Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
On June 22, the Biden administration announced that the National Institute of Standards and Technology (NIST) launched a new public working group on generative AI. The Public Working Group on Generative AI will reportedly help NIST develop guidance surrounding the special risks posed by AI in order to help organizations and support initiatives to address the opportunities and challenges associated with generative AI’s creation of code, text, images, videos, and music. “The public working group will draw upon volunteers, with technical experts from the private and public sectors, and will focus on risks related to this class of AI, which is driving fast-paced changes in technologies and marketplace offerings” NIST stated. NIST also outlined the immediate, midterm, and long-term goals for the group. Initially, the working group will research how the NIST AI Risk Management Framework can be used to support AI technology development. The working group’s midterm goal will be to support NIST in testing, evaluation and measurement related to generative AI. In the long term, the group will explore the application of generative AI to address challenges in health, environment, and climate change. NIST encourages those interested in joining the working group to submit a form no later than July 9.
On June 16, Acting Comptroller of the Currency Michael J. Hsu warned that the unpredictability of artificial intelligence (AI) can pose significant risks to the financial system. During remarks presented at the American Bankers Association’s Risk and Compliance Conference, Hsu cautioned that banks must manage risks when adopting technologies such as tokenization and AI. Although Hsu reiterated his skepticism of cryptocurrency (covered by InfoBytes here), he acknowledged that AI and blockchain technology (where most tokenization efforts are currently focused) have the potential to present “significant” benefits to the financial system. He explained that trusted blockchains may improve settlement efficiency through tokenization of real-world assets and liabilities by minimizing lags and thereby reducing related frictions, costs, and risks. However, he warned that legal frameworks and risk and compliance capabilities for tokenizing real-world assets and liabilities at scale require further development, especially considering cross-jurisdictional situations and ownership and property rights.
With respect to banks’ adoption of AI, Hsu flagged AI’s “potential to reduce costs and increase efficiencies; improve products, services and performance; strengthen risk management and controls; and expand access to credit and other bank services.” But there are significant challenges, Hsu said, including bias and discrimination challenges in consumer lending, fraud, and risks created from the use of “generative” AI. Alignment is also the core challenge, Hsu said, explaining that because AI systems are built to learn and may not do what they are programed to do, governance and accountability challenges may become an issue. “Who can and should be held accountable for misaligned, unexpected, and harmful outcomes?” Hsu asked, pointing to banks’ use of third parties to develop and support their AI systems as an area of concern.
Hsu advised banks to approach innovation “responsibly and purposefully” and to proceed cautiously while keeping in mind three principles for managing risks: (i) innovate in stages, expand only when ready, and monitor, adjust and repeat; (ii) “build the brakes while building the engine” and ensure risk and compliance professionals are part of the innovation process; and (iii) engage with regulators early and often during the process and ask for permission, not forgiveness.
On June 14, the OCC released its Semiannual Risk Perspective for Spring 2023, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The agency reported that the overall strength of the federal banking system is sound but warned banks to remain diligent and maintain effective risk management practices over critical functions in order to withstand current and future economic and financial challenges.
The OCC highlighted liquidity, operational, credit, and compliance risk as key risk themes in the report. Observations include: (i) in response to recent bank failures and investment portfolio depreciation, liquidity levels have been strengthened; (ii) credit risk remains moderate, however in certain commercial real estate segments, signs of stress are increasing (high inflation and rising interest rates are also causing credit conditions to deteriorate); (iii) operational risk, including persistent cyber threats, is elevated, while opportunities and risks are created by banks’ increased use of third parties and the digitalization of banking products and service; and (iv) compliance risk remains heightened as banks continue to navigate a dynamic environment where compliance management systems try to keep pace with evolving products, services, and delivery channel offerings.
The report also discussed challenges banks face when trying to manage climate-related financial risks, as well as the importance of investing and aligning technology with banks’ business goals. Acting Comptroller of the Currency Michael Hsu urged banks “to ‘be on the balls of their feet’ with regards to risk management” and “guard against complacency.”
