InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Bank Holding Company and Nonbank Auto Lender Subsidiary Sign New Written Agreement with Boston Fed
On March 21, the Federal Reserve Bank of Boston (Boston Fed) and a national bank holding company and its nonbank subsidiary (a Dallas-based auto lender) entered into a Written Agreement to address concerns related to their July 2015 Written Agreement, which required a detailed description of the holding company’s efforts to strengthen board oversight specifically with regard to committees, executive positions, and lines of reporting (see July 2015 InfoBytes summary). The 2017 Written Agreement is a result of deficiencies identified by the Boston Fed in the subsidiary’s compliance risk management program. The terms of the current Written Agreement require, among other things, the board of directors of the subsidiary to submit a revised compliance risk management plan addressing, among others: (i) comprehensive compliance risk assessments to identify “risks associated with applicable consumer compliance laws”; (ii) enhanced written policies and procedures to address risks arising from noncompliance; and (iii) a revised code of conduct for employees that outlines rules governing compliance and reporting processes for known or suspected violations of consumer compliance laws, regulations, and supervisory guidance. Furthermore, the company must submit written revisions to its firmwide internal audit program with respect to auditing its revised compliance risk management program.
OCC to Host Workshops for Community Bank Directors in April
On April 25 and 26, the OCC will be hosting two workshops for directors of national community banks and federal savings associations supervised by the OCC. The April 25 workshop will cover “Risk Governance,” including both practical information to help directors effectively measure and manage risks, and insight into the OCC’s approach to risk-based supervision and major risks in the financial industry. The April 26 workshop will focus specifically on credit risk within a loan portfolio, including how to stay informed of changes in credit risk, identifying trends, recognizing problems, the roles of the board and management, and how to effect change.
FDIC Releases Winter 2016 “Supervisory Insights”
On March 7, the FDIC released its Winter 2016 Supervisory Insights, which contains articles discussing credit risk trends and balance sheet growth, emphasizes the importance of strong risk management practices, and provides a roundup of recently released regulatory and supervisory guidance. Doreen Eberley, Director of the FDIC’s Division of Risk Management Supervision, stated in the release that “[h]istorically, financial institutions that have prudently managed loan growth have been better positioned to withstand periods of stress and continue to serve the credit needs of their local communities.” Her statement goes on to “encourage bankers to identify and correct loan underwriting and administration problems before they adversely affect the bottom line.” The Supervisory Insights note that nearly 80 percent of insured institutions grew their loan portfolios during the third quarter of 2016, which is “a figure not far from the peak of nearly 83 percent of institutions that grew their portfolios in 2005.” While this edition focused primarily on lending in the following sectors—commercial real estate, agriculture, and oil and gas—it also stressed the need for managing loan concentrations through strong, forward-looking risk management practices that allow for early intervention.
BAFT Issues Comments on Proposed AML/CFT Guidance Revisions
On February 22, the Bankers Association for Finance and Trade (BAFT), an international financial services association for organizations engaged in international transaction banking, together with the Institute of International Finance (IIF) issued a letter to the Basel Committee on Banking Supervision (BCBS) with comments on BCBS’ proposed revisions to its risk management guidance related to anti-money laundering and counter-terrorism financing. In the letter, BAFT and IFF note that, while both associations are “particularly pleased with [BCBS’] recognition that not all correspondent banking relationships bear the same level of risk and [BCBS’] acknowledgment of the difference between inherent and residual risk,” they do summarize several areas where enhancements would assist with the “general usefulness” of the final guidance:
- BCBS should “design guidance that explicitly permits a correspondent bank to rely upon appropriate utilities for the vast majority of cases rather than simply permitting a correspondent bank to use a utility as another source of information supporting the due diligence process” with the purpose of “establishing international standards or sound practices for such utilities to create greater assurance of achieving official ALM/CFT goals.”
- BCBS should adopt “regulatory practices [that] include standards for ‘verification’ that national authorities could administer or supervise.”
The “[s]tandardization of information requirements (or templates) for utilities could also be extended to include [the] international standardization of basic due diligence information and ‘enhanced due diligence’ information for higher-risk relationships.” A “basic standardization would give both parties a ground of expectations to build upon in making judgments about how to do business. It could [also] eliminate a degree of unnecessary duplication of effort and costs.”
