
InfoBytes Blog

Financial Services Law Insights and Observations


  • NIST releases new AI framework to help organizations mitigate risk

    Privacy, Cyber Risk & Data Security

    On January 26, the National Institute of Standards and Technology (NIST) released voluntary guidance to help organizations that design, deploy, or use artificial intelligence (AI) systems mitigate risk. The Artificial Intelligence Risk Management Framework (developed in close collaboration with the private and public sectors pursuant to a Congressional directive under the National Defense Authorization for Fiscal Year 2021) “provides a flexible, structured and measurable process that will enable organizations to address AI risks,” NIST explained. The framework breaks down the process into four high-level functions: govern, map, measure, and manage. These categories, among other things, (i) provide guidance on how to evaluate AI for legal and regulatory compliance and ensure policies, processes, procedures and practices are transparent, robust, and effective; (ii) outline processes for addressing AI risks and benefits arising from third-party software and data; (iii) describe the mapping process for collecting information to establish the context to frame AI-related risks; (iv) provide guidance for employing and measuring “quantitative, qualitative, or mixed-method tools, techniques, and methodologies to analyze, assess, benchmark, and monitor AI risk and related impacts”; and (v) set forth a proposed process for managing and allocating risk management resources. Examples are also provided within the framework to help organizations implement the guidance.

    “This voluntary framework will help develop and deploy AI technologies in ways that enable the United States, other nations and organizations to enhance AI trustworthiness while managing risks based on our democratic values,” Deputy Commerce Secretary Don Graves said in the announcement. “It should accelerate AI innovation and growth while advancing—rather than restricting or damaging—civil rights, civil liberties and equity for all.” 

    Privacy, Cyber Risk & Data Security NIST Artificial Intelligence Risk Management

  • Fed announces climate scenario exercises

    On January 17, the Federal Reserve Board provided additional details regarding its upcoming pilot climate scenario analysis exercise and the information on risk management practices that will be gathered from the program. As previously covered by InfoBytes, the Fed announced in September 2022 that six of the nation’s largest banks will participate in a pilot climate scenario analysis exercise intended to enhance the ability of supervisors and firms to measure and manage climate-related financial risks. According to the Fed, the banks will analyze the impact of scenarios for both physical and transition risks related to climate change on specific assets in their portfolios. The Fed noted that it will collect qualitative and quantitative information during the pilot, including details on governance and risk management practices, among other things. Additionally, the banks will be asked to consider the effect on corporate loans and commercial real estate portfolios using a scenario based on current climate policies and one based on reaching net-zero greenhouse gas emissions by 2050. The Fed noted that though no firm-specific information will be released, it anticipates publishing insights at an aggregate level, reflecting what has been learned about climate risk management practices and how insights can identify possible risks and promote risk management practices.

    Bank Regulatory Federal Issues Federal Reserve Climate-Related Financial Risks Risk Management

  • FHFA outlines MSR guidance for managing counterparty credit risk

    Agency Rule-Making & Guidance

    On January 12, FHFA released an advisory bulletin communicating supervisory expectations for Fannie Mae and Freddie Mac (the Enterprises) related to the valuation of mortgage servicing rights (MSRs) for managing counterparty credit risk. FHFA emphasized that Fannie and Freddie’s “risk management policies and procedures should be commensurate with an Enterprise’s risk appetite[] and based on an assessment of seller/servicer financial strength and MSR risk exposure levels.” FHFA relayed that while sellers and servicers assign values to their MSRs, the Enterprises should implement their own processes to evaluate the reasonableness of seller/servicer MSR values. FHFA explained that Fannie and Freddie are “exposed to counterparty credit risk when seller/servicers provide representations and warranties that mortgage loans conform with its selling guide requirements,” and reiterated that “[f]ailure to meet such obligations and commitments may cause the Enterprise to incur credit losses and operational costs.”

    The advisory bulletin lays out risk management expectations to ensure MSR values are reasonable, objective, and transparent, and provides guidance covering several areas, including (i) objective evaluation of MSR values; (ii) MSR valuations for mortgage loans owned or guaranteed by Fannie and Freddie as well as stress testing; (iii) MSR valuations for mortgage loans not owned or guaranteed by Fannie or Freddie; (iv) market data input; (v) use of third-party providers; (vi) frequency of evaluations; and (vii) discount to MSR values when servicing rights are terminated. The advisory bulletin is applicable only to MSRs for single-family mortgage loans and is effective April 1.