On June 6, the OCC, Federal Reserve Board, and FDIC issued interagency guidance to aid banking organizations in managing risks related to third-party relationships, including relationships with financial technology-focused entities. (See also FDIC FIL-29-2023 and Federal Reserve Board memo here.) The joint guidance, final as of June 6, replaces each agency’s existing general guidance on third-party risk management and is directed to all supervised banking organizations. Designed to streamline government guidance on mitigating risks when working with third parties, the final guidance establishes principles for banking organizations to consider when implementing risks management practices. Banking organizations are advised to consider and account for the level of risk, complexity, and size of the institution, as well as the nature of the third-party relationship, when conducting sound risk management.
After considering public comments received on proposed guidance issued in July 2021 (covered by InfoBytes here), the final guidance provides directions and expectations for oversight at all stages in the life cycle of a third-party relationship, including topics relating to planning, due diligence and third-party selection, contract negotiations, ongoing monitoring, and termination. Guidance on conducting independent reviews, maintaining documentation, and reporting is also included. The agencies advised banking organizations, particularly community banks, to review illustrative examples to help align risk management practices with the scope and risk profile of their third-party relationships. Additionally, banking organizations should maintain a complete inventory of their third-party relationships, identify higher-risk and critical activities, periodically conduct reviews to determine whether risks have changed over time, and update risk management practices accordingly, the agencies said.
The final guidance emphasizes that the agencies will review a banking organization’s third-party risk management practices as part of the standard supervisory process. When assessing whether activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, examiners will, among other things, (i) evaluate a banking organization’s ability to oversee and manage third party relationships; (ii) assess the effects of those relationships on a banking organization’s risk profile and operational performance; (iii) perform transaction testing to evaluate whether activities performed by a third party comply with applicable laws and regulations; (iv) conduct conversations relating to any identified material risks and deficiencies with senior management and board of directors; (v) review how a banking organization remediates any deficiencies; and (vi) consider supervisory findings when rating a banking organization.
The agencies stressed that they may take corrective measures, including enforcement actions, to address identified violations or unsafe or unsound banking practices by the banking organization or its third party. The agencies further announced that they plan to immediately engage with community banks and will develop additional resources in the future to help these organizations manage relevant third-party risks.
On May 25, the OCC announced revisions to its Policies and Procedures Manual (PPM) for bank enforcement actions. According to OCC Bulletin 2023-16, the recently revised version of PPM 5310-3 replaces and rescinds a version issued in November 2018 (covered by InfoBytes here), and now includes “Appendix C: Actions Against Banks With Persistent Weaknesses” to provide increased transparency and clarity on how the OCC determines whether a bank has persistent weaknesses and how the agency considers what actions may be needed to address these issues. The OCC explained that “persistent weaknesses” may include “composite or management component ratings that are 3 or worse, or three or more weak or insufficient quality of risk management assessments, for more than three years; failure by the bank to adopt, implement, and adhere to all the corrective actions required by a formal enforcement action in a timely manner; or multiple enforcement actions against the bank executed or outstanding during a three-year period.”
Possible actions taken against a bank that exhibits persistent weaknesses may include additional requirements and restrictions, such as requirements that a bank improve “composite or component ratings or quality of risk management assessments,” as well as restrictions on the bank’s growth, business activities, or payments of dividends. A bank may also be required “to take affirmative actions, including making or increasing investments targeted to aspects of its operations or acquiring or holding additional capital or liquidity.”
“Should a bank fail to correct its persistent weaknesses in response to prior enforcement actions or other measures . . . the OCC will consider further action to require the bank to remediate the weaknesses,” the agency said. “Such action could require the bank to simplify or reduce its operations, including that the bank reduce its asset size, divest subsidiaries or business lines, or exit from one or more markets of operation.” PPM 5310-3 also incorporates additional clarifications and updates legal and regulatory citations.
The same day, the OCC issued updates to its “Liquidity” booklet of the Comptroller’s Handbook used by examiners when assessing the quantity of a bank’s liquidity risk and the quality of its liquidity risk management. The booklet replaces an August 2021 version and reflects changes in regulations, makes clarifying edits, and addresses OCC issuances published since the last update.
