
InfoBytes Blog

Financial Services Law Insights and Observations


  • FDIC Issues Letter to Financial Institutions Regarding Applicability of Payday Lending Rules

    Consumer Finance

    On November 16, the FDIC issued FIL-52-2015 to advise financial institutions that it revised its 2005 guidance on payday lending, which established the FDIC’s expectations for prudent risk-management practices in the payday loan industry. The letter emphasizes that the 2005 payday lending guidance, as issued in FIL-14-2005, does not apply to depository institutions offering certain products and services, such as deposit accounts and extensions of credit, to non-bank payday lenders. Specifically, the letter states, “[f]inancial institutions that can properly manage customer relationships and effectively mitigate risks are neither prohibited nor discouraged from providing services to any category of business customers or individual customers operating in compliance with applicable state and federal laws.”

    FDIC Payday Lending Deposit Products Risk Management

  • FFIEC Releases Revised Management Booklet with Emphasis on Sound IT Governance

    Privacy, Cyber Risk & Data Security

    On November 10, the FFIEC issued a revised Management booklet, which outlines the principles of overall sound governance and, more specifically, IT governance. The booklet is one of 11 that make up the FFIEC’s Information Technology Examination Handbook, and explains how risk management, including IT risk management, is a component of governance. The handbook emphasizes that the board of directors sets the tone and the direction of an institution’s IT program. Specifically, the board’s responsibilities include (i) reviewing and approving an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity; (ii) overseeing an institution’s process for approving third-party vendors; (iii) approving policies to report significant security issues to the board, steering committee, government agencies, and law enforcement, as necessary; (iv) holding management accountable for identifying, measuring, and mitigating IT risks; and (v) providing independent, comprehensive, and effective audit coverage of IT controls. The revised handbook incorporates cybersecurity concepts as an integral part of maintaining effective IT policies and procedures, noting that, “[a]lthough an institution is not required to have a separate cybersecurity program, its information security program should identify, measure, mitigate, monitor, and report on the heightened risks associated with cybersecurity.”

    Vendors FFIEC Risk Management Privacy/Cyber Risk & Data Security

  • Federal Reserve Chair Janet Yellen Delivers Semi-Annual Report on Supervision and Regulation

    Consumer Finance

    On November 4, Federal Reserve Chair Janet Yellen testified before the House Committee on Financial Services. The topic of Chair Yellen’s testimony was “the lessons of the financial crisis and how we have transformed our regulatory and supervisory approach.” She explained that, prior to the crisis, the Fed’s “primary goal was to ensure the safety and soundness of individual financial institutions” and that, since the crisis, the Fed’s aim has been to regulate and supervise “in a manner that promotes the stability of the financial system as a whole.” Yellen went on to explain that the regulatory approaches adopted to address both large financial institutions and companies and community banks have been different. According to Yellen, with respect to the large financial institutions, the Fed’s approach is “oriented toward both the safety and soundness of the individual firms, and the stability of the financial system as a whole.” With respect to community banks, Chair Yellen noted that the Fed’s supervisory approach is risk based: “[i]n supervising these institutions, we follow a risk-focused approach that aims to target examination resources to higher-risk areas of each bank’s operations and to ensure that banks maintain risk-management capabilities appropriate to their size and complexity.”

    Federal Reserve Community Banks Bank Supervision Risk Management

  • FFIEC Issues Joint Statement Regarding Cyber Attacks Involving Extortion

    Privacy, Cyber Risk & Data Security

    On November 3, the FFIEC issued a statement notifying financial institutions of the increasing frequency and severity of cyber attacks involving extortion. The joint statement urges financial institutions to take steps to ensure effective risk management programs, including but not limited to the following: (i) conducting ongoing information security risk assessments; (ii) performing security monitoring, prevention, and risk mitigation; (iii) implementing and regularly testing controls around critical systems; and (iv) participating in industry information-sharing forums. The statement identifies resources financial institutions can refer to for assistance in mitigating cyber attacks involving extortion.

    The OCC also published a bulletin alerting all OCC-supervised institutions to the FFIEC’s joint statement.

    OCC FFIEC Risk Management Privacy/Cyber Risk & Data Security

  • DOJ Assistant Attorney General Stresses Public-Private Cooperation In the Event of a Cyber Breach

    Privacy, Cyber Risk & Data Security

    On September 30, U.S. Assistant Attorney General John Carlin delivered remarks at the 2015 Cybersecurity Summit hosted jointly by the U.S. Chamber of Commerce and the American Gaming Association. In his remarks, Carlin highlighted a variety of “tools,” including the use of sanctions, the DOJ may employ against individuals or entities that engage in malicious cyber-enabled activities against the U.S. Notably, Carlin discussed certain advantages of increased collaboration between the private sector and government to share information and best practices “to help defend against or disrupt [cyber] attacks before they happen or in real time,” adding that “law enforcement can also enlist the assistance of international partners to help retrieve stolen data or identify a perpetrator.” Concluding his remarks, Carlin urged companies to adopt a strong cybersecurity risk management program.

