InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Legislation Reintroduced to Base SIFI Determination on Risk Rather Than Asset Size
On July 19, Representative Blaine Luetkemeyer (R-Mo.) reintroduced legislation designed to overhaul the process used to manage systemic risk by basing the regulation of financial institutions on risk rather than asset size alone. As set forth in a press release issued by Rep. Luetkemeyer’s office, the Systemic Risk Designation Improvement Act of 2017 would replace the $50 billion threshold for designating a bank holding company as a Systemically Important Financial Institution (SIFI) with a series of standards for evaluating risk. The legislation would require the Federal Reserve to evaluate an “institution’s size, interconnectedness, substitutability, global cross-jurisdictional activity, and complexity” before designating it as a SIFI. The legislation was previously introduced in the House, but discussion was delayed to provide Rep. Luetkemeyer with time to propose a method for funding the proposed changes, which are estimated to cost more than $115 million. (See previous InfoBytes summary here.)
“This legislation supports economic growth throughout the country because it will free commercial banks to make loans while allowing financial regulators the ability to apply enhanced standards on banks based on actual risk posed to the financial system–rather than on arbitrary asset size alone," Luetkemeyer pronounced.
OFAC Settles with International Insurance Group over Charges of Violating Sanctions Programs
On June 26, the Treasury’s Office of Foreign Asset Control (OFAC) reached a settlement with an international financial services and insurance company based in New York for alleged violations of OFAC sanctions programs. OFAC claimed that the company “issued policies and insurance certificates, and/or processed claims and other insurance-related transactions that conferred economic benefit to sanctioned countries or persons and undermined the policy objectives of several U.S. economic sanctions programs.” Specifically, OFAC maintained the company violated the following sanctions programs: (i) Iranian Transactions and Sanctions Regulations, 31 C.F.R. Part 560 (ITSR); (ii) Weapons of Mass Destruction Proliferators Sanctions Regulations, 31 C.F.R. Part 544 (WMDPSR); (iii) Sudanese Sanctions Regulations, 31 C.F.R. Part 538 (SSR); and (iv) Cuban Assets Control Regulations, 31 C.F.R. Part 515 (CACR). The settlement requires the company to pay $148,698 to settle the claims, which the company voluntarily self-disclosed to OFAC.
For others to avoid these issues, OFAC suggested that “the best and most reliable approach for insuring global risks without violating U.S. sanctions law is to insert in global insurance policies an explicit exclusion for risks that would violate U.S. sanctions laws.”
OCC Releases Spring 2017 Semiannual Risk Report
On July 7, the Office of the Comptroller of the Currency (OCC) announced the release of its Semiannual Risk Perspective for Spring 2017 indicating key risk areas for national banks and federal savings associations. Acting Comptroller of the Currency Keith Noreika pointed out in his remarks that, “[w]hile these are risks that the system faces as a whole, we note that the risks differ from bank to bank based on size, region, and business model. Compliance, governance, and operational risk issues remain leading risk issues for large banks while strategic, credit, and compliance risks remain the leading issues for midsize and community banks.”
The report details the four top risk areas:
- Elevated strategic risk—banks are expanding into new products and services as a result of fintech competition. According to the report, this competition is increasing potential risks. The OCC hopes to finish developing a special purpose banking charter for fintech companies soon.
- Increased compliance risk—banks must comply with anti-money laundering rules and the Bank Secrecy Act in addition to addressing increased cybersecurity challenges and new consumer protection laws.
- Upswing in credit risk—underwriting standards for commercial and retail loans have been relaxed as banks exhibit greater enthusiasm for risk and attempt to maintain loan market share as competition increases.
- Rise in operational risk—banks face increasingly complex cyber threats while relying on third-party service providers, which may be targets for hackers.
The report used data for the 12 months ending December 31, 2016.
Fed Fines New York Bank $3 Million for Violating Regulatory Risk Capital Requirements
On June 26, the Federal Reserve fined a New York-based bank $3 million for unsafe and unsound banking practices after the firm allegedly assigned a lower risk weighting to a portfolio of assets in violation of then-applicable Basel I regulatory risk capital requirements. According to the consent order, between 2010 and 2014, the bank consolidated a portfolio of collateralized loan obligations onto its balance sheet. It allegedly assigned a zero-risk weighting to the assets improperly, and therefore overstated its risk-based capital ratios and set aside less capital than it should have.
OCC to Host Operational Risk Workshop, Will Hold Innovation "Office Hours"
On July 25, the OCC will host an operational risk workshop in Charleston, WV for directors of national community banks and federal savings associations supervised by the OCC. The workshop will focus on the key components of operational risk, governance, third-party risk, vendor management, and cybersecurity.
Additionally, on July 24 through the 26, the OCC’s Office of Innovation will hold “Office Hours” in New York City for national banks, federal savings associations, and fintech companies to provide an opportunity for attendees to discuss matters related to financial technology, new products and services, bank or fintech partnerships, as well as other items related to financial innovation. Meeting requests are due by July 5.
OCC, Fed Supervisory Guidance on Model Risk Management Followed by FDIC
On June 7, the FDIC issued Financial Institution Letter FIL-22-2017 announcing that, in order to provide consistency across institutions and agencies, it is adopting the 2011 model risk management supervisory guidance that was issued by the Federal Reserve (SR 11-7 ) and the OCC (OCC Bulletin 2011-12) thereby making the guidance applicable to certain FDIC-supervised institutions, namely those with $1 billion or more in total assets. The FDIC guidance defines the term “model” as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.” The FDIC indicated that banks’ heavy reliance on models in financial decision-making can come with costs, especially when the decisions are “based on models that are incorrect or misused.”