The U.S. Treasury Department recently released its “first of its kind” strategy to address financial institution de-risking. Mandated by the Anti-Money Laundering Act of 2020, the 2023 De-Risking Strategy examines customer categories most often impacted by de-risking and provides findings and policy recommendations to address ongoing problems. Treasury defines de-risking as financial institutions restricting or terminating business relationships indiscriminately with broad classes of customers rather than analyzing and managing specific risks in a targeted manner. The report found that customers most frequently subject to de-risking are small-to-medium-sized money service businesses (MSB) that are often used by immigrant communities to send remittances abroad. Other commonly impacted customer categories include non-profit organizations operating overseas in high-risk jurisdictions and foreign financial institutions with low correspondent banking transaction volumes. De-risking is particularly acute for entities operating in financial environments characterized by significant money laundering/terrorism financing risks, the report notes. Identifying “profitability as the primary factor in financial institutions’ de-risking decisions,” the report found that profitability is influenced by several factors, including the cost to implement anti-money laundering/countering the finance of terrorism (AML/CFT) compliance measures and systems commensurate with customer risk.
The report presents several recommendations for policymakers, such as promoting consistent supervisory expectations and training federal examiners to consider the effects of de-risking, as well as suggesting that financial institutions analyze account termination notices and notice periods for non-profits and MSBs to identify ways to support longer notice periods where possible. Treasury also encourages heightened international cooperation to strengthen foreign jurisdictions’ AML/CFT regimes, and encourages policymakers to continue assessing the risks and opportunities of innovative and emerging technologies for AML/CFT compliance solutions. Treasury may also consider requiring financial institutions to have “reasonably designed and risk-based AML/CFT programs supervised on a risk basis, possibly taking into consideration the effects of financial inclusion.”
Acting Comptroller of the Currency Michael J. Hsu recently discussed the evolution and impact of open banking during remarks at the Spring FDX Global Summit. Defining open banking as “enabling consumer-permissioned sharing of financial data with third parties to empower consumers, foster competition, and expand financial inclusion,” Hsu explained that, under the concept, consumers may eventually be able to access a wide range of financial service providers and move checking and savings accounts between providers more readily. Hsu cautioned, however, that new risks may arise due to increases in the “volume and complexity of consumer-permissioned sharing.” Hsu highlighted the interconnectedness of open banking, safety and soundness, and the changing culture of banking due to the digitalization of banking and the associated promises of innovation. “The potential for open banking to provide consumers with greater control over their financial data, to increase the portability of banking accounts, and to foster greater competition and fairness in the provision of financial services is significant and may impact banking in a variety of ways,” he said.
Hsu commented that, while the OCC supports opening banking, it is also cautious about potential increases to liquidity, operational, and compliance risks. While account portability “will be empowering for consumers, in isolation this would likely increase the liquidity risk of retail deposits for banks,” Hsu said. Additionally, increasing the volume and complexity of consumer-permissioned sharing has the potential to introduce new risks and necessitate new controls, Hsu said, adding that banks operating as data providers will need to “interact with aggregators, fintechs, technology firms, and competitor banks,” and “expand from reliably handling their customers’ money, to also reliably handling their financial data.” Underscoring the blurred lines between banking and commerce in the digital arena, Hsu emphasized that “[o]pen banking cannot be accomplished by banks alone. Data aggregators and fintechs already play a significant role, which will expand as open banking is more fully adopted.”
On March 16, NYDFS issued a consent order against a payment service provider for allegedly failing to comply with the state’s virtual currency and cybersecurity regulations. The company was licensed to engage in virtual currency business activity in the state pursuant to 23 NYCRR Part 200. Licensees under Part 200 are required to, among other things, comply with federal and state laws mandating effective controls to guard against money laundering and certain other illegal activities. A 2022 NYDFS examination revealed that, although the company made improvements to address deficiencies within its AML and cybersecurity compliance programs that were identified during a 2018 examination, the programs still required additional improvements to achieve regulatory compliance. NYDFS concluded that the company violated sections of Part 200 by allegedly failing to develop adequate internal policies and controls to maintain compliance with applicable AML laws or to develop procedures to ensure compliance with necessary risk management requirements under applicable OFAC regulations. Furthermore, the company violated the state’s cybersecurity regulation (23 NYCRR Part 500) by failing to conduct periodic cybersecurity risk assessments and failing to timely appoint a designated chief information security officer responsible for overseeing, implementing, and reporting on the company’s cybersecurity program. Under the terms of the consent order, the company agreed to pay a $1 million civil monetary penalty and submit an action plan to NYDFS within 180 days detailing its remediation efforts. The company also agreed to conduct a comprehensive cybersecurity risk assessment within 150 days and to continue to strengthen its controls, policies, and procedures to prevent future violations.
