
InfoBytes Blog

Financial Services Law Insights and Observations


  • FDIC updates risk management, consumer compliance examination policies

    Recently, the FDIC updated Section 2.1 of its Risk Management Manual of Examination Policies related to capital. The FDIC noted that since capital adequacy assessments are central to the supervisory process, examination staff “evaluate all aspects of a financial institution’s risk profile and activities to determine whether its capital levels are appropriate and in compliance with minimum regulatory requirements.” This includes examining a financial institution’s capital ratios, risk-weighted assets, regulatory capital requirements, community bank leverage ratios, capital adequacy (including liquidity, earnings, and market risk), and adherence to laws and regulations. The FDIC also announced updates to the Privacy—Telephone Consumer Protection Act section within its Consumer Compliance Examination Manual (CEM). The CEM includes supervisory policies and examination procedures for FDIC examination staff evaluating financial institutions’ compliance with federal consumer protection laws and regulations.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance FDIC Compliance Examination Risk Management Supervision

  • FINRA reminds firms of their obligation to supervise digital signatures

    Agency Rule-Making & Guidance

    Recently, FINRA issued Regulatory Notice 22-18 reminding member firms of their obligation to supervise for digital signature forgery and falsification. FINRA reported it has received a rising number of reports claiming registered representatives and associated persons have been forging or falsifying customer signatures, as well as those of colleagues or supervisors in some instances. Issues have been flagged in “account opening documents and updates, account activity letters, discretionary trading authorizations, wire instructions and internal firm documents related to the review of customer transactions.” FINRA advised member firms to review outlined methods and scenarios for identifying digital signature forgery or falsification in order to mitigate risk and meet regulatory obligations.

    Agency Rule-Making & Guidance Federal Issues FINRA Compliance Risk Management

  • FDIC warns financial institutions about NSF fees

    On August 18, the FDIC issued FIL-40-2022 along with supervisory guidance to warn supervised financial institutions that charging customers multiple non-sufficient funds (NSF) fees on re-presented unpaid transactions may increase regulatory scrutiny and litigation risk. According to the FDIC, some institutions’ disclosures did not fully or clearly describe their re-presentment practices and failed to explain that the same unpaid transaction may result in multiple NSF fees if presented more than once. Failing to disclose “material information to customers about re-presentment and fee practices has the potential to mislead reasonable customers,” the agency said, noting that the material omission of this information is considered to be deceptive pursuant to Section 5 of the FTC Act. Additionally, “there are situations that may also present risk of unfairness if the customer is unable to avoid fees related to re-presented transactions,” the FDIC said.

    The supervisory guidance also discussed the agency’s approach for addressing violations of law, noting that it will focus on identifying re-presentment-related issues to ensure correction of deficiencies and remediation to harmed customers. The agency stated that examiners “will generally not cite UDAP violations that have been self-identified and fully corrected prior to the start of a consumer compliance examination,” and noted that it “will consider an institution’s record keeping practices and any challenges an institution may have with retrieving, reviewing, and analyzing re-presentment data, on a case-by-case basis, when evaluating the time period institutions utilized for customer remediation.” However, the FDIC warned that “[f]ailing to provide restitution for harmed customers when data on re-presentments is reasonably available will not be considered full corrective action.” Financial institutions are encouraged to review practices and disclosures related to the charging of NSF fees for re-presented transactions and should consider FDIC risk-mitigation practices to reduce the risk of customer harm and potential violations.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance FDIC NSF Fees Consumer Finance Supervision FTC Act UDAP Deceptive Risk Management