    Agency Rule-Making & Guidance Federal Issues Mortgages Fannie Mae Freddie Mac GSEs Risk Management Credit Risk

  • Agencies warn banks of crypto-asset risks

    On January 3, the FDIC, Federal Reserve Board, and OCC issued a joint interagency statement highlighting key risks banks should consider when choosing to engage in cryptocurrency-related services. Risks flagged by the agencies include: (i) the possibility of fraud and scams among crypto-asset sector participants; (ii) legal uncertainties related to custody practices, redemptions, and ownership rights; (iii) misleading disclosures made by crypto firms that may be unfair, deceptive, or abusive; (iv) volatility in crypto-asset markets, including the susceptibility of stablecoins to run risk, which could impact deposit flows; (v) contagion risks resulting from interconnections among crypto-asset participants that may present concentration risks for banks with exposure to the crypto-asset sector; (vi) lack of maturity in risk management and governance practices within the crypto-asset sector; and (vii) elevated risks associated with open, public, and/or decentralized networks.

    The agencies commented that while they will continue to take a cautious approach to current or proposed crypto-asset-related activities (and are neither prohibiting nor discouraging banks from providing crypto services to customers, as permitted by law or regulation), they currently “believe that issuing or holding as principal crypto-assets that are issued, stored, or transferred on an open, public, and/or decentralized network, or similar system is highly likely to be inconsistent with safe-and-sound banking practices.” Moreover, the agencies expressed “significant safety and soundness concerns with business models that are concentrated in crypto-asset-related activities or have concentrated exposures to the crypto-asset sector.” The agencies advised that they have developed processes for banks to engage in robust supervisory discussions with their supervisory office about any proposed or existing crypto-asset-related activities, adding that before launching any activities, banks should take appropriate risk management measures and assess whether the activity can be performed in a safe and sound manner, is legally permissible, and complies with applicable laws and regulations. Additional statements will be released in the future by the agencies.

    “The events of the past year have been marked by significant volatility and the exposure of vulnerabilities in the crypto-asset sector,” the agencies said as they stressed the importance of keeping crypto-asset risks that cannot be mitigated or controlled from migrating to the banking system.

    The OCC separately issued a bulletin advising supervised banks to follow processes outlined in OCC Interpretive Letter 1179 (covered by InfoBytes here) before engaging in certain crypto-asset-related activities.

    Bank Regulatory Federal Issues OCC FDIC Federal Reserve Digital Assets Cryptocurrency Risk Management Fintech

  • FHFA issues model risk management guidance

    Agency Rule-Making & Guidance

    On December 21, FHFA issued guidance to Freddie Mac, Fannie Mae, the Federal Home Loan Banks (FHLBanks), and the Office of Finance on its model risk management framework. According to the bulletin, the purpose of the guidance—formatted as Frequently Asked Questions—“is to provide supplemental guidelines that will address some of the gaps in [FHFA’s 2013 Model Risk Management guidance] prompted by changes in model-related technologies and questions generated from the expanded use of complex models by the FHLBanks.” “The supplemental guidance also addresses model documentation, the communication of model limitations, model performance tracking, on-top adjustments, challenger models, model consistency, and internal stress testing.”

    Agency Rule-Making & Guidance FHFA FHLB Fannie Mae Freddie Mac GSEs Risk Management

  • NYDFS releases proposed guidance for mitigating climate-related risks

    State Issues

    On December 21, NYDFS proposed guidance for regulated banking and mortgage institutions to support efforts for responding to evolving risks stemming from climate change. The proposed guidance—which was developed to align with the climate-related work of federal and international banking regulators—will aid institutions in identifying, measuring, monitoring, and controlling material climate-related financial risks, consistent with existing risk management principles. Institutions should “minimize and affirmatively mitigate adverse impacts on low- and moderate-income communities while managing climate-related financial risks,” NYDFS said, explaining that the proposed guidance focuses on areas of risk management related to corporate governance, internal control frameworks, risk management processes, data aggregation and reporting, and scenario analysis that also accounts for unknown future risks. Among other things, the proposed guidance warned institutions of the importance of ensuring fair lending is provided to all communities, including low- to moderate-income neighborhoods that may face heightened risks, when managing climate-related financial risks. The proposed guidance also outlined tools institutions should use to measure and protect against climate change risks. NYDFS warned institutions that they may have to directly absorb a greater portion of losses and should plan for insurance coverage premiums to either increase or be withdrawn entirely in areas where climate risks are prevalent.

    NYDFS commented that the proposed guidance serves as a basis for supervisory dialogue and instructed interested parties to provide input as it undertakes a data-driven approach to formulating the final guidance. Comments are due by March 21, 2023. A webinar will be held on January 11, 2023 to provide an overview of the proposed guidance.

    “Regulators must anticipate and respond to new risks to operational resiliency and safety and soundness, jeopardizing an institution’s future,” Superintendent Adrienne A. Harris said. “NYDFS is committed to working with all stakeholders to further refine expectations and finalize guidance appropriate for institutions to address material climate-related financial risks.”