OCC Supplements Exam Procedures Covering Third-Party Relationships: Risk Management Guidance
On January 24, the OCC released Bulletin 2017-7 advising national banks, federal savings associations and technology service providers of examination procedures issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013. As previously summarized in BuckleySandler’s Special Alert, Bulletin 2013-29 requires banks and federal savings associations (collectively “banks”) to provide comprehensive oversight of third parties, and warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” Bulletin 2013-29 outlined a “life cycle” approach and provided detailed descriptions of steps that a bank should consider taking at five important stages of third-party relationships: (i) planning; (ii) due diligence and third party selection; (iii) contract negotiation; (iv) ongoing monitoring; and (v) termination. Following the OCC's issuance of Bulletin 2013-29, the Federal Reserve Board, on December 5, 2013, issued Supervision and Regulation Letter 13-19, which details and attaches the Fed’s Guidance on Managing Outsourcing Risk (SR 13-19). The FRB Guidance is substantially similar to Bulletin 2013-29.
Bulletin 2017-7 outlines procedures designed to help prudential bank examiners: (i) tailor supervisory examinations of each bank commensurate with the level of risk and complexity of the bank’s third-party relationships; (ii) assess the quantity of the bank’s risk associated with its third-party relationships; (iii) assess the quality of the bank’s risk management of third-party relationships involving critical activities; and (iv) determine whether there is an effective risk management process throughout the life cycle of the third-party relationship. Consistent with the life cycle approach established in Bulletin 2013-29, the examination procedures identify steps examiners should take in requesting information relevant to assessing the banks’ third-party relationship risk management relative to each phase of the life cycle.
For additional background, please see our Spotlight Series: Vendor Management in 2015 and Beyond.
Special Alert: OCC Takes the Next Step Toward a Fintech National Bank Charter
On December 2, 2016, the Office of the Comptroller of the Currency (“OCC”) announced its plans to move forward with developing a special purpose national bank charter for financial technology (“fintech”) companies. Accompanying the Comptroller of the Currency, Thomas J. Curry’s announcement, the OCC published a white paper that describes the OCC’s authority to grant national bank charters to fintech companies and outlines minimum supervisory standards for successful fintech bank applicants.[1] These standards would include capital and liquidity standards, risk management requirements, enhanced disclosure requirements, and resolution plans. Over the past several months, the OCC has taken a series of carefully calculated steps to position itself as the preeminent regulator of fintech companies in a hotly-contested race among other federal and state regulators who have similarly expressed interest in formalizing a regulatory framework for fintech companies. This proposal from the OCC reflects the culmination of those efforts.
Click here to read the full special alert
* * *
BuckleySandler welcomes questions regarding this new approach to fintech and banking, and would be happy to assist companies in determining whether a national bank charter would be beneficial for executing on their corporate strategies. Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.
- Jeremiah S. Buckley, (202) 349-8010
- John P. Kromer, (202) 349-8040
- Jeffrey P. Naimon, (202) 349-8030
- Clinton R. Rockwell, (310) 424-3901
- Walter E. Zalenski, (202) 461-2910
FDIC Vice-Chairman Speaks On Strengthening Global Capital
FDIC Vice-Chairman Thomas M. Hoenig spoke at the 22nd Annual Risk USA Conference in New York on November 9. He delivered prepared remarks on “Strengthening Global Capital: An Opportunity Not To Be Lost.” Hoenig discussed his views on key factors at the core of the debate over what defines adequate capital. Specifically, he discussed the controversy over alternative measurements for judging adequate capital currently being considered by the Basel Committee, which he believes will weaken current standards and ultimately justify lower levels of capital. According to Hoenig, “[m]omentum is developing within the Basel Committee to undermine measures that could increase bank capital levels, and some jurisdictions are threatening to walk away if the measures are thought too strict.” Hoenig recommended that the United States “should avoid joining this race to the bottom.”
OCC Updates Community Bank Supervision Comptroller's Handbook
On November 3, the OCC announced an update to the “asset quality core assessment procedures” in its Community Bank Supervision Comptroller’s Handbook (Handbook). Among other things, the revised Handbook: (i) updates concentration risk management procedures and stress testing guidance for community banks; (ii) incorporates procedures for credit underwriting assessments; (iii) enhances appraisal, evaluation, allowance, and credit review examination procedures; and (iv) updates the asset quality references and standard request letter.
CFPB Clarifies "Flexibility" in Third-Party Risk Management
On November 1, the CFPB issued an update to its previous guidance on risk management for third-party service providers. The update is substantially similar to the Bureau’s previous guidance on third-party risk management, but clarifies that the depth and formality of an entity’s risk management program for service providers may vary depending upon (i) the service being performed, and (ii) the service provider’s compliance with federal consumer financial laws and regulations. With this update, the CFPB emphasized that supervised entities have flexibility to allow appropriate risk management of these relationships.
FFIEC Releases FAQs on Cybersecurity Assessment Tool
On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in Summer 2015. Developed to assist financial institutions identify risks and to assess cybersecurity preparedness, use of the Assessment is voluntary. The FAQs guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQs guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectations for Inherent Risk Profile levels to align with an institution’s Cybersecurity Maturity.