  • Fed urges banks to assess legality of crypto activities

    On August 16, the Federal Reserve Board issued supervisory letter SR 22-6 recommending steps that Fed-supervised banking organizations engaging or seeking to engage in crypto-asset-related activities should take. The Fed stressed that organizations must assess whether such activities are legally permissible and determine whether any regulatory filings are required under the federal banking laws. Organizations should also notify the regulator and “have in place adequate systems, risk management, and controls to conduct such activities in a safe and sound manner” prior to commencing such activities. Risk management controls should cover, among other things, “operational risk (for example, the risks of new, evolving technologies; the risk of hacking, fraud, and theft; and the risk of third-party relationships), financial risk, legal risk, compliance risk (including, but not limited to, compliance with the Bank Secrecy Act, anti-money laundering requirements, and sanctions requirements), and any other risk necessary to ensure the activities are conducted in a manner that is consistent with safe and sound banking and in compliance with applicable laws, including applicable consumer protection statutes and regulations,” the supervisory letter explained, adding that state member banks are also encouraged to contact their state regulator before engaging in any crypto-asset-related activity. Organizations already engaged in crypto activities should contact the Fed “promptly” if they have not already done so, the agency said, noting that supervisory staff will provide any relevant supervisory feedback in a timely manner.

    The supervisory letter follows an interagency statement released last November by the Fed, OCC, and FDIC (covered by InfoBytes here), which announced the regulators’ intention to provide greater clarity on whether certain crypto-asset-related activities conducted by banking organizations are legally permissible.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance Digital Assets Federal Reserve Cryptocurrency Supervision Risk Management Third-Party Risk Management Financial Crimes Bank Secrecy Act Of Interest to Non-US Persons

  • CFPB, OCC issue consent orders against national bank

    Federal Issues

    On July 14, the CFPB announced a consent order against a national bank to resolve allegations that the bank engaged in unfair and abusive acts or practices with respect to unemployment insurance benefit recipients who filed notices of error concerning alleged unauthorized electronic fund transfers (EFTs). The CFPB alleged that the bank violated the CFPA by, among other things: (i) determining that “no error had occurred and [by] freezing cardholder accounts based solely on the results of [the bank’s] automated Fraud Filter”; (ii) “retroactively applying its automated Fraud Filter to reverse permanent credits for unemployment insurance benefit prepaid debit cardholders whose notices of error [the bank] had previously investigated and paid”; and (iii) “impeding unemployment insurance benefit prepaid debit cardholders’ efforts to file notices of error and seek liability protection from unauthorized EFTs.” The CFPB also claimed that the bank violated the EFTA and Regulation E by “fail[ing] to conduct reasonable investigations” of cardholders’ notices of error. Under the terms of the Bureau’s consent order, the bank is required to provide redress to harmed consumers, review and reform its unemployment insurance benefit prepaid debit card program, and pay a $100 million civil penalty to the Bureau.

    The same day, the OCC announced a consent order and a $125 million civil money penalty against the bank for alleged unsafe or unsound practices related to the same prepaid card program. According to the OCC, the bank, among other things: (i) “fail[ed] to establish effective risk management” over its unemployment card program; and (ii) “beginning in 2020, denied or delayed many consumers’ access to unemployment benefits when consumers filed or attempted to file [unemployment insurance benefits] unauthorized transaction claims.” The OCC’s civil money penalty and remediation requirement are in addition to the CFPB’s civil money penalty.

    Federal Issues CFPB Enforcement OCC UDAAP Unfair Abusive CFPA Electronic Fund Transfer Prepaid Cards EFTA Regulation E Risk Management Consumer Finance

  • Fed discusses cybersecurity risk management and emerging threats

    Privacy, Cyber Risk & Data Security

    On July 7, the Federal Reserve Board published its 2022 Cybersecurity and Financial System Resilience Report. Issued pursuant to the Consolidated Appropriations Act, the Fed’s report described measures it has taken to strengthen cybersecurity in the financial services sector. The report identified cybersecurity as a high priority for the Federal Reserve System and Board-supervised institutions and recognized the increasing and evolving nature of cybersecurity threats to the financial system. It delivered an overview of the Fed’s supervisory policies and procedures, which, among other things, require supervised institutions to implement internal controls and information systems appropriate to the size of the institution and to the nature, scope, and risk of its activities. The report explained that examiners’ cybersecurity evaluations consider “the business model and activities conducted by supervised institutions as part of a principles-based supervision program.” According to the Fed, an examination’s scope “is set as part of a multiyear supervisory plan that considers key cybersecurity risks, the industry landscape, and other factors such as emerging technologies.” The Fed explained that as part of these evaluations, “examiners consider business-line controls, risk-management practices, assurance functions, and governance activities performed by the firm’s senior management and board of directors.”