    State Issues State Regulators Bank Regulatory NYDFS Climate-Related Financial Risks Redlining New York Mortgages Risk Management Supervision Fair Lending

  • OCC warns of crypto-asset and cybersecurity risks facing the federal banking system

    On December 8, the OCC released its Semiannual Risk Perspective for Fall 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that, in the aggregate, banks “remain well capitalized” and have “ample liquidity and sound credit quality, although macroeconomic headwinds are a concern.” The OCC highlighted interest rate, operational, compliance, and credit risks as key risk themes. Observations include: (i) the rising rate environment has adversely impacted bank investment portfolios; (ii) operational risk, including evolving cyber risk, is elevated, with “threat actors continuing to target the financial services industry with ransomware and other attacks”; (iii) compliance risk remains heightened as banks navigate significant regulatory changes; and (iv) credit risk in commercial and retail loan portfolios remains moderate and demonstrates resiliency, “but signs of potential weakening in some segments warrant careful monitoring.”

    The report discussed emerging risks related to innovation and the adoption of new products and services, including crypto-assets. Highlighting risks arising from banks’ expansion into digital offerings and the “heightened” threat of fraud risk associated with innovative peer-to-peer payment platforms, the OCC noted that banks should be “clearly communicating risks, educating customers on potential scams, and enhancing internal fraud monitoring capabilities” to mitigate threats and protect consumers. The report noted that “[b]anks may require additional or different controls to safeguard against fraud, financial crimes, violations of Bank Secrecy Act, anti-money laundering, and Office of Foreign Assets Control (BSA/AML/OFAC) requirements, and consumer protection or fair lending laws, or operational errors,” and should “maintain comprehensive operational resilience frameworks commensurate with the size and complexity of products, services, and operations being supported.”

    The OCC reiterated the importance of taking a “careful and cautious approach” toward banks’ engagement with crypto-related firms. Recent events in the crypto market have also “revealed a high degree of interconnectedness between certain crypto participants through a variety of opaque lending and investing arrangements,” which has led to “a high risk of contagion among connected parties.” The report noted that national banks and federal savings associations interested in engaging in crypto-asset activities should discuss the activities with their supervisory office before engaging in them. Some activities may require a supervisory non-objection under OCC Interpretive Letter #1179.

    The report cited risks related to cybersecurity and partnerships with fintech and other third parties. The OCC said it is applying a “heightened supervisory focus” to its scrutiny of banks’ oversight of third-party relationships and flagged an upward trend in ransomware attacks targeting banks’ service providers and other third parties. Partnering with fintechs to support operations or provide opportunities for customers to enter the digital asset market can “increase the risk of unfair or deceptive acts or practices because of the coordination, communication, and disclosure challenges involved in these partnerships,” the report said, adding that “[u]nclear or arbitrary partnership agreements may result in implementation breakdowns, untimely resolution of issues, or failure to deliver products or services as intended, and may result in significant customer remediation.” The OCC cautioned that banks must “conduct appropriate due diligence” before entering a partnership with a third party. “The scope and depth of due diligence, as well as ongoing monitoring and oversight of the third party’s performance, should be commensurate with the nature and criticality of the proposed activity.”

    The report also discussed forthcoming climate risk management guidelines applicable to banks with more than $100 billion in total consolidated assets. As previously covered by InfoBytes, the OCC, Federal Reserve Board, and the FDIC announced they intend to issue final interagency guidance to promote consistency.

    Bank Regulatory Federal Issues Digital Assets Privacy, Cyber Risk & Data Security OCC Risk Management Cryptocurrency Supervision Third-Party Risk Management Fintech Financial Crimes Climate-Related Financial Risks

  • Treasury official flags “de-risking” as a concern in combating illicit financial risks

    Financial Crimes

    On December 5, Assistant Secretary for Terrorist Financing and Financial Crimes at the U.S. Department of Treasury Elizabeth Rosenberg outlined key illicit finance risks impacting the broader financial system during the ABA/ABA Financial Crimes Enforcement Conference. Rosenberg noted that for many nations, the illicit finance threat posed by Russia related to its invasion of Ukraine is a top priority. She commented that more than 30 countries immediately implemented sanctions or other economic measures against Russia, and that since then, the U.S. and other countries have created an expansive, multilateral web of restrictions targeting Russia’s ability to fund its war. Rosenberg also recognized that by reassessing their understanding of Russian illicit financial risks and implementing adaptive measures, companies and financial institutions play an important role in providing critical insight into emerging threats. Rosenberg also discussed Treasury’s risk-based approach to crafting policy responses, including those related to beneficial ownership transparency, investment adviser misuse, and the use of residential and commercial real estate to hide and grow illicit funds.

