InfoBytes Blog

Financial Services Law Insights and Observations

  • FDIC instructs banks to provide notification when engaging with crypto assets

    On April 7, the FDIC released FIL-16-2022, titled “Notification of Engaging in Crypto-Related Activities,” instructing banks that intend to engage in, or that are currently engaged in, any activities involving or related to crypto assets (also referred to as “digital assets”), to notify the FDIC of their intent and to provide “all necessary information that would allow the FDIC to engage with the institution regarding related risks.” The FDIC noted that, though it “supports innovations that are safe and sound,” the agency is “concerned that crypto assets and crypto-related activities are rapidly evolving, and risks of this area are not well understood given the limited experience with these new activities.” According to the FDIC, crypto-related activities “may pose significant safety and soundness risks as well as financial stability concerns,” digital asset activities “present risks to consumers,” and insured depository institutions “face risks in effectively managing the application of consumer protection laws and regulations” related to these “new and changing crypto-related activities.” The letter also specified that a bank should promptly “notify the appropriate FDIC Regional Director” of “information necessary to allow the agency to assess the safety and soundness, consumer protection, and financial stability implications” of digital asset activities. The FDIC will review the information and provide relevant supervisory feedback.

    Bank Regulatory Federal Issues Digital Assets FDIC Fintech Cryptocurrency Risk Management

  • OCC’s Hsu discusses managing tail risks

    On March 31, acting Comptroller of the Currency Michael J. Hsu spoke before the American Bankers Association Risk 2022 Conference to discuss managing low probability, high impact risk events, or tail risks. In particular, Hsu highlighted the connection between Russia’s invasion of Ukraine and heightened tail risks associated with geopolitical risk, cyber risk, and inflation risk. Hsu warned that multiple possible events stemming from the conflict, including cyber-attacks from Russia, broader conflict in Europe, and increased inflation, could materialize simultaneously, increasing the chances that tail risks materialize that could trigger a recession. Hsu noted that the increase of sanctions to oil and gas would put upward pressure on fuel prices, and “Ukraine’s role as a producer of wheat, neon, platinum, and palladium is also beginning to affect global prices in certain markets.” Despite the elevated risks, Hsu noted that enhanced stress testing has positioned large banks to absorb a range of shocks, but warned that “nonetheless, greater caution and risk management vigilance is warranted today, perhaps more than any time in recent memory.” Hsu also singled out risks associated with crypto assets and said that the OCC is collaborating with other agencies on “how to maintain a consistent, careful and cautious” approach to bank involvement in cryptocurrency. Hsu cautioned that in light of “limited or unreliable price histories” of crypto-assets, financial institutions should “carefully consider” the tail risks associated with factoring cryptocurrency positions into the overall risk management process. Hsu discussed his worry regarding the potential for crypto derivatives to create “wrong-way risk” in which a leveraged party uses trades to “double-down” at the same time it is experiencing financial stress. Hsu stated that the OCC has engaged with government agencies in the U.K. and U.S. on “how to maintain a consistent, careful, and cautious approach to bank involvement in crypto.”

    Bank Regulatory Federal Issues OCC Risk Management Russia Ukraine Ukraine Invasion Digital Assets Cryptocurrency Of Interest to Non-US Persons

  • OCC applies heightened risk governance standards to mortgage servicer

    Recently, the OCC published Interpretive Letter #1180 addressing the application of heightened risk governance standards under 12 C.F.R. Part 30, Appendix D, OCC Guidelines Establishing Heightened Standards (Guidelines) to a supervised bank. Specifically, the OCC determined that the bank’s operations were highly complex and presented a heightened risk. This determination was based on information provided by the Supervisory Office, which concluded that the bank’s operations, including significant mortgage servicing activities, warranted application of the Guidelines to the bank. “The Guidelines provide that a covered institution should establish and adhere to a written risk governance framework to manage and control its risk-taking activities,” the OCC stated, adding that the Guidelines “also provide minimum standards for an institution’s board of directors to oversee the risk governance framework.” In the interpretive letter, the OCC stated that it had notified the bank last December that it was considering exercising its reservation of authority to apply the Guidelines; however, the bank responded that application of the Guidelines was not appropriate at that time. The bank is expected to comply with the Guidelines by February 29, 2024.

