InfoBytes Blog

SEC Announces Senior Staff Changes; New Office of Risk and Strategy

On March 8, the SEC announced a change in senior leadership, naming Robert M. Fisher the Managing Executive of the Office of Compliance Inspections and Examinations (OCIE). Succeeding Peter B. Driscoll, Fisher will be responsible for overseeing the OCIE’s business operations, technology servicers, examiner training, and Tips, Complaints and Referrals programs. The SEC also announced a new Office of Risk and Strategy within its Office of Compliance and Inspections and Examinations, naming Driscoll as its Chief Risk and Strategy Officer. The new office is intended to “consolidate and streamline the OCIE’s risk assessment, market surveillance, and quantitative analysis teams and provide operational risk management and organizational strategy for OCIE.” In his new role as Chief Risk and Strategy Officer, Driscoll will lead the Washington, D.C.-based Investment Adviser/Investment Company examination staff.

In a separate March 10 announcement, the SEC named Anthony S. Kelly Co-Chief of the Enforcement Division’s Asset Management Unit (Unit). Succeeding Julie Riewe, Kelly joins Marshall Sprung to lead the Unit, which focuses on misconduct by investment advisers, investment companies, and private funds.

Examination SEC Risk Management

OCC to Host Credit and Compliance Risks Workshops

On March 22, the OCC will host a Credit Risk workshop for directors of national community banks and federal savings associations. The workshop will focus on credit risk within the loan portfolio, including identifying trends and recognizing problems. In addition, the workshop will address (i) the board and management’s roles; (ii) how to stay informed of changes in credit risk; and (iii) how to effect change. On March 23, the OCC will host a separate Compliance Risk workshop that will include lectures, discussions, and exercises on key elements of a robust compliance risk management system. Topic discussions will include the BSA, Community Reinvestment Act, and the TRID rule. Both workshops will take place in Santa Ana, California; capacity is limited to the first 35 registrants.

OCC Bank Compliance Community Banks Risk Management

FDIC Updates Videos on Interest Rate Risk

On February 3, the FDIC issued FIL-10-2016 announcing the release of updated videos on interest rate risk. The new videos are intended to provide directors, management, and staff of financial institutions with a better understanding of interest rate risk and how to manage it. The FDIC previously released an interest rate video made specifically for directors, and a series of more technical videos tailored to management and staff responsible for interest rate risk management. The FDIC’s updated videos (i) reflect recent industry data and expand on relevant topics; (ii) emphasize the FDIC’s expectation that institutions prudently manage interest rate risk; and (iii) address industry trends, board and management responsibilities, types of interest rate risk, various risk measurement systems, key modeling assumptions, internal controls, and independent review. Finally, according to the FDIC, “[f]inancial institution balance sheets continue to reflect a heightened mismatch between asset and funding maturities that, coupled with tighter net interest margins, have left financial institutions more vulnerable to rising interest rates.”

FDIC Risk Management

FDIC Scott Strockoz to Serve as Acting National Director of Minority and Community Development Banking

On January 15, the FDIC announced that Robert W. Mooney, national director for Minority and Community Development Banking, retired at the end of 2015. Scott D. Strockoz will serve as acting national director for Minority and Community Development Banking. Strockoz currently serves as deputy regional director in the New York Region and oversees examination activities regarding financial institutions’ compliance with consumer protection, fair lending, and community reinvestment laws and regulations. Strockoz “holds examiner commissions in both risk management and consumer protection and has additionally served as review examiner, field supervisor, acting regional director, and acting associate director, Compliance and Consumer Protection.”

FDIC Bank Compliance Community Banks Risk Management

Second Circuit Affirms District Court Ruling, Dismisses Case Alleging Breach of Fiduciary Duty