    Rosenberg warned, however, that there are challenges in implementing a truly risk-based approach. She pointed to observations made by the Financial Action Task Force, which showed that while many countries and their financial institutions “are keenly aware of where enhanced due diligence is needed,” many “often can not readily identify the inverse: places where simplified due diligence should be expected and permitted.” She cautioned that focusing on high-risk areas rather than lower-risk parts “is not without costs,” and illustrated a common form of de-risking that occurs “when financial institutions categorically cut off relationships or services to avoid perceived risks—for example, certain geographic regions—rather than applying a nuanced, risk-based approach.” Doing so can lead to “deleterious effects,” she warned, such as excluding businesses based on their location or status, or impacting emerging markets that could serve underbanked populations. Rosenberg said Treasury intends to study these concerns through the Anti-Money Laundering Act of 2020, and will develop a strategy for addressing de-risking, including recommendations on ways to improve public-private engagement on the issue, regulatory guidance and adjustments, and international supervision.

    Financial Crimes Of Interest to Non-US Persons OFAC Department of Treasury Risk Management Russia Ukraine Invasion FATF Anti-Money Laundering Act of 2020 Beneficial Ownership Illicit Finance

  • OCC discusses credit risk management, diversity and inclusion

    On December 5, acting Comptroller of the Currency Michael J. Hsu delivered remarks at the RMA Risk Management and Internal Audit Virtual Conference, where he spoke about the current expected credit losses standard (CECL) and the importance of workforce diversity and inclusion. Hsu began by discussing CECL, noting that though loan portfolios have generally remained resilient and widespread “deterioration isn’t currently evident in credit quality metrics, the effects of high inflation, rising interest rates, lagging wage growth, supply chain disruptions, and stress from geopolitical events threaten the unexpectedly strong credit performance observed over the past few years.” He further pointed out that the longer-term effects of the Covid-19 pandemic, such as the shift in preferences toward online shopping and remote work, and other circumstances, can erode business profit margins, debt service capacity, and collateral valuations, in addition to adversely affecting credit risk levels at financial institutions. Turning to sound practice, Hsu stated that maintaining safe and sound credit risk management practices through this period of economic uncertainty is critical. He also noted that “timely risk identification and ratings, increased focus on concentrated portfolios and vulnerable borrowers, and stress testing and sensitivity analysis are particularly critical risk management activities at this time.” He further warned that the “flexibility” provided by CECL must ensure safety and soundness, arguing that there needs to be “appropriate support and documentation of management’s judgments,” as well as management’s assumptions, decisions, expectations, and qualitative adjustments.

    He emphasized that the first step to improving diversity, equity, and inclusion requires more transparency from the financial services industry regarding the diversity of their boards and executive leadership, and that organizations need to develop diversity plans and monitor outcomes. He also emphasized that financial institutions should actively “foster a true sense of belonging for everyone.” In closing, Hsu stated that “improving diversity and inclusion is a ‘need to have’ for [the OCC] to achieve our mission of assuring safety and soundness, fair access to financial services, and fair treatment of customers.”

    Bank Regulatory Federal Issues OCC Diversity Credit Risk Risk Management CECL Covid-19

  • Fed solicits feedback on proposed climate-related risk principles

    On December 2, the Federal Reserve Board issued a notice requesting public comments on proposed Principles for Climate-Related Financial Risk Management for Large Financial Institutions. The proposed principles would provide a high-level framework for the safe and sound management of exposures to climate-related financial risks for the largest financial institutions (those with over $100 billion in total consolidated assets), as well as address the physical and transition risks associated with climate change. Notably, the notice acknowledged that all financial institutions, regardless of size, can have material exposures to climate-related financial risks. Intended to support large financial institutions’ efforts in addressing climate-related financial risk management, the proposed principles cover six major areas: (i) governance; (ii) policies, procedures, and limits; (iii) strategic planning; (iv) risk management; (v) data, risk measurement, and reporting; and (vi) scenario analysis. The Fed noted that the proposed principles are substantially similar to those issued by the OCC and FDIC (covered by InfoBytes here and here), and said that the agencies intend to issue final interagency guidance to promote consistency. Comments on the proposed principles are due 60 days after publication in the Federal Register.

    Governor Bowman stated that while she voted in favor of seeking input on the proposed principles, she reserves the right to vote against their finalization. She also emphasized that excluding financial institutions with less than $100 billion in assets from the guidance “is appropriate based not only on the size of such firms, but also in light of the robust risk management expectations already applicable to such firms.”

    However, Governor Waller issued a dissenting statement: “Climate change is real, but I disagree with the premise that it poses a serious risk to the safety and soundness of large banks and the financial stability of the United States. The Federal Reserve conducts regular stress tests on large banks that impose extremely severe macroeconomic shocks and they show that the banks are resilient.”

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance Federal Reserve Climate-Related Financial Risks Risk Management Supervision
