networks. This attack, NYDFS noted, is “the most visible, widespread, and intrusive information technology software supply chain attack” to date and “opened back doors into thousands of organizations, including almost 100 companies in New York’s financial services industry.” While none of NYDFS’s regulated entities’ networks were actively exploited, the regulator warned that these types of attacks highlight the financial services industry’s vulnerability to supply chain attacks. Moreover, because third-party risk management is a key part of NYDFS’s Cybersecurity Regulation, the regulator is “exploring ways to further address this critical component of cybersecurity.” Report findings highlight that, among other things, (i) the patch-management programs for many regulated entities “are immature and lack the proper ‘patching cadence’ needed to ensure timely remediation of high-risk cyber vulnerabilities,” and (ii) “supply chain” cyber-attacks are dangerous since “malware is embedded inside a legitimate product,” allowing “an attacker to access the networks of many organizations in a single stroke.”
The report provides several recommendations, including that entities should (i) include in their vendor risk-management policies and procedures “processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors”; (ii) adopt a “zero trust” approach and implement multiple layers of security and extra protection for sensitive information; (iii) address vulnerabilities in a timely manner through patch testing, validation processes, and deployment; and (iv) ensure their incident response plans address supply chain compromises.
On April 9, the Federal Reserve Board, FDIC, and OCC, in consultation with FinCEN and the NCUA, issued a joint statement on the use of risk management principles outlined in the agencies’ “Supervisory Guidance on Model Risk Management” (known as the “model risk management guidance” or MRMG) as it relates to financial institutions’ compliance with Bank Secrecy Act/anti-money laundering (BSA/AML) rules. While the joint statement is “intended to clarify how the MRMG may be a useful resource to guide a bank’s [model risk management] framework, whether formal or informal, and assist with BSA/AML compliance,” the agencies emphasized that the MRMG is nonbinding and does not alter existing BSA/AML legal or regulatory requirements or establish new supervisory expectations. In conjunction with the release of the joint statement, the agencies also issued a request for information (RFI) on the extent to which the principles discussed in the MRMG support compliance by financial institutions with BSA/AML and Office of Foreign Assets Control requirements. The agencies seek comments and information to better understand bank practices in these specific areas and to determine whether additional explanation or clarification may be helpful in increasing transparency, effectiveness, or efficiency. Comments on the RFI are due within 60 days of publication in the Federal Register.
On December 22, the Federal Reserve Board announced an enforcement action against a Swiss bank for alleged Bank Secrecy Act/anti-money laundering (BSA/AML) compliance risk management deficiencies found during a 2019 examination of the bank’s New York branch. The consent order outlines a number of corporate compliance and governance measures that the bank is required to undertake, such as: (i) submitting a joint written plan by the board of directors, risk committee, and senior management within 90 days that outlines measures for strengthening their respective oversight of the bank’s U.S. operations’ compliance, including “provid[ing] for a sustainable governance framework that, at a minimum, addresses, considers, and includes actions to improve policies, procedures, and controls for BSA/AML compliance across the U.S. operations”; (ii) providing a written revised customer due diligence program for the New York branch within 90 days, which must outline measures such as risk-based policies and procedures to ensure complete and accurate customer information is collected, retained, and analyzed for all account holders; (iii) submitting a revised suspicious activity monitoring and reporting program demonstrating that the New York branch is engaging in timely suspicious activity monitoring and reporting; and (iv) implementing independent testing within the New York branch to ensure compliance with all applicable BSA/AML requirements.
On November 9, the OCC released its Semiannual Risk Perspective for Fall 2020, which reports on key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. In particular, the OCC noted the financial impacts of the Covid-19 pandemic on the federal banking industry, emphasizing that while economic activity rebounded in the third quarter, there is significant ongoing risk. The report discusses, as a special topic in emerging risks, growing trends in payment products and services. The report also highlights several key risk areas for banks: credit, strategic, operational, and compliance. Specifically, the report notes that credit risk is increasing as government assistance programs expire and the economic downturn has led to elevated unemployment levels. The report further notes that strategic risk affecting profitability is an emerging issue due to low interest rates, which historically have negatively affected profitability when low for a long period of time. Moreover, the report notes elevated operational risk due to complex operating environments, with cybersecurity being a key concern. The increase in large-scale telework has created unique security and internal control challenges. Lastly, the report discusses elevated compliance risk due to the expedited implementation of a number of Covid-19-related assistance programs.