On January 6, the Court of Appeals for the Second Circuit affirmed the Southern District of New York’s decision to dismiss a derivative action alleging that the Chief Executive Officer, Chairman of the Board of Directors, ten other Board members, and two former corporate officers and advisers of the nominal defendant financial institution ignored “glaring ‘red flags’ of suspicious and illicit misconduct associated with” Bernard Madoff’s Ponzi scheme and Madoff’s investment advisory unit’s account with the institution. Cent. Laborers’ Pension Fund v. Dimon, No. 14-4516, (2nd Cir. Jan. 6, 2015). In July 2014, “the District Court dismissed plaintiffs’ complaint on the ground that they ‘failed to allege with particularity facts sufficient to excuse [their] failure to make demand upon the Board prior to filing’ their action.” The District Court found that the plaintiffs had not alleged that the defendants (i) “‘utterly failed to implement any reporting or information system or controls’”; or (ii) “‘having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.’” (quoting Stone v. Ritter, 911 A.2d 362, 370 (Del. 2006)). The District Court further found that because the plaintiffs only claimed that the financial institution’s controls were “inadequate,” as opposed to nonexistent, they were unable to maintain a Caremark action, i.e., an action for failure to monitor. See Caremark Int’l Inc. Derivative Litig., 698 A.2d 959 (Del. Ch. 1996). Plaintiffs challenged the District Court’s ruling on the grounds that “they should have been required to plead only defendants’ ‘utter failure to attempt to assure a reasonable information and reporting system existed,” as opposed to failing to implement any reporting or information system or controls. The Second Circuit upheld the District Court’s decision, however, maintaining that “the standard that the District Court applied was taken verbatim from Stone v. Ritter, a Delaware Supreme Court decision that the District Court was obligated to follow,” and although the language the plaintiffs contended should have been used was taken from Caremark, Caremark is not controlling because it was issued by a lower court than Stone before Stone was issued and Stone interpreted Caremark. The Second Circuit further opined that it was not clear that replacing the Stone standard with the language from Caremark would have made a “difference in the disposition of plaintiffs’ action” because of facts demonstrating an “attempt to assure a reasonable information and reporting system existed.”

Risk Management Second Circuit

FINRA Releases 2016 Regulatory and Examination Priorities Letter

On January 5, FINRA released a letter regarding its regulatory and examination priorities for 2016. The letter focuses on the following three broad issues within the securities industry: (i) culture, conflicts of interest and ethics; (ii) supervision, risk management and controls; and (iii) liquidity. Regarding FINRA’s assessment of firm culture, the letter notes that FINRA “will focus on the frameworks that firms use to develop, communicate, and evaluate conformance to their culture,” assessing five specific indicators of a firm’s culture, including (among others) whether policy or control breaches are tolerated. In connection with supervision and risk management, FINRA will focus its examination efforts on the following four areas that continue to affect firms’ business conduct and market integrity: (i) management of conflicts of interest; (ii) technology; (iii) outsourcing; and (iv) anti-money laundering. Finally, in connection with liquidity, FINRA plans to review firms’ contingency funding plans as they relate to their business models, noting that the framework for FINRA’s reviews will be driven by the effective practices contained in Regulatory Notice 15-33. Additional areas of regulatory and examination focus for FINRA in 2016 will include but are not limited to: (i) protecting seniors and vulnerable investors from fraud, sales practice abuse, and financial exploitation; (ii) private placements and Regulation A+ public offerings; (iii) financial and operational controls concerning exchange-traded funds and fixed-income prime brokerage; and (iv) market integrity.

Examination FINRA Investment Adviser Broker-Dealer Risk Management

Vendor Management in 2015 and Beyond

With evolving regulatory expectations and increased enforcement exposure, financial institutions are under more scrutiny than ever. Nowhere is this more evident than in the management and oversight of service providers. When service providers are part of an institution’s business practice, understanding the expectations of regulators, investors, and counterparties for compliance with consumer financial laws is critical.

CFPB Guidance

In 2012, the CFPB issued Bulletin 2012-03, which outlines the CFPB’s expectations regarding supervised institutions’ use of third party service providers. Banks and nonbanks alike are expected to maintain effective processes for managing the risks presented by service providers, including taking the following steps:

• Conducting thorough due diligence of the service provider to ensure that the service provider understands and is capable of complying with federal consumer financial law
• Reviewing the service provider’s policies, procedures, internal controls, and training materials
• Including clear expectations in written contracts
• Establishing internal controls and on-going monitoring procedures
• Taking immediate action to address compliance issues

Implementing consistent risk-based procedures for monitoring third party service provider relationships is an extremely important aspect of meeting the CFPB’s expectations and mitigating risk to the institution.

