InfoBytes Blog

Financial Services Law Insights and Observations

  • FFIEC addresses LIBOR transition

    Federal Issues

    On July 1, the member agencies of the Federal Financial Institutions Examinations Council (FFIEC) issued a joint statement highlighting several risks that will result from the anticipated cessation of LIBOR at the end of 2021. Institutions with LIBOR exposures should put in place appropriate risk management processes “commensurate with the size and complexity of their exposures” to identify and mitigate financial, legal, operational, and consumer protection risks related to the transition, the FFIEC warned. Among other things, the FFIEC noted that as part of the agencies’ examination activities, “supervisory staff will ask institutions about their planning for the LIBOR transition including the identification of exposures, efforts to include fallback language or use alternative reference rates in new contracts, operational preparedness, and consumer protection considerations.” Additionally, agencies will increase their supervisory focus on evaluating institutions’ preparedness for LIBOR’s discontinuation during 2020 and 2021, “particularly for institutions with significant LIBOR exposure or less-developed transition processes.” Key recommendations include (i) identifying and quantifying LIBOR exposure across all products; (ii) discontinuing the origination or purchase of LIBOR-indexed instruments to limit exposure; (iii) creating transition plans for consumer financial products in order to develop clear, timely consumer disclosures regarding any changes in terms; and (iv) developing strategic transition plans with milestones and key completion dates addressing areas such as third-party risk management.

    The OCC also issued a bulletin expanding on the joint statement and providing guidance for regulated banks.

    Federal Issues FFIEC LIBOR OCC Risk Management

  • OCC highlights key risks for federal banking system, says compliance risk elevated due to Covid-19

    Federal Issues

    On June 29, the OCC released its Semiannual Risk Perspective for Spring 2020, which reports on key risk areas that pose a threat to the safety and soundness of national banks and federal savings associations. In particular, the OCC focused this report on the financial impacts of the Covid-19 pandemic on the federal banking industry, emphasizing that weak economic conditions stemming from the shutdown will stress financial performances in 2020, and that banks should monitor elevated compliance risks that may occur as a result of their responses to the pandemic, including participating in the Paycheck Protection Program as well as forbearance and deferred payment programs. The report highlighted that the surge in consumer demands, government programs, and the modifications to operations due to remote work and the “short timelines for implementing changes placed additional strains on banks already operating in a stressed environment.” However, the report noted that, “[s]ome banks are leveraging innovative technologies and third parties, including fintech firms, to help manage these challenges,” and that “[b]ank risk management programs should maintain effective controls for third-party due diligence and monitoring and other oversight processes, operational errors, heightened cyber security risks, and potential fraud related to stimulus programs.” The report highlighted several areas of concern for banks, including (i) credit risk increases; (ii) interest rate risk, including risks related to the LIBOR cessation; (iii) operational risks related to banks’ Covid-19 response; (iv) heightened cyber risks; and (v) compliance risks related to Bank Secrecy Act/anti-money laundering laws, consumer compliance, and fair lending.

    Federal Issues OCC Covid-19 Risk Management Fintech Third-Party SBA Compliance

  • FFIEC discusses cloud computing risk management practices

    Agency Rule-Making & Guidance

    On April 30, the FFIEC released a statement on risk management principles for cloud computing security in the financial services sector. The FFIEC emphasizes that the statement does not contain new regulatory expectations, but rather highlights examples of risk management practices for the safe and sound use of cloud computing services, along with safeguards for protecting customers’ sensitive information from risks that may cause potential consumer harm. Among other things, the statement stresses that management should understand the division of responsibilities between a financial institution and a cloud service provider in order to assess and implement appropriate controls over operations to prevent the increased risk of operational failures or security breaches. The FFIEC also addresses the importance of protecting customer-sensitive information from unsafe or unsound practices by implementing “an effective risk management process for cloud computing commensurate with the level of risk and complexity of the financial institution’s operations residing in a cloud computing environment.” The statement provides a list of government and industry resources and references to assist financial institutions when using cloud computing services.