On February 23, the FDIC, Federal Reserve Board, and OCC released a joint statement addressing bank liquidity risks tied to crypto-assets. The agencies warned that using sources of funding from crypto-asset-related entities may expose banks to elevated liquidity risks “due to the unpredictability of the scale and timing of deposit inflows and outflows.” The agencies addressed concerns related to deposits placed by crypto-asset-related entities for the benefit of end customers where the deposits may be influenced by the customer’s behavior or crypto-asset sector vulnerabilities, rather than the crypto-asset-related entity itself, which is the bank’s direct counterparty. The agencies warned that the “uncertainty and resulting deposit volatility can be exacerbated by end customer confusion related to inaccurate or misleading representations of deposit insurance by a crypto-asset-related entity.” The agencies also addressed issues concerning deposits that constitute stablecoin-related reserves, explaining that the stability of these types of deposits may be dependent on several factors, including the “demand for stablecoins, the confidence of stablecoin holders in the stablecoin arrangement, and the stablecoin issuer’s reserve management practices,” and as such, may “be susceptible to large and rapid outflows stemming from, for example, unanticipated stablecoin redemptions or dislocations in crypto-asset markets.”
The agencies’ statement reminded banking organizations to apply effective risk management controls when handling crypto-related deposits, commensurate with the associated liquidity risk of those deposits. The statement suggested certain effective risk management practices, which include: (i) understanding the direct and indirect drivers of potential deposit behavior to ascertain which deposits are susceptible to volatility; (ii) assessing concentrations or interconnectedness across crypto deposits, as well as the associated liquidity risks; (iii) incorporating liquidity risks or funding volatility into contingency funding planning; and (iv) performing robust due diligence and ongoing monitoring of crypto-asset-related entities that establish deposit accounts to ensure representations about these types of deposit accounts are accurate. The agencies further emphasized that banks are required to comply with applicable laws and regulations, including brokered deposit rules, as applicable, and Call Report filing requirements. The joint statement also reminded banks that they “are neither prohibited nor discouraged from providing banking services to customers of any specific class or type, as permitted by law or regulation.”
As previously covered by InfoBytes, the agencies issued a statement in January highlighting key risks banks should consider when choosing to engage in cryptocurrency-related services.
On February 8, the U.S. Treasury Department launched the interagency Cloud Services Steering Committee in an effort to improve regulatory and private sector cooperation and develop best practices for cloud-adoption frameworks and contracts. As part of the announcement, Treasury released a first-of-its-kind report discussing potential benefits and challenges associated with the adoption of cloud services technology by financial services firms. While recognizing that cloud-based technologies can improves access and reliability for local communities and help community banks compete with financial technology firms, Treasury found that financial services firms that rely on these technologies need more visibility, staff support, and cybersecurity incident response engagement from cloud service providers (CSPs).
The report identified several significant challenges resulting from the use of cloud-based technologies in the financial sector. These include: (i) insufficient transparency to support due diligence and monitoring by financial institutions (financial institutions must fully understand the risks associated with cloud services in order to implement appropriate protections for consumers); (ii) gaps in human capital and tools to securely deploy cloud services (CSPs should engage experts and improve tools and frameworks to ensure financial institutions are able to implement resilient, secure platforms for customers); (iii) exposure to potential operational incidents (financial institutions have expressed concerns that cyber vulnerabilities originating at a CSP could have a cascading impact); (iv) potential impact of market concentration in cloud service offerings on the financial sector’s resilience (the current market relies on a small number of CSPs that likely exists across banking, securities, and insurance markets); (v) dynamics in contract negotiations given market concentration (the small number of CSPs could affect financial institutions’ bargaining power); and (vi) international landscape and regulatory fragmentation (regulatory conflicts could result from the patchwork of global regulatory and supervisory approaches to cloud technology).
The report, which received extensive input from U.S. regulators, private sector stakeholders, trade associations, and think tanks, does not impose any requirements, nor does it endorse or discourage firms from using a specific provider or cloud service. It does, however, recommend that Treasury and the broader financial regulatory community further evaluate the financial risks associated with having a limited number of CSPs offer cloud services.