Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On September 28, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2024. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) asset and liability management; (ii) credit; (iii) allowances for credit losses; (iv) cybersecurity; (v) operations; (vi) digital ledger technology activities; (vii) change in management; (viii) payments; (ix) Bank Secrecy Act/AML compliance; (x) consumer compliance; (xi) Community Reinvestment Act; (xii) fair lending; and (xiii) climate-related financial risks.
Two of the top areas of focus are asset and liability management and credit risk. In its operating plan the OCC says that “Examiners should determine whether banks are managing interest rate and liquidity risks through use of effective asset and liability risk management policies and practices, including stress testing across a sufficient range of scenarios, sensitivity analyses of key model assumptions and liquidity sources, and appropriate contingency planning.” With respect to credit risk, the OCC says that “Examiners should evaluate banks’ stress testing of adverse economic scenarios and potential implications to capital” and “focus on concentrations risk management, including for vulnerable commercial real estate and other higher-risk portfolios, risk rating accuracy, portfolios of highest growth, and new products.”
The plan will be used by OCC staff to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches and agencies of foreign banking organizations, and certain identified third-party service providers subject to OCC examination.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered here.
Adrienne Harris, Superintendent of the New York State Department of Financial Services (“DFS”) issued an update on the VOLT initiative, an ongoing project to enhance DFS’s role as a virtual currency regulator. Superintendent Harris published proposed guidance adopting enhanced criteria for procedures to list and de-list virtual currencies as well as updated guidance for designating virtual currencies to the DFS “Greenlist.”
The new General Framework for Greenlisted Coins sets (i) heightened risk assessment standards for coin-listing policies and enhances requirements for consumer-facing products; and (ii) new requirements associated with coin-delisting policies. Under the new guidance, a virtual currency entity that seeks to self-certify coins must create a coin-listing policy and may not self-certify any coins until such possibly has a written approval from DFS. A coin-listing policy must contain and be based on a robust governance structure; comprehensive risk assessment; consideration of factors to identify and mitigate risks involved in each coin and its uses; and policies and procedures to conduct continued monitoring of the coin to ensure consistent safety and soundness compliance.
The new framework does not require prior approval from the DFS to list coins included on the Greenlist, but does require virtual currency entities that choose to list such coins to (i) provide advance notification to DFS and (ii) have a DFS-approved coin-delisting policy.
The National Institute of Standards and Technology (NIST) recently unveiled a proposed update to its Cybersecurity Framework, which was originally developed to provide information security guidelines for “critical infrastructure” like banking and energy industries. (Covered by InfoBytes here). The update includes a new, sixth pillar called “govern” that provides categories to facilitate executive oversight; manage enterprise risk (including supply chain risk); and effective alignment of enterprise resources, strategies, and risk, emphasizing that “cybersecurity is a major source of enterprise risk and a consideration for senior leadership.” This pillar will also guide organizations’ leadership in making internal decisions to support its cybersecurity strategy. The framework draft also updated its implementation guidance, especially for creating profiles that tailor guidance for certain situations. Additionally, NIST included implementation examples that are particularly beneficial for smaller firms. The framework’s lead developer, Cherilyn Pascoe, mentioned the framework has proven useful across many different sectors like small businesses and foreign governments, therefore it was updated to be a useful tool to sectors, regardless of type or size, outside of those designated as critical. A major goal of the updated version of the framework is to show organizations how to leverage existing technology frameworks, standards, and guidelines to implement NIST’s framework. Furthermore, the framework title changed from “Framework for Improving Critical Infrastructure Cybersecurity” to “The Cybersecurity Framework” to reflect its expanded inclusivity and wide adoption.
Public comments must be received by November 4.
On August 14, the FDIC released its 2023 Risk Review, summarizing emerging risks in the U.S. banking system observed during 2022 and early 2023 in five broad categories: (i) credit risk; (ii) market risk; (iii) operational risk; (iv) crypto-asset risk; and (v) climate-related financial risk. According to the FDIC, the current risk review adds a new section relating to the FDIC’s approach to understanding and evaluating crypto-asset-related markets and activities. Monitoring these risks is among the agency’s top priorities, the FDIC said, and the “failure of three large banking institutions in March and May highlighted certain risks to the banking sector.” The FDIC stated that weaker economic conditions and higher interest rates in 2022 continued through early 2023, and “financial market conditions tightened considerably starting in 2022 on rising interest rates, high inflations, and concerns over a potential recession.” Overall, the FDIC said that “despite these challenges and the market stress in early 2023, the banking industry demonstrated resilience, but industry performance moderated from 2022.”
On August 8, the U.S. Government Accountability Office (GAO) released letters sent to the OCC, SEC, FDIC and the Fed to provide an update on GAO’s “priority open recommendations” for each regulator. Priority open recommendations refer to suggestions from GAO to bank regulators that have the potential for cost savings, elimination of mismanagement, fraud, and abuse, or addressing high-risk or duplication issues. GAO suggested that all four agencies follow its recommendation to coordinate oversight of blockchain technology. GAO referenced recent “volatility, bankruptcies, and instances of fraud in the crypto asset markets” and underscored the dangers to consumers and investors without safeguards. GAO suggests regulators jointly establish a formal coordination method to promptly identify and address risks tied to blockchain.