    Agency Rule-Making & Guidance FFIEC Privacy/Cyber Risk & Data Security Risk Management Covid-19

  • Georgia Department of Banking and Finance issues bulletin regarding lending, liquidity, business continuity, and regulatory reporting

    State Issues

    The Georgia Department of Banking and Finance has issued its monthly bulletin for financial institutions in which it provides guidance on lending, liquidity, business continuity planning, and regulatory reporting. Among other things, the department reiterates the importance of liquidity risk management during Covid-19 and urges financial institutions to consider the impact of certain scenarios on their liquidity. The department also provides questions that financial institutions should consider as part of their pandemic planning. The bulletin also notes that, for banks and credit unions, the department is implementing electronic document and payment submission for correspondence, applications, and requests, including any applicable fees.

    State Issues Covid-19 Georgia Lending Bank Regulatory Risk Management Bank Compliance Credit Union

  • OCC issues Comptroller’s Handbook booklet updating interest rate risk

    Agency Rule-Making & Guidance

    On March 26, the OCC issued Bulletin 2020-26 announcing the revision of the Interest Rate Risk booklet of the Comptroller’s Handbook, which replaces the June 1997 version of the same name. The revised booklet “incorporates and reflects applicable statutes and regulations, guidance, and examination procedures,” and expands model risk and model risk management discussions, “including developing, reviewing, and stress testing model assumptions.” The revised booklet also provides guidelines “consistent with the Pillar 2 supervisory approach outlined in the Basel Committee on Banking Supervision’s Interest Rate Risk in the Banking Book.”

    Agency Rule-Making & Guidance OCC Comptroller's Handbook Interest Rate Basel Risk Management

  • OCC updates FAQs on third-party risk management

    Agency Rule-Making & Guidance

    On March 5, the OCC released Bulletin 2020-10, which provides answers to frequently asked questions (FAQs) concerning its existing guidance on management of third-party relationships, including relationships with fintech firms and data aggregators. This bulletin, issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” rescinds (but incorporates the substance of) OCC Bulletin 2017-21 (covered by InfoBytes here). Key topics addressed in the new FAQs include:

    • clarifying the definition of “third-party relationships” and “business arrangements”;
    • outlining expectations for banks that have third-party relationships with cloud computing providers or data aggregators;
    • addressing a bank’s reliance on and use of third party-provided reports, certificates of compliance, and independent audits;
    • discussing risk management when a third party—such as a less established fintech firm, start-up, or other small business—has limited ability to provide the same level of financial information or other due diligence-related information as a more established third party;
    • suggesting approaches for due diligence and ongoing monitoring in instances where the bank has limited negotiating power;
    • addressing ways banks can offer products or services to underbanked/underserved populations through fintech third-party relationships;
    • discussing considerations for banks when entering into a marketplace lending arrangement with a nonbank entity; and
    • outlining measures to address risk management when obtaining alternative data from a third party that may be used by or on behalf of a bank.

    The bulletin also reiterates that banks are expected “to practice effective risk management regardless of whether the bank performs an activity internally or through a third party,” and that a “bank’s use of third parties does not diminish the bank’s responsibility to perform the activity in a safe and sound manner and in compliance with applicable laws and regulations.”

    Agency Rule-Making & Guidance OCC Third-Party Risk Management Fintech

  • FDIC guide encourages fintech/bank partnerships

    Agency Rule-Making & Guidance

    On February 24, the FDIC’s technology lab, FDiTech, announced the release of a new guide intended to assist fintech companies and other third parties with bank partnerships. Conducting Business with Banks: A Guide for Fintechs and Third Parties identifies several areas for third parties to consider when exploring potential partnerships with banks, relevant to navigating regulatory requirements and due diligence processes. These include being able to: (i) “[u]nderstand the framework of laws and regulations” applicable to banks, such as those “related to consumer protection, privacy and data security, . . . the Bank Secrecy Act[,] and federal anti-money laundering laws”; (ii) “[m]aintain a well-managed and financially strong business”; (iii) respond to requests for information from potential partners that demonstrate “product integrity, risk management mitigation, and consumer protection”; and (iv) demonstrate the ability to ensure ongoing compliance with applicable laws and regulations and that appropriate monitoring systems have been implemented. The guide also outlines special considerations for modelers, and emphasizes that banks will expect to understand a third party’s use of models and algorithms or other automated decision-making systems.