    The report also outlined intergovernmental, international, and public and private sector coordination activities, and included a list of recent actions taken by the Fed and other agencies to promote cybersecurity. Additionally, the report discussed current or emerging threats to financial institutions’ ability to operate and protect customer data, including ransomware, sophisticated distributed denial of service threats, increasing geopolitical tensions, and attacks to supply chains or third parties. Other emerging technology-related cybersecurity threats are also discussed including “[p]otential cybersecurity vulnerabilities in fintech applications,” such as cryptocurrency exchanges, banking applications, and other platforms that provide “threat actors an opportunity to steal funds or data by compromising victims’ computer systems or technology infrastructure used to interact with the products or services.”

    Privacy, Cyber Risk & Data Security Federal Issues Bank Regulatory Federal Reserve Risk Management Examination

  • Brainard stresses need for crypto regulation

    On July 8, Fed Vice Chair Lael Brainard warned that “[r]ecent volatility has exposed serious vulnerabilities in the crypto financial system.” Speaking before a Bank of England conference, Brainard explained that while crypto-assets are presented as a “fundamental break from traditional finance,” they are still susceptible to leverage, settlement, opacity, and maturity and liquidity transformation risks. The recent bankruptcy of a prominent crypto hedge fund and failed projects in the cryptocurrency space demonstrate that the crypto ecosystem faces many of the same challenges that are well known from traditional finance, she said. Brainard acknowledged that a “digital native form of safe central bank money could enhance stability by providing the neutral trusted settlement layer in the future crypto financial system,” but she also stressed that it is important “that the foundations for sound regulation of the crypto financial system be established now before the crypto ecosystem becomes so large or interconnected that it might pose risks to the stability of the broader financial system.” Novel crypto products often come with new risk factors, she said, adding that it may also be difficult “to distinguish between hype and value.” A strong regulatory framework that imposes “guardrails for safety and soundness, market integrity, and investor and consumer protection will help ensure that new digital finance products, platforms and activities are based on genuine economic value and not on regulatory evasion,” Brainard stated. She also noted that strong regulatory guardrails would help investors and developers build “a resilient digital native financial infrastructure” and help banks, payments providers, and fintech companies “improve the customer experience, make settlement faster, reduce costs, and allow for rapid product improvement and customization.”

    Bank Regulatory Federal Issues Digital Assets Federal Reserve Cryptocurrency Fintech Risk Management

  • Agencies release customer relationship and due diligence guidance

    On July 6, the FDIC, Federal Reserve Board, FinCEN, NCUA, and OCC issued a joint statement concerning banks’ risk-based approach for assessing customer relationships and conducting customer due diligence (CDD). Specifically, the joint statement reinforces the agencies’ “longstanding position that no customer type presents a single level of uniform risk or a particular risk profile related to money laundering (ML), terrorist financing (TF), or other illicit financial activity.” Banks are reminded that they must apply a risk-based approach to CDD and adopt appropriate risk-based procedures for conducting ongoing CDD when developing risk profiles of their customers. Because customer relationships present varying levels of ML, TF, and other illicit financial activity risks, the agencies advised banks to, among other things, (i) understand the nature and purpose of customer relationships; and (ii) “conduct ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information.”

    Additionally, banks that comply with applicable Bank Secrecy Act/anti-money laundering (BSA/AML) legal and regulatory requirements and effectively manage and mitigate risks related to the unique characteristics of customer relationships, “are neither prohibited nor discouraged from providing banking services to customers of any specific class or type,” the agencies said, adding that “as a general matter” they will not direct banks to open, close, or maintain specific accounts as they “recognize that banks choose whether to enter into or maintain business relationships based on their business objectives and other relevant factors, such as the products and services sought by the customer, the geographic locations where the customer will conduct or transact business, and banks’ ability to manage risks effectively.” Banks are encouraged “to manage customer relationships and mitigate risks based on customer relationships, rather than decline to provide banking services to entire categories of customers.”

