InfoBytes Blog

Financial Services Law Insights and Observations

  • NYDFS tells industry to tighten third-party risk management

    State Issues

    On April 27, NYDFS released a report warning the financial services industry to tighten third-party risk management measures, as the “next great financial crisis could come from a cyber-attack.” The report covers a December 2020 cyber-attack described as “part of a widespread, sophisticated cyber espionage campaign by Russian Foreign Intelligence Service actors” focusing on “stealth and stealing sensitive information.” According to the report, the attackers installed malware in a software platform used by government agencies and by financial services and telecommunications companies to monitor and manage the performance of their networks. This attack, NYDFS noted, is “the most visible, widespread, and intrusive information technology software supply chain attack” to date and “opened back doors into thousands of organizations, including almost 100 companies in New York’s financial services industry.” While none of NYDFS’s regulated entities’ networks were actively exploited, the regulator warned that these types of attacks highlight the financial services industry’s vulnerability to supply chain attacks. Moreover, because third-party risk management is a key part of NYDFS’s Cybersecurity Regulation, the regulator is “exploring ways to further address this critical component of cybersecurity.” Report findings highlight that, among other things, (i) the patch-management programs of many regulated entities “are immature and lack the proper ‘patching cadence’ needed to ensure timely remediation of high-risk cyber vulnerabilities,” and (ii) “supply chain” cyber-attacks are dangerous because “malware is embedded inside a legitimate product,” allowing “an attacker to access the networks of many organizations in a single stroke.”

    The report provides several recommendations, including that entities should (i) include in their vendor risk-management policies and procedures “processes for due diligence and contractual protections that will ensure the company can monitor the cybersecurity practices and overall cyber hygiene of critical vendors”; (ii) adopt a “zero trust” approach and implement multiple layers of security and extra protection for sensitive information; (iii) address vulnerabilities in a timely manner through patch testing, validation processes, and deployment; and (iv) ensure their incident response plans address supply chain compromises.


  • Agencies issue MRMG; seek comments on BSA/AML compliance

    Agency Rule-Making & Guidance

    On April 9, the Federal Reserve Board, FDIC, and OCC, in consultation with FinCEN and the NCUA, issued a joint statement on the use of risk management principles outlined in the agencies’ “Supervisory Guidance on Model Risk Management” (known as the “model risk management guidance” or MRMG) as it relates to financial institutions’ compliance with Bank Secrecy Act/anti-money laundering (BSA/AML) rules. While the joint statement is “intended to clarify how the MRMG may be a useful resource to guide a bank’s [model risk management] framework, whether formal or informal, and assist with BSA/AML compliance,” the agencies emphasized that the MRMG is nonbinding and does not alter existing BSA/AML legal or regulatory requirements or establish new supervisory expectations. In conjunction with the release of the joint statement, the agencies also issued a request for information (RFI) on the extent to which the principles discussed in the MRMG support compliance by financial institutions with BSA/AML and Office of Foreign Assets Control requirements. The agencies seek comments and information to better understand bank practices in these specific areas and to determine whether additional explanation or clarification may be helpful in increasing transparency, effectiveness, or efficiency. Comments on the RFI are due within 60 days of publication in the Federal Register.


  • Fed targets Swiss bank for BSA/AML compliance deficiencies

    Federal Issues

    On December 22, the Federal Reserve Board announced an enforcement action against a Swiss bank for alleged Bank Secrecy Act/anti-money laundering (BSA/AML) compliance risk management deficiencies found during a 2019 examination of the bank’s New York branch. The consent order outlines a number of corporate compliance and governance measures that the bank is required to undertake, such as: (i) submitting a joint written plan by the board of directors, risk committee, and senior management within 90 days that outlines measures for strengthening their respective oversight of the bank’s U.S. operations’ compliance, including “provid[ing] for a sustainable governance framework that, at a minimum, addresses, considers, and includes actions to improve policies, procedures, and controls for BSA/AML compliance across the U.S. operations”; (ii) providing a written revised customer due diligence program for the New York branch within 90 days, which must outline measures such as risk-based policies and procedures to ensure complete and accurate customer information is collected, retained, and analyzed for all account holders; (iii) submitting a revised suspicious activity monitoring and reporting program demonstrating that the New York branch is engaging in timely suspicious activity monitoring and reporting; and (iv) implementing independent testing within the New York branch to ensure compliance with all applicable BSA/AML requirements.