For the three banking regulators in particular—the OCC, FDIC, and Fed—GAO noted that in 2011 it recommended that the three banking regulators implement noncapital triggers for early regulatory intervention tied to risky banking practices, but that such triggers had not yet been implemented. GAO also suggested that banking regulators and the “communicate the appropriate use of alternative data in the underwriting process with banks that engage in third-party relationships with fintech lenders.”
GAO’s letter to the Fed restated GAO’s 2016 recommendation that the Fed design “a process to communicate information about the uncertainty surrounding post-stress capital ratio estimates” and “articulate tolerance levels for key risks identified through sensitivity testing and for the degree of uncertainty in the projected capital ratios.” GAO also recommended that the Fed revisit its “prompt corrective action framework” by “adopting noncapital triggers that would require early and forceful regulatory actions tied to unsafe banking practices.”
On August 1, the Fed released its 2023 Cybersecurity and Financial System Resilience Report. Required annually by the Consolidated Appropriations Act, 2021, the report describes the measures the Fed has taken to strengthen cybersecurity within the financial services sector and its supervision and regulation of financial institutions and service providers across the past year. The report details the Fed’s activities in the space, including issuing regulations and guidance for supervised institutions, examining and monitoring supervised institutions’ risk management, and collecting data on relevant cybersecurity incidents. Recent actions highlighted in the report include the publication of an updated Cybersecurity Resource Guide for Financial Institutions, a proposal to update the operational risk management requirements in Regulation HH for systematically important financial market utilities, and final joint guidance issued in conjunction with the FDIC and OCC regarding banking organizations’ risk management of third-party relationships. The Fed also describes the steps it is taking to protect its own operations and assets from cybersecurity threats.
With respect to supervisory activities, the Fed notes that it “has observed improvement in cybersecurity practices over the past several years resulting from supervised institutions’ efforts to address supervisory findings as well as proactive steps taken by the institutions.” The report notes that the Fed is taking measures to address OIG recommendations relating to the effectiveness of its cybersecurity incident response process, including updating the cybersecurity incident response process’s mission and governance structure and enhancing guidance and training. The report describes the Fed’s close coordination with other participants in the global financial system in addressing cybersecurity risk, including domestic and international agencies, governance bodies, financial regulators, and industry.
Finally, the report describes current and emerging threats to the financial system, including (i) geopolitical tensions and accompanying cyberattacks; (ii) cyber-criminal activity involving ransomware as a service, targeting of authentication mechanism weaknesses, and collaboration among cyberthreat actors; (iii) increasing potential of a supply chain or third-party attack; (iv) cyber risks associated with third-party providers; (v) insider threats; and (vi) other emerging technology-related threats, such as risks inherent to machine learning and quantum computing capabilities.
On July 28, the OCC, FDIC, NCUA and Fed issued an addendum to the Interagency Policy Statement on Funding and Liquidity Risk Management, issued in 2010. The update on liquidity risks and contingency planning emphasizes that depository institutions should regularly evaluate and update their contingency funding plans, referencing the unprecedented deposit outflows resulting from the early 2023 bank failures. According to the addendum, depository institutions should assess the stability of their funding, keep a range of funding sources, and regularly test any contingency borrowing lines in order to prepare staff in the case of adverse circumstances. Additionally, the addendum states that if contingency funding arrangements include discount windows, the depository institutions should ensure they can borrow from the discount window by (i) establishing borrowing arrangements; (ii) confirming that collateral is available to borrow in an appropriate amount; (iii) conduct small value transactions regularly to create familiarity with discount window operations; (iv) establish familiarity with the pledging process for collateral types; and (v) be aware that pre-pledging collateral can be useful in case liquidity needs arise quickly. The agencies also state that federal and state-chartered credit unions can access the Central Liquidity Facility, which provides a contingent federally sourced backup liquidity where a credit union’s liquidity and market funding sources prove inadequate.
On July 26, a divided SEC adopted a final rule outlining disclosure requirements for publicly traded companies in the event of a material cybersecurity incident. The final rule (proposed last year and covered by InfoBytes here) also requires companies to periodically disclose their cybersecurity risk management processes and establishes requirements for how cybersecurity disclosures must be presented. The final rule requires that material cybersecurity incidents be disclosed within four days from the time a company determines the incident was material (a disclosure may be delayed should the U.S. attorney general notify the SEC in writing that immediate disclosure poses a substantial risk to national security or public safety). Companies must also identify material aspects of the incident’s nature, scope, and timing, as well as its impact or reasonably likely impact on the company, and are required to describe their board’s and management’s oversight of risks from cybersecurity threats and previous cybersecurity incidents. These disclosures will be required in a company’s annual report. The final rule will also mandate foreign private issuers to provide comparable disclosures on forms related to material cybersecurity incidents and risk management, strategy, and governance.
