InfoBytes Blog
OCC releases new Model Risk Management booklet
On August 18, the OCC issued a new Model Risk Management booklet as part of the Comptroller’s Handbook’s safety and soundness series. The booklet is used by OCC examiners when examining and supervising national banks, federal savings associations, and federal branches and agencies of foreign banking organizations. Among other things, the new booklet (i) outlines model risk management concepts and general principles; (ii) “informs and educates examiners about sound model risk management practices that should be assessed during an examination”; and (iii) “provides information needed to plan and coordinate examinations on model risk management, identify deficient practices, and conduct appropriate follow-up.” The booklet aligns with principles laid out in OCC Bulletin 2011-12, “Sound Practices for Model Risk Management: Supervisory Guidance on Model Risk Management.”
FINRA reminds firms of third-party supervisory obligations
On August 13, the Financial Industry Regulatory Authority (FINRA) reminded member firms of their supervisory obligations related to outsourcing to third-party vendors. Regulatory Notice 21-29 reiterates that supervisory obligations under FINRA Rule 3110 extend to member firms’ outsourcing of certain “covered activities” and reminds firms that under Regulatory Notice 05-48, “‘outsourcing an activity or function to … [a vendor] does not relieve members of their ultimate responsibility for compliance with all applicable federal securities laws and regulations and [FINRA] and MSRB rules regarding the outsourced activity or function.’” Emphasizing that “member firms have continued to expand the scope and depth of their use of technology and have increasingly leveraged [v]endors to perform risk management functions and to assist in supervising sales and trading activity and customer communications,” FINRA reminds member firms that supervisory systems and associated written supervisory procedures extend to the “outsourced activities or functions” of their vendors. The notice also cites examples of violations uncovered during previous examinations linked to third-party vendors related to data integrity, cybersecurity and technology governance, and books and records requirements. These include instances where firms’ vendors failed to implement technical controls or failed to properly manage customers’ nonpublic information. Member firms are encouraged to take a “risk-based approach” to vendor management and to assess whether their supervisory procedures for third-party vendors are “sufficient to maintain compliance with applicable rules.”
FHFA gives guidance on FHLB investments
On August 16, FHFA issued Advisory Bulletin AB 2021-02, which provides guidance regarding federal home loan banks’ investments in Agency Commercial Mortgage-Backed Securities (CMBS) that are issued and guaranteed by either the U.S. government (Ginnie Mae), or by government-sponsored entities Fannie Mae and Freddie Mac. The Bulletin recommends risk management practices, such as establishing certain limits to address the risks associated with unexpected prepayments of CMBS investments. FHFA also “encourages early adherence” to the guidance, but states that “by December 31, 2021, all Banks should have appropriate Agency CMBS concentration risk limits in place.” Guidance in the Bulletin includes, among other things: (i) pre-purchase analytics; (ii) the minimum risk-adjusted spread requirement; (iii) concentration limits; (iv) reporting; and (v) prepayment projections.
FFIEC gives authentication and access guidance to financial institutions
On August 11, the Federal Financial Institutions Examination Council (FFIEC) published guidance, on behalf of its members, to provide financial institutions with examples of effective authentication and access risk management principles and practices for customers, employees, and third parties accessing digital banking services and financial institution information systems. Among other things, the guidance: (i) acknowledges significant risks associated with the cybersecurity threat landscape, which reinforces the need for financial institutions to effectively authenticate users and for customers to protect information systems, accounts, and data; (ii) provides examples of effective risk assessment practices, such as an inventory of information systems and an inventory of digital banking services and customers; and (iii) indicates that single-factor authentication with layered security is inadequate, and that multi-factor authentication or controls of equivalent strength with layered security may therefore be more effective.
The guidance replaces the FFIEC-issued Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011).
Federal agencies seek comments on third-party relationships
On July 13, the Federal Reserve Board, FDIC, and OCC announced a request for public comments on proposed guidance designed to help banking organizations manage risks related to third-party relationships, including relationships with financial technology-focused entities. The guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance. The proposed guidance provides “a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.” The proposal addresses key components of risk management, such as (i) planning, due diligence, and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Comments on the proposal are due 60 days after publication in the Federal Register.
FSB addresses climate-related financial risks
On July 7, the Financial Stability Board (FSB) released several reports addressing climate-related financial risks. The FSB Roadmap for Addressing Climate-Related Financial Risks noted that a growing number of international initiatives are underway that address financial risks resulting from climate change. “Effective risk management at the level of individual companies and financial market participants is a precondition for a resilient financial system,” the report stated, adding that the “interconnections between climate-related financial risks faced by different participants in the financial system reinforce the case for coordinated action.” Among other things, the FSB set out a roadmap that focuses on four interrelated areas: (i) firm-level disclosures that should be used as the basis for pricing and managing climate-related financial risks at the level of individual entities and market participants; (ii) consistent metrics and disclosure data that can “provide the raw material for the diagnosis of climate-related vulnerabilities”; (iii) an analysis of vulnerabilities to provide the groundwork for designing and applying regulatory and supervisory framework and tools; and (iv) the establishment of regulatory and supervisory practices and tools to allow authorities to effectively identify climate-related risks to financial stability. FSB also released the Report on Promoting Climate-Related Disclosures, following a survey of members which explored national and regional current or planned climate-related disclosures. FSB presented several high-level recommendations, including, among other things, that financial authorities use a framework based on recommendations from the Task Force on Climate-Related Financial Disclosures (TCFD) across both non-financial corporates and financial institutions to propose a more consistent global approach. 