  • OCC warns of key banking risks

    Federal Issues

    On November 9, the OCC released its Semiannual Risk Perspective for Fall 2020, which reports on key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. In particular, the OCC noted the financial impacts of the Covid-19 pandemic on the federal banking industry, emphasizing that while economic activity rebounded in the third quarter, there is significant ongoing risk. The report discusses, as a special topic in emerging risks, growing trends in payment products and services. The report also highlights several key risk areas for banks: credit, strategic, operational, and compliance. Specifically, the report notes that credit risk is increasing as government assistance programs expire and the economic downturn has led to elevated unemployment levels. The report further notes that strategic risk affecting profitability is an emerging issue due to low interest rates, which historically have negatively affected profitability when kept low for a long period of time. Moreover, the report notes elevated operational risk due to complex operating environments, with cybersecurity being a key concern; the increase in large-scale telework has created unique security and internal control challenges. Lastly, the report discusses elevated compliance risk due to the expedited implementation of a number of Covid-19-related assistance programs.


  • Financial services firm fined $400 million for risk-management deficiencies

    Federal Issues

    On October 7, the OCC and Federal Reserve Board announced enforcement actions against a financial services firm and its national bank subsidiary (bank) to resolve alleged enterprise-wide risk management, data governance, and internal controls deficiencies. According to the OCC’s announcement, the bank allegedly engaged in unsafe or unsound banking practices by failing to “establish effective risk management and data governance programs and internal controls.” While neither admitting nor denying the allegations, the bank has agreed to pay a $400 million civil money penalty. Additionally, under the terms of the OCC’s cease and desist order, the bank must implement corrective measures to improve its risk management, data governance, and internal controls. The agency’s announcement states that the order further requires the bank “to seek the OCC’s non-objection before making significant new acquisitions and reserves the OCC’s authority to implement additional business restrictions or require changes in senior management and the bank’s board should the bank not make timely, sufficient progress in complying with the order.”

    In conjunction with the OCC’s action, the Fed also announced a cease and desist order against the financial services firm, which identified ongoing deficiencies with respect to areas of compliance risk management, data quality management, and internal controls. Among other things, the Fed claims the firm also failed to adequately remediate “longstanding” deficiencies identified in previously issued consent orders, including in areas such as anti-money laundering compliance. The order requires the firm to enhance firm-wide risk management and internal controls, and imposes a series of deadlines for the firm to take measures to ensure compliance with the OCC’s order, enhance its compliance risk management programs, devise a plan to hold senior management accountable, and improve data quality management.


  • OCC releases bank supervision operating plan for FY 2021

    Agency Rule-Making & Guidance

    On October 1, the OCC’s Committee on Bank Supervision released its bank supervision operating plan (plan) for fiscal year 2021. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) credit risk management; (ii) commercial and residential real estate concentration risk management, with a focus in areas heavily impacted by the Covid-19 pandemic; (iii) allowances for loan and lease losses; (iv) cybersecurity and operational resiliency; (v) Bank Secrecy Act/anti-money laundering compliance; (vi) compliance risk management related to Covid-19-related bank activities; (vii) Community Reinvestment Act performance; (viii) fair lending examinations and risk assessments; (ix) LIBOR phase-out preparations; (x) oversight of significant third-party relationships; (xi) change management to address significant operational changes; and (xii) payment systems products and services. The plan will be used by OCC staff members to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches, federal agencies, and technology service providers.

    The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes previously has covered.


  • OCC outlines risk management guidance for loan purchases

    Agency Rule-Making & Guidance

    On September 10, the OCC issued Bulletin 2020-81 to address sound risk management principles concerning loan purchase activities. The OCC reminded banks that loan purchase activities “are subject to certain regulatory standards and long-standing risk management guidelines,” and that banks are expected to engage in these activities “in a safe and sound manner and in compliance with applicable accounting standards, laws, and regulations.” Banks should also ensure loan purchase activities align with strategic plans and are supported by sound risk management systems, the OCC added. The Bulletin includes examples of sound risk management of loan purchase activities, such as (i) developing well-defined strategic plans; (ii) conducting underwriting analysis and due diligence of loans prior to purchase; (iii) evaluating ways loan purchase activities may affect “credit, strategic, reputation, interest rate, liquidity, compliance, and operational risks”; and (iv) ensuring policies and procedures “support effective processes for engaging in loan purchase activities.” Other topics addressed include credit administration, such as due diligence and independent credit analysis, loan portfolio and pool purchases, and recourse arrangements. The OCC also emphasized that because entering into new, modified, or expanded products or services may alter a bank’s risk profile, “bank management should engage in sound risk management to identify, measure, monitor, and control the risks associated with new loan purchase activities.”