    The joint statement is applicable to all customer types referenced in the Federal Financial Institutions Examination Council (FFIEC) BSA/AML Examination Manual, as well as to those not specifically addressed in the manual. These include “independent automated teller machine owners or operators, nonresident aliens and foreign individuals, charities and nonprofit organizations, professional service providers, cash intensive businesses, nonbank financial institutions, and customers the bank considers politically exposed persons.” The agencies reiterated that the joint statement does not alter existing BSA/AML legal or regulatory requirements, nor does it establish new supervisory expectations. Moreover, the FFIEC BSA/AML Examination Manual does not establish requirements for banks, nor should the inclusion of sections on specific customer types be interpreted as a signal that certain customer types present uniformly higher risk.

    Bank Regulatory Financial Crimes Federal Issues Agency Rule-Making & Guidance Federal Reserve FDIC OCC NCUA FinCEN Risk Management Customer Due Diligence Terrorist Financing Illicit Finance FFIEC Of Interest to Non-US Persons

  • OCC reports on key risks facing the federal banking system

    On June 23, the OCC released its Semiannual Risk Perspective for Spring 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that as “banks continue to navigate the operational- and market-related impacts of the pandemic along with substantial government stimulus, current geopolitics have tightened financial conditions and increased downside risk to economic growth.” However, the OCC noted that banks’ financial conditions remain strong and that banks are well-positioned to “deal with the economic headwinds arising from geopolitical events, higher interest rates and increased inflation.”

    The OCC highlighted operational, compliance, interest rate, and credit risks as key risk themes in the report. Observations include: (i) operational risk, including evolving cyber risk, is elevated, with an observed increase in attacks on the financial services industry given current geopolitical tensions; (ii) compliance risk remains heightened as banks navigate the current operational environment, regulatory changes, and policy initiatives; and (iii) credit risk remains moderate, with banks facing certain areas of weakness and potential longer-term implications resulting from the Covid-19 pandemic, inflation, and direct and indirect effects of the war in Ukraine. Staffing challenges among banks also present risks, with challenges posed by “strong competition” in the labor market.

    The report also discussed the importance of appropriate due diligence of new digital asset products and services. The OCC said that it “continues to engage on an interagency basis to analyze various crypto-asset use cases,” and is looking to “provide further clarity on legal permissibility, as well as safety and soundness and compliance considerations related to crypto-assets” in the banking industry. 

    The OCC further stated it “will continue to monitor the development of climate-related financial risk management frameworks at large banks,” and reported that “OCC large-bank examination teams will integrate the examination of climate-related financial risk into supervision strategies and continue to engage with bank management to better understand the challenges banks face in this effort, including identifying and collecting appropriate data and developing scenario analysis capabilities and techniques.”

    Bank Regulatory Federal Issues OCC Risk Management Third-Party Risk Management Compliance Privacy/Cyber Risk & Data Security Operational Risk Climate-Related Financial Risks Digital Assets Nonbank

  • OCC seeks comments on BSA/AML risk assessment

    On June 8, the OCC issued a notice in the Federal Register seeking comments concerning its information collection titled “Bank Secrecy Act/Money Laundering Risk Assessment,” also known as the Money Laundering Risk (MLR) System. According to the notice, the MLR System “enhances the ability of examiners and bank management to identify and evaluate Bank Secrecy Act/Money Laundering and Office of Foreign Asset Control (OFAC) sanctions risks associated with banks’ products, services, customers, and locations.” The notice stated that the agency will collect MLR information for OCC supervised community and trust banks, and explained that the annual Risk Summary Form (RSF), which collects data about different products, services, customers, and geographies (PSCs), will include three significant changes in 2022. The changes in the 2022 RSF are: (i) the addition of six new PSCs; (ii) the addition of three new customer types under the money transmitters category; and (iii) the deletion of four existing PSCs. Comments close on August 8.

    Bank Regulatory Agency Rule-Making & Guidance Federal Issues OCC Federal Register Bank Secrecy Act Anti-Money Laundering OFAC Risk Management Financial Crimes Of Interest to Non-US Persons