The Risk Management Lifecycle and Best Practices

The CFPB is but one of many agencies that have circulated vendor management guidance.  Other federal prudential regulators—most notably the Office of the Comptroller of the Currency—have developed regulatory guidance describing a “lifecycle” for oversight of third parties that supervised institutions are expected to follow.  The risk management lifecycle of a service provider relationship consists of:

• Planning/risk assessment
• Due diligence and service provider selection
• Contract negotiation and implementation
• Ongoing relationship monitoring
• Relationship termination/contingency plans

Supplemented by enhanced risk management processes, including meaningful involvement by the Board of Directors and extensive monitoring of performance and condition, the new framework for oversight of third parties can present both cost and operational challenges for all institutions.  Financial institutions would be prudent to implement the following best practices into their vendor management procedures, among others:

• Staffing sufficiently to ensure that service providers are properly monitored
• Incorporating Board and senior executive involvement throughout the process
• Documenting its efforts at every stage of the lifecycle

CFPB OCC Vendors Risk Management Valerie Hletko Jeffrey Naimon Chris Witeck Jon Langlois

OCC Releases Semiannual Risk Perspective Report

On December 16, the OCC released its Semiannual Risk Perspective report to provide an overview of supervisory concerns for the federal banking system, including operational and compliance risks. According to the report, which covers data through June 30, 2015, risks relating to strategic, compliance, and interest rates remain unchanged, but risks connected to underwriting and cybersecurity continue to grow. Notable findings in the report reveal that (i) the low interest rate environment has led banks to reevaluate risk tolerance and extend their reach for yield; and (ii) banks are responding to competitive pressures and growth objectives by adopting a more relaxed approach toward credit underwriting standards and practices, particularly in high-growth loan segments, such as indirect auto, commercial and industrial, and multifamily.

The report emphasizes cyber threats and Bank Secrecy Act (BSA) and anti-money laundering (ALM) risks as growing concerns, commenting that “[c]yber attacks against cybersecurity products and services further increase risk to banks because of the release or sale of malware and zero-day vulnerabilities,” and “BSA/AML risks remain high, as technological developments that benefit customers through enhanced products and greater access to financial services may be vulnerable to criminals who exploit such innovations.”

OCC Anti-Money Laundering Bank Secrecy Act Risk Management Privacy/Cyber Risk & Data Security

New York DFS Announces Enforcement Action Against Pakistan-Based Bank's New York Branch

On December 17, the New York DFS announced an enforcement action against a New York branch of a Pakistan-based bank. The Federal Reserve Bank of New York (FRBNY) and the DFS recently conducted an examination of the branch and found significant risk management and compliance failures with regard to state and federal laws, rules, and regulations relating to anti-money laundering (AML) compliance. Under the terms of the DFS’s order, the branch agreed to reform its policies and procedures to ensure compliance with AML laws. Per the order, the bank must submit to the DFS, within 60 days of the order, a number of written programs regarding its (i) corporate governance and management oversight; (ii) BSA/AML compliance review; (iii) customer due diligence; and (iv) suspicious activity monitoring and reporting. The branch must also hire an independent third-party approved by the DFS and the FRBNY to review the effectiveness of the bank’s compliance program, and to prepare a written report of its findings, conclusions, and recommendations for the program. Because the branch’s compliance with OFAC regulations was insufficient, the order also mandates that the bank retain an independent third-party to examine its U.S. dollar-clearing transactions between October 2014 and March 2015. Significantly, the order does not require the branch to pay a civil money penalty.

Examination Anti-Money Laundering Bank Secrecy Act Bank Compliance Enforcement OFAC Risk Management NYDFS

OCC Updates Risk Assessment Guidance

On December 3, the OCC revised its Comptroller’s Handbook to include updated guidance regarding its risk assessment system (RAS). The RAS guidance clarifies the relationship between RAS and the Uniform Financial Institutions Rating System known as CAMELS. In addition, the guidance revises the definition of banking risk and applies a single definition – “the potential that events will have an adverse effect on a bank’s current or projected financial condition and resilience” – to all categories. Finally, the guidance expands the quality of risk management assessment to include a category of “insufficient,” between the already existing categories of “satisfactory” and “weak,” and also expands the assessment of strategic and reputation risk to consider both quantity of risk and quality of risk management.

OCC Risk Management