  • FINRA fines firm for alleged financial risk management failures

    Securities

    On July 30, the Financial Industry Regulatory Authority (FINRA) entered into a Letter of Acceptance, Waiver and Consent (AWC), fining a global securities firm $650,000 for allegedly failing to “establish, document, and maintain a system of risk management controls and supervisory procedures reasonably designed to manage the financial risks of its market access business activity.” Because the firm’s controls allegedly failed to monitor and prevent (i) orders exceeding pre-set customer credit thresholds, or (ii) erroneous orders, the firm executed erroneous orders on “at least two trade dates.” Additionally, FINRA claimed that even though the firm knew internally of the potential issues in its financial risk management controls, in several instances it took years for the identified gaps to be fixed. The firm neither admitted nor denied the findings set forth in the AWC but agreed to pay the fine and complete a review of its financial risk management controls and supervisory procedures to ensure compliance with SEC regulations.


  • FFIEC discusses additional Covid-19 loan accommodations

    Federal Issues

    On August 3, the member agencies of the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement on managing loan accommodations granted to borrowers pursuant to federal, state, and local law to address Covid-19 related hardships. Specifically, the statement provides risk management and consumer protection principles for financial institutions working with borrowers that are near the end of their initial loan accommodation period. Among other things, the statement outlines:

    • Risk Management Practices. The statement encourages financial institutions to institute sound credit risk management practices following an accommodation period, such as “reassess[ing] risk ratings for each loan based on a borrower’s current debt level, current financial condition, repayment ability, and collateral.” Additionally, the statement encourages institutions to provide “clear, accurate, and timely information to borrowers and guarantors regarding the accommodation” being granted.
    • Sustainable Accommodations. The statement notes that the Covid-19 pandemic may have “long-term adverse impact[s] on borrower’s future earnings” and financial institutions should consider additional accommodation options to mitigate losses for the borrower and institutions by assessing “each loan based upon the fundamental risk characteristics affecting the collectability of that particular credit.”
    • Consumer Protection. The statement encourages financial institutions to provide consumers with options to support repayment at the end of accommodations to avoid delinquencies and to consider offering credit product term changes to “support sustainable and affordable payments for the long term.”
    • Accounting and Regulatory Reporting. The statement emphasizes that financial institutions should consider the effects of the Covid-19 pandemic in their allowance for loan and lease losses (or credit losses) estimation processes, consistent with generally accepted accounting principles.
    • Internal Control Systems. The statement notes that internal control functions for the end of initial accommodation periods and for additional accommodations typically “include appropriate targeted testing of the process for managing each stage of the accommodation.” Additionally, the statement reminds financial institutions of their responsibility for ensuring service providers in charge of these functions act consistently with the institution’s policies and all applicable laws and regulations.


  • FDIC seeks input on voluntary certification of innovative technologies

    Agency Rule-Making & Guidance

    On July 20, the FDIC issued a Request for Information (RFI) seeking input on whether a public/private standard-setting partnership and voluntary certification program could be established to (i) promote the efficient and effective adoption of innovative technologies at supervised financial institutions; and (ii) support financial institutions’ efforts to implement innovative models, manage risk, and conduct due diligence of third-party fintech firms. The RFI is being issued as part of the agency’s FDiTech initiative (covered by InfoBytes here), which was established in 2019 to encourage innovation within the banking industry (particularly at community banks), support collaboration for piloting new products and services, eliminate regulatory uncertainty, and manage risks.

    The FDIC stated that establishing a standards-setting body, developed by regulators and industry stakeholders, would help promote innovation across the banking sector and streamline the vetting process for fintech partners. The agency noted that a voluntary certification program could assist in standardizing due diligence practices and reduce costs for financial institutions that choose to participate. Additionally, the FDIC emphasized that it “is especially interested in information on models and technology services developed and provided by [fintechs].” Comments are due 60 days after publication in the Federal Register.