    DOJ Risk Management Privacy/Cyber Risk & Data Security

  • CFPB Reaches $700 Million Settlement to Resolve Credit Card Ancillary Products Investigation

    Consumer Finance

    On July 21, the CFPB announced a nearly $700 million settlement against a leading financial institution and its subsidiaries. According to the consent order, the Bureau alleges that the entities engaged in deceptive marketing, billing, and collection practices related to various credit card ancillary products, including debt protection and credit monitoring services. Specifically, the Bureau alleges that the institution’s or its vendors’ marketing practices, consisting of telemarketing calls, online enrollment, point-of-sale application, and direct enrollment at retailers, misled consumers into enrolling for certain ancillary products. The Bureau further alleges that, in some instances, telemarketers failed to accurately disclose the cost and fees associated with the ancillary products. With respect to the unfair billing allegations, the Bureau contends that the institution or its vendors improperly charged consumers, without authorization, for services that were not rendered, and failed to provide full product benefits of the services marketed to consumers. In addition, the Bureau alleges that the institution misrepresented payment fee information to consumers by failing to disclose the actual purpose of the fee associated with making payments by phone on delinquent credit card accounts. Under terms of the settlement, the institution and its subsidiaries agreed to (i) provide $479 million in consumer relief related to its marketing practices; (ii) pay roughly $220 million in restitution related to its payments collection practices and for consumers not receiving the full benefits of services promised; and (iii) pay a $35 million civil money penalty.

    In a parallel enforcement action, the OCC imposed a separate $35 million civil money penalty against the institution for engaging in similar practices, and requires the institution to strengthen its oversight of third-party vendors and develop a comprehensive risk management program for ancillary products marketed or sold by the bank.

    CFPB UDAAP OCC Vendors Enforcement Ancillary Products Risk Management

  • Federal Reserve Orders Bank Holding Company to Strengthen its Firmwide Risk Management, Cites Capital Planning and Liquidity Risk Deficiencies

    Consumer Finance

    On July 7, the Board of Governors announced the execution of an enforcement action against a Boston-based bank holding company over deficiencies identified by the Federal Reserve Bank of Boston concerning the company’s governance, risk management, capital planning, and liquidity risk management operations. Pursuant to the Agreement, within 60 days of its execution the company must submit written plans detailing its efforts to strengthen board oversight of the company’s management and operations, bolster the risk management program, improve capital planning to match the company’s size and complexity, and strengthen liquidity risk management. No civil money penalty was imposed on the company.

    Federal Reserve Enforcement Risk Management

  • FFIEC Releases Cybersecurity Assessment Tool

    Privacy, Cyber Risk & Data Security

    As previously covered in InfoBytes, on June 30, the FFIEC released a Cybersecurity Assessment Tool (Assessment) to provide a “repeatable and measurable process” for financial institutions to measure their cybersecurity readiness. The Assessment aims to help financial institutions determine their cybersecurity preparedness and make informed decisions regarding their risk management practices. In addition to the Assessment, the FFIEC also released an executive overview, a user’s guide, a pre-recorded webinar, a glossary of terms, and appendices to assist financial institutions in understanding supervisory expectations, increasing awareness of cybersecurity risks, and assessing and mitigating the threats facing their institutions. As an interagency body representing the Fed, FDIC, OCC, CFPB, and the NCUA, the FFIEC prescribes uniform principles, standards, and reporting forms for the federal examination of financial institutions, and makes recommendations to promote uniformity in the supervision of financial institutions.

    Privacy/Cyber Risk & Data Security FFIEC Bank Supervision Risk Management

  • OCC Releases Semiannual Report Highlighting Key Risks Facing National Banks and Federal Savings Associations

    Privacy, Cyber Risk & Data Security

    Today, the OCC announced the release of its semiannual report, Semiannual Risk Perspective for Spring 2015, highlighting key risk areas affecting national banks and federal savings associations. Based on 2014 year-end data, the report identifies issues that pose a potential threat to the safety and soundness of banks and thrifts. It also sets forth the OCC’s supervisory priorities for the next 12 months, including, among others, (i) cybersecurity awareness and preventative controls, (ii) Bank Secrecy Act/Anti-Money Laundering compliance, (iii) fair access to credit, and (iv) underwriting practices, particularly with respect to leveraged loans, indirect auto lending, HELOCs, and credit related to the oil and gas sector. The report also notes declining revenues and profitability overall in OCC-supervised institutions.

    OCC Anti-Money Laundering Bank Secrecy Act Semiannual Risk Report Bank Supervision Risk Management Privacy/Cyber Risk & Data Security

  • Federal Reserve Releases 2015 Annual Performance Plan

    Consumer Finance

    Recently, the Federal Reserve submitted to Congress its 2015 Annual Performance Plan, which sets forth the Board’s planned projects, initiatives, and activities for the upcoming year. The Plan, which complements the Federal Reserve’s Strategic Framework 2012-15, outlines planned activities in the following six areas aimed at assisting the Board in meeting its strategic framework’s long-term objectives: (i) supervision, regulation, and monitoring risks to financial stability; (ii) data governance; (iii) facilities infrastructure; (iv) human capital; (v) management process; and (vi) cost reduction and budgetary growth. Among its initiatives, the Board aims to continue building an interdisciplinary infrastructure for supervision, regulation, and monitoring of risks to financial stability. In addition, the Board’s staff plans to develop “analytical tools” that enhance the Board’s understanding of evolving market structures and practices, including changes in risk-management practices and incentives for financial institutions to appropriately manage risk exposures. With respect to the supervision of individual institutions, the report highlights the Board’s intent to develop supervisory approaches for community and regional banks, as well as for savings and loan holding companies, that “identify and support taking action against early warning indicators of outlier risk.”

    Federal Reserve Community Banks Bank Supervision Risk Management