The final rule is effective 30 days following publication of the adopting release in the Federal Register. The SEC noted that incident-specific disclosures will be required in Forms 8-K and 6-K beginning either 90 days after the final rule’s publication in the Federal Register or on December 18, whichever is later, though smaller reporting companies are provided an extra 180 days before they must begin providing such disclosures. Annual disclosures on cyber risk management, strategy, and governance will be required in Form 10-K and Form 20-F reports starting with annual reports for fiscal years ending on or after December 15. In terms of structured data requirements, all companies must tag disclosures in the required format beginning one year after initial compliance with the related disclosure requirement.
SEC Chair Gary Gensler commented that, in response to public comments received on the proposed rule, the final rule “streamlines required disclosures for both periodic and incident reporting” and requires companies “to disclose only an incident’s material impacts, nature, scope, and timing, whereas the proposal would have required additional details, not explicitly limited by materiality.”
In voting against the final rule, Commissioner Hester M. Pierce raised concerns that the final rule’s compliance timelines are overly aggressive even for large companies and that the short incident disclosure period could potentially mislead otherwise uninformed investors and “lead to disclosures that are ‘tentative and unclear, resulting in false positives and mispricing in the market.’” The final rule allows a company to update its incident disclosure with new information in subsequent reports that was unavailable at first and could impact investors who may suffer a loss due to the mispricing of the company’s securities following the initial reporting, Pierce said. She also criticized the risk to national security or public safety exemption as being overly narrow. Commissioner Mark Uyeda also opposed the adoption, writing that “[n]o other Form 8-K event requires such broad forward-looking disclosure that needs to be constantly assessed for a potential amendment.” Uyeda also questioned whether “[p]remature public disclosure of a cybersecurity incident at one company could result in uncertainty of vulnerabilities at other companies, especially if it involves a commonly used technology provider, [thus] resulting in widespread panic in the market and financial contagion.”
On July 17, SEC Chair Gary Gensler spoke before the National Press Club, where he discussed opportunities and challenges stemming from the use of artificial intelligence (AI)-based models. While Gensler acknowledged that AI has the potential to promote greater financial inclusion and enhance user experience, he warned that there are also challenges associated with AI advancements that need to be considered at both the individual and broader economic levels. At the individual (micro) level, Gensler explained that AI’s predictive capabilities allow for personalized communication, product offerings, and pricing. However, this individualized approach (also known as “narrowcasting”) also raises questions about how individuals will respond to tailored messages and offers, he said, pointing out that when AI models are used to make important decisions such as job selection, loan approvals, credit decisions, and healthcare allocation, issues related to explainability, bias, and robustness become a concern. Gensler elaborated that AI models often produce unexplainable decisions and outcomes due to their nonlinear and hyper-dimensional nature. Furthermore, AI may also make it more difficult to ensure fairness and can inadvertently perpetuate biases present in historical data or use latent features that act as proxies for protected characteristics, Gensler said, adding that “the challenges of explainability may mask underlying systemic racism and bias in AI predictive models.”
Gensler explained that these data analytics challenges are not new and that in the late 1960s and early 1970s, the Fair Housing Act, FCRA, and ECOA were, in part, driven by similar issues. He warned advisers and brokers that as they incorporate these technologies into their services, they must ensure that when offering advice and recommendations (whether or not based on AI) they consider the best interests of their clients and retail customers and not place their interests ahead of investors’ interests.
On July 10, Federal Reserve Board Vice Chair for Supervision Michael S. Barr delivered remarks at the Bipartisan Policy Center outlining proposed updates to capital standards. As part of his holistic review of capital standards for large banks, Barr concluded that the existing approach to capital requirements—including risk-based requirements, stress testing, risk-based capital buffers, and leverage requirements and buffers—was sound. He stated that the changes he proposes are intended to build on the existing foundation. Barr’s proposed updates include: (i) updating risk-based requirement standards to better reflect credit, trading, and operational risk, consistent with international standards adopted by the Basel Committee; (ii) evolving the stress test to capture a wider range of risks; and (iii) improving the measurement of systemic indicators under the global systemically important bank surcharge. Barr stated that at this time he was not recommending changes to the enhanced supplementary leverage ratio.
Barr also proposed implementing changes to the risk-based capital requirements, referred to as the “Basel III endgame,” which are intended to ensure that the U.S. minimum capital requirements require banks to hold adequate capital against their risk-taking. These proposed changes include: (i) with respect to a firm’s lending activities, the proposed rules would terminate the practice of relying on banks’ own individual estimates of their own risk and would instead adopt a more transparent and consistent approach; (ii) regarding a firm’s trading activities, the proposed rules would adjust the way that the firm measures market risk, better aligning market risk capital requirements with market risk exposure and providing supervisors with improved tools; and (iii) for operational losses, such as trading losses or litigation expenses, the proposed rules would replace an internal modeled operational risk requirement with a standardized measure.
Barr recommended that these enhanced capital rules apply only to banks and bank holding companies with $100 billion or more in assets. He emphasized that the proposed changes would not be fully effective for some years due to the notice and comment rulemaking process, and that any final rule would provide for an appropriate transition.