    As previously covered by InfoBytes, FDiTech was established in 2019 to encourage innovation within the banking industry, support collaboration for piloting new products and services, eliminate regulatory uncertainty, and manage risks.

    Agency Rule-Making & Guidance FDIC Fintech Third-Party Risk Management

  • Fannie Mae adds new entities to fake-employer list

    Federal Issues

    On January 29, Fannie Mae issued a new fraud alert to mortgage lenders warning them of 15 new potentially fictitious employers that have recently been appearing on mortgage applications. As previously covered in InfoBytes, Fannie Mae’s mortgage fraud program has issued several prior alert bulletins to the mortgage industry regarding active and potentially fraudulent schemes, all of which have identified fake employers in California. This new alert adds 15 additional California companies to that list, which now includes 65 potentially fake companies. The GSE alert offers “red flags” for lenders to be aware of when processing loan applications, including high starting salaries and paystubs that lack common withholdings for such things as health insurance and 401(k). Additionally, the alert bulletin suggests that lenders verify the existence of employers listed on borrower applications, and practice careful due diligence in the entire application process.

    Federal Issues GSE Fannie Mae Mortgages Mortgage Fraud Fraud Risk Management State Issues

  • CFTC adopts NIST Privacy Framework

    Privacy, Cyber Risk & Data Security

    On January 28, the CFTC announced that it has adopted the National Institute of Standards and Technology (NIST) Privacy Framework, making it the first federal agency to do so. NIST’s September release of a preliminary draft of the framework, covered by InfoBytes here, described it as “[a] Tool for Improving Privacy through Enterprise Risk Management.” Among other things, the privacy framework, which advances guidance to mitigate cybersecurity risk, describes processes to mitigate risks associated with data processing and privacy breaches and to assess current privacy risk management measures. According to the announcement, the CFTC will utilize the framework to “better manage and communicate privacy risk throughout the agency,” making it a leader in the data privacy protection arena.

    Privacy/Cyber Risk & Data Security NIST CFTC Risk Management

  • SEC reports cybersecurity and resiliency observations

    Agency Rule-Making & Guidance

    On January 27, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced the release of a report entitled Cybersecurity and Resiliency Observations, compiled from an assessment of prior examinations. The report provides best practices for regulated entities to increase readiness and awareness related to cybersecurity. Echoing themes from the OCIE’s risk-based exam priorities, previously covered by InfoBytes here, the report also emphasizes risk management. Some of the highlights of the report include:

    • Governance and Risk Management. OCIE lists senior level engagement as an important factor in an effective cybersecurity program. Also important is a thorough program risk assessment as well as the application of policies and procedures based on the assessment. Additionally, the cybersecurity program should continuously evolve, and provide for constant testing and monitoring.
    • Access Rights and Controls. OCIE emphasizes the need for controls to limit access to certain data only to authorized users. Organizations should set out policies and procedures to monitor for unauthorized users, require periodic password changes for users, and review systems for changes that are not approved.
    • Data Loss Prevention. Many firms protect sensitive data by using vulnerability scanning as well as perimeter security to monitor network traffic. Firms may utilize technology that can monitor for and detect network threats and insider threats. Also, encrypting data as it moves into and out of the network, and segmenting data for use only by authorized systems are key data loss prevention measures.
    • Mobile Security. Firms that use mobile devices and applications may require enhanced security policies including the use of multi-factor authentication, limiting firm information that can be extracted from devices, and enabling the firm to remotely clear content when devices are lost or stolen. Training is also an important practice.
    • Incident Response and Resiliency. Effective risk-based incident response plans developed by firms focus on detection and corrective actions. The plans include business continuity as well as regular testing and reassessment of the plan.
    • Vendor Management. OCIE promotes proper due diligence of vendors as well as effective management of vendors including monitoring and testing to ensure security requirements are continually met.
    • Training and Awareness. OCIE notes that many firms incorporate effective policies and procedures into training, periodically re-evaluate training programs, and ensure employee participation.

    Agency Rule-Making & Guidance SEC Privacy/Cyber Risk & Data Security Securities Supervision Risk Management