According to the FIL, the guidance contains “technical conforming changes” that make it relevant to institutions that are regulated by the FDIC, such as a “revised definition of 'banks' to reflect the FDIC's supervisory authority.”
Among other things, the FIL highlights that an effective model risk management framework should include the following:
- “disciplined and knowledgeable development that is well documented and conceptually sound”;
- “controls to ensure proper implementation”;
- “processes to ensure correct and appropriate use”;
- “effective validation processes”; and
- “strong governance, policies, and controls.”
For institutions with assets totaling less than $1 billion, the guidance will only apply in certain circumstances, such as when “the institution's model use is significant, complex, or poses elevated risk to the institution.”
Special Alert: OCC Issues Supplement to Third-Party Oversight Guidance, Emphasizes Bank Responsibilities in Managing Risks in Fintech Relationships
On June 7, the Office of the Comptroller of the Currency (OCC) issued Bulletin 2017-21 as a supplement to Bulletin 2013-29, the OCC’s 2013 risk management guidance related to third-party relationships. The OCC’s latest release answers 14 frequently asked questions (FAQs) and marks the second supplement issued this year to Bulletin 2013-29. Previously, on January 24, 2017, the OCC issued Bulletin 2017-7 to advise national banks, federal savings associations, and technology service providers of examination procedures the OCC would follow during supervisory examinations.
As previously summarized in Buckley Sandler’s Special Alert, Bulletin 2013-29 requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, and warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” Bulletin 2013-29 outlined a “life cycle” approach and provided detailed descriptions of steps that a bank should consider taking at five important stages of third-party relationships: (i) planning; (ii) due diligence and third-party selection; (iii) contract negotiation; (iv) ongoing monitoring; and (v) termination. Consistent with the life cycle approach established in Bulletin 2013-29, the examination procedures set forth in Bulletin 2017-7 identify steps examiners should take in requesting information relevant to assessing the banks’ third-party relationship risk management at each phase of the life cycle.***
Click here to read full special alert.If you have questions about the ruling or other related issues, visit our Vendor Management and FinTech practice pages for more information, or contact a Buckley Sandler attorney with whom you have worked in the past.
OCC Supplement Answers Frequently Asked Questions Covering Third-Party Relationships: Risk Management Guidance
On June 7, the OCC released Bulletin 2017-21, which provides answers to frequently asked questions from national banks and federal saving associations concerning third-party procedure guidance. The Bulletin, issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance” released October 30, 2013, highlights the OCC’s responses to the following topics:
- defines third-party relationships and provides guidance on conducting due diligence and ongoing monitoring of service providers;
- provides insight on how to adjust risk management practices specific to each relationship;
- discusses ways to structure third-party risk management processes;
- discusses advantages and disadvantages to collaboration between multiple banks when managing third-party relationships;
- outlines bank-specific requirements when using collaborative arrangements;
- provides information-sharing forums that offer resources to help banks monitor cyber threats;
- discusses how to determine whether a fintech relationships is a “critical activity” and covers risks associated with engaging a start-up fintech company;
- addresses ways in which banks and fintech companies can partner together to serve underbanked populations;
- covers criteria to consider when entering into a marketplace lending arrangement with a nonbank entity;
- clarifies whether OCC Bulletin 2013-29 applies when a bank engages a third-party to provide mobile payments options to consumers;
- outlines the OCC’s compliance management requirements;
- discusses banks’ rights to access interagency technology service provider reports; and
- answers whether a bank can rely on the accuracy of a third-party’s risk management report.
As previously covered in InfoBytes, the OCC released a supplement (Bulletin 2017-7) to Bulletin 2013-29 in January of this year identifying steps prudential bank examiners should take when assessing banks’ third-party relationship risks.
OCC to Host Workshops for Community Bank Directors in June
On June 20 and 21, the OCC will be hosting two workshops in Nashville for directors of national community banks and federal savings associations supervised by the OCC. The June 20 “Credit Risk” workshop will focus on ways to identify trends and recognize problems within a loan portfolio. In addition, the workshop will discuss board and management roles, how to stay informed of changes in credit risk, and how to effect change. The June 21 “Operational Risk” workshop will focus on the key components of operational risk, and also cover governance, third-party risk, vendor management, and cybersecurity.
Additionally, from June 26 to 28, the OCC will be hosting a “Building Blocks for Directors” workshop in Atlanta for directors, senior management team members, and other key executives of national community banks and federal savings associations supervised by the OCC. The workshop will: (i) focus on the duties and core responsibilities of directors and management; (ii) discuss major laws and regulations; and (ii) provide insight on the examination process.
OCC Updates Comptroller’s Handbook, Issues New Guidance for Evaluating Retail Lending Risk Management
On April 12, the OCC issued Bulletin OCC 2017-15 announcing its new booklet, “Retail Lending,” which discusses retail lending risks and measures for evaluating retail credit risk management activities. The booklet, part of the Comptroller’s Handbook, applies to “examinations of all institutions engaged in retail lending” and supplements the following core assessment sections: “Large Bank Supervision,” “Community Bank Supervision,” and “Federal Branches and Agency Supervision.” According to the Bulletin, Examiners should reference this booklet when review beyond the core assessment is appropriate because the specific products, services, or activities “have a material impact on the risk profile and financial condition” of banks. The new booklet describes (i) “characteristics of an effective retail credit risk management framework”; (ii) “criteria examiners should consider when evaluating retail credit originations, account management, collections, and portfolio management activities and processes”; and (iii) “objectives of control functions commonly used in a retail lending business to measure performance, make decisions about risk, and assess the effectiveness of processes and personnel.”