FSB issued another report entitled, The Availability of Data with Which to Monitor and Assess Climate-Related Risks to Financial Stability, that suggested various priorities to address climate-related data gaps “to improve the monitoring and assessment of climate-related risks to financial stability.”
Additionally, Federal Reserve Board Vice Chair for Supervision, Randal K. Quarles, spoke before the Venice International Conference on Climate Change on July 11, in which he discussed the work of the TCFD and stressed the importance of improving data quality and addressing data gaps, as well as ultimately establishing "a basis of comprehensive, consistent, and comparable data for global monitoring and assessing climate-related financial risks."
FFIEC releases “Architecture, Infrastructure, and Operations” booklet
On June 30, the Federal Financial Institutions Examination Council (FFIEC) published the “Architecture, Infrastructure, and Operations” booklet of the FFIEC Information Technology Examination Handbook, which provides guidance to examiners on assessing the risk profile and adequacy of an entity’s information technology architecture, infrastructure, and operations (AIO). According to FDIC FIL-47-2021, the booklet, among other things: (i) describes the principles and practices that examiners should review in order to assess an entity’s AIO functions; (ii) focuses on “enterprise-wide, process-oriented approaches regarding the design of technology within the overall enterprise and business structure, implementation of information technology infrastructure components, and delivery of services and value for customers”; and (iii) addresses “assessing an entity’s governance of common AIO-related risks, enterprise-wide IT architectural planning and design, implementation of virtual and physical infrastructure, and on assessing an entity’s related operational controls.” In addition, according to an OCC announcement, the booklet discusses how appropriate governance of the AIO functions and related activities can: (i) promote risk identification across banks, nonbank financial institutions, bank holding companies, and third-party providers; (ii) support implementation of effective risk management; (iii) assist management through the regular assessment of an entity’s strategies; and (iv) promote alignment and integration between the functions. The booklet replaces the Operations booklet issued in July 2004.
Texas permits banks to provide virtual currency custody services
On June 10, the Texas Department of Banking issued Industry Notice 2021-03, which notifies supervised Texas state-chartered banks that they “may provide customers with virtual currency custody services, as long as the bank has adequate protocols in place to effectively manage the risks and comply with applicable law.” The Department noted that Texas state-chartered banks have long provided customers with safekeeping and custody resources through secure storage of assets, which is a critical role in the banking business. “While custody and safekeeping of virtual currencies will necessarily differ from that associated with more traditional assets the [Department] believes that the authority to provide these services with respect to virtual currencies already exists pursuant to Texas Finance Code §32.001,” the notice provided. In addition, the type of virtual currency a bank chooses to support will depend on that bank’s expertise, risk appetite, and business model. The notice also pointed out that the Department determined that custody services may be offered by a Texas state-chartered bank in either a fiduciary or a non-fiduciary capacity. A non-fiduciary capacity will allow the bank to act “as a bailee, taking possession of the customer’s asset for safekeeping while legal title to that asset remains with the customer.” Alternatively, in its fiduciary capacity, the bank will have oversight to control virtual currency assets as it would any other type of asset held in such capacity. The notice warned, however, that if a bank is offering virtual currency services, bank management must conduct due diligence and carefully examine the risks involved in offering a new product or service through a methodical risk assessment process.
OCC to host compliance risk management workshops
On May 26, the OCC announced a series of examiner-led virtual workshops for the boards of directors of community national banks and federal savings associations. The workshops will focus on emerging issues regarding compliance risk, and will provide training and guidance on implementing effective compliance risk management programs, as well as guidance on regulations such as the Bank Secrecy Act and ECOA. A schedule of the upcoming workshops is available here.
OCC examines effects of Covid-19 on federal banking system
On May 18, the OCC released its Semiannual Risk Perspective for Spring 2021, which reports on key risk areas posing a threat to the safety and soundness of national banks and federal savings associations. While, overall, banks maintained sound capital and liquidity levels throughout 2020, the OCC noted that bank profitability remains stressed as a result of low interest rates and low loan demand.
Key risk themes identified in the report include:
- Credit risk. The OCC reported that credit risk is evolving a year into the Covid-19 pandemic, specifically as the economic downturn continues to affect some borrowers’ ability to service debts and government assistance programs start to expire.
- Strategic risk. Strategic risk associated with how banks manage net interest margin compression and earnings is elevated. The OCC suggested that banks attempting to improve earnings could implement various measures, including cost cutting and increasing credit risk.
- Operational risk. Elevated operational risk can be attributed to complex operating environments and increased cybersecurity threats. A flexible, risk-based approach, including surveillance, reporting, and managing third-party risk, is important for banks to be operationally resilient, the OCC stated.
- Compliance risk. Compliance risk is also elevated due to the expedited implementation of a number of Covid-19-related assistance programs, including the CARES Act Paycheck Protection Program and federal, state, and bank-initiated forbearance and deferred payment programs. These programs, the OCC noted, require “increased compliance responsibilities, high transaction volumes, and new fraud typologies, at a time when banks continue to respond to a changing operating environment.”