    As previously covered by InfoBytes, last October the OCC issued a consent order against the bank for allegedly maintaining inadequate risk management controls related to its servicing and default servicing activities. The OCC asserted that the bank had previously been informed about the alleged risk management deficiencies and did not take timely corrective action. Under the terms of the consent order, the bank was required to take comprehensive corrective measures, including developing and implementing internal controls that are “commensurate with the types and complexity of risks associated with all transactions the [b]ank executes.” 

    Bank Regulatory Federal Issues OCC Risk Management Mortgages Mortgage Servicing

  • SEC proposes climate risk disclosures

    Securities

    On March 21, the SEC announced a proposed rule to require registrants to disclose certain climate-related information in their registration statements and periodic reports. According to the proposed rule, a registrant must disclose, among other things, information regarding its direct and certain indirect emissions of greenhouse gas (GHG). The GHG emissions disclosure proposals “would provide investors with decision-useful information to assess a registrant’s exposure to, and management of, climate-related risks, and in particular transition risks.”

    The proposed rule also establishes that accelerated filers and large accelerated filers would be required to include an attestation report from an independent attestation service provider covering certain emissions disclosures, with a phase-in over time, to promote the reliability of GHG emissions disclosures for investors. The proposed rule further noted additional disclosure requirements for registrants that have made a so-called net-zero commitment or adopted a plan to reduce their GHG footprint or exposures.

    The same day, the SEC released a Fact Sheet on the proposed rule, which summarized the content of the proposed disclosure and presentation and attestation requirements, among other things. According to a statement released by SEC Chair Gary Gensler, the proposed rule will “provide investors with consistent, comparable, and decision-useful information for making their investment decisions and would provide consistent and clear reporting obligations for issuers.” However, a statement released by SEC Commissioner Hester M. Peirce took a different view, stating that the proposed amendments would “turn[] the disclosure regime on its head” and noting that some elements are “missing,” such as “[a] credible rationale for such a prescriptive framework when our existing disclosure requirements already capture material risks relating to climate change; [a] materiality limitation; [and] [a] compelling explanation of how the proposal will generate comparable, consistent, and reliable disclosures.” Treasury Secretary Janet L. Yellen also released a statement commending the proposal and the SEC, calling the effort “an important step to protect investors and strengthen the overall resilience of the financial system.”

    Comments on the proposal are due 30 days after publication in the Federal Register, or 60 days after the date of issuance and publication on sec.gov, whichever period is longer.

    Securities Agency Rule-Making & Guidance SEC Climate-Related Financial Risks Department of Treasury Federal Register Risk Management Disclosures

  • OCC’s Hsu discusses climate financial risk management, diversity and inclusion

    On March 7, acting Comptroller of the Currency Michael J. Hsu spoke before the Institute of International Bankers Annual Washington Conference to discuss climate-related financial risk and diversity and inclusion in the banking industry. In his remarks, Hsu described the agency as “laser-focused on the safety and soundness aspects of climate change risks.” Specifically, he noted that the OCC is concentrating on “large banks’ climate risk management capabilities: identifying, measuring, monitoring and mitigating climate-related exposures and risks.” He stated that “[w]eaknesses in risk management could adversely affect a bank’s safety and soundness, as well as the overall financial system.” Hsu also stressed the importance of cyber defense, saying “[h]eightened vigilance is clearly warranted.”

    Hsu further discussed draft principles, which were released in December 2021, and are intended to support the identification and management of climate-related financial risks at OCC-regulated institutions with over $100 billion in total consolidated assets. (Covered by InfoBytes here). He noted that the principles will be finalized later this year when more detailed guidance will be developed in collaboration with the Federal Reserve Board and FDIC. After “an appropriate transition period,” Hsu noted that an assessment of large banks’ climate risk management capabilities would begin. He also noted that for midsize and community banks, it will be a number of years before OCC examiners conduct climate risk management examinations and suggested that bankers use time “wisely.”

    At the end of his remarks, Hsu compared “diversity and inclusion” to “safety and soundness,” in that it should be treated as a single idea, and without it, “diversity over time becomes a box to be checked, not a state to strive for or a value to be upheld.”

    Bank Regulatory Federal Issues OCC Climate-Related Financial Risks Risk Management Diversity

  • FATF to strengthen beneficial ownership transparency

    Financial Crimes

    On March 4, the U.S. Treasury Department announced that the Financial Action Task Force (FATF) concluded its sixth plenary meeting, in which it, among other things, “agreed upon a revised standard to combat the misuse of anonymous shell companies and set the stage for its members and the broader global FATF network to be held accountable to more stringent standards.” FATF adopted amendments on beneficial ownership transparency for legal persons, which will “enhance the quality of beneficial ownership information (BOI) collected by governments,” and will “enable efficient access by law enforcement to this information and require improved international cooperation.” FATF also agreed upon a new updated Mutual Evaluation Methodology and updated Mutual Evaluation Procedures. FATF will publish a report on migrant smuggling, which is intended to “raise awareness to the importance of developing a comprehensive understanding of the financial component of this criminal activity among both the public and private sectors.” Additionally, FATF is planning to launch a public consultation on updated Risk Based Guidance for the real estate sector this spring.

    Financial Crimes Department of Treasury Of Interest to Non-US Persons FATF Beneficial Ownership Risk Management Real Estate

  • NIST to update cybersecurity framework with a focus on supply chain risk

    Privacy, Cyber Risk & Data Security

    On February 22, the National Institute of Standards and Technology (NIST) published a notice and request for information (RFI) in the Federal Register seeking information to assist in the evaluation and improvement of the agency’s “Framework for Improving Critical Infrastructure Cybersecurity,” as well as other existing and potential standards related to supply chain cybersecurity. NIST stated it is considering updating the framework (last updated in 2018) to account for the changing landscape of cybersecurity risks, technologies, and resources, and noted that it recently announced it intends to launch the National Initiative for Improving Cybersecurity in Supply Chains (NIICS) to address cybersecurity risks in this space. Responses to the RFI will help to inform the direction of the NIICS, including how it may be integrated and aligned with the framework. NIST explained that the framework outlines standards and guidance for private and public sector companies on how to prevent and respond to cyber threats. Acknowledging that much has changed in the cybersecurity landscape since the framework was last updated, including an increased awareness and emphasis on supply chain cybersecurity risks, the RFI seeks information that will support the identification and prioritization of supply chain-related cybersecurity needs across sectors. Among other things, NIST is interested in: the usefulness of the framework for managing risks; the relationship of the framework to other NIST risk management resources; and how companies manage security risks to their software supply chains and whether this area of increasing concern should be incorporated into the framework or whether a new, separate framework focusing on cybersecurity supply chain risk management might be more valuable. Comments are due April 25.

    Privacy/Cyber Risk & Data Security NIST Agency Rule-Making & Guidance Federal Register Risk Management Supply Chain

  • FIO joins global green initiative

    Federal Issues

    On February 17, the U.S. Treasury Department’s Federal Insurance Office (FIO) announced that it joined the Network of Central Banks and Supervisors for Greening the Financial System (NGFS). As previously covered by InfoBytes, Treasury announced in August 2021 a request for information seeking public comments on the FIO’s future work related to the insurance sector and climate-related financial risks. This was in response to an executive order issued by President Biden instructing financial regulators to mitigate climate-related risk related to the financial system (covered by InfoBytes here). According to the recent announcement, the FIO “intends to publish a climate report by the year’s end focusing on insurance supervision and regulation, with an assessment of climate-related issues or gaps in the supervision and regulation of insurers, including their potential impacts on U.S. financial stability.” The same day, the Federal Advisory Committee on Insurance (FACI), which provides advice and recommendations to assist the FIO in carrying out its statutory authorities, launched the Climate Related Financial Risk Subcommittee to support the FACI provision of information relevant to the FIO’s work on climate-related risks in the insurance sector.

    Federal Issues Department of Treasury Climate-Related Financial Risks Risk Management Insurance

  • FHFA releases AI/ML risk management guidance for GSEs

    Federal Issues

    On February 10, FHFA released Advisory Bulletin (AB) 2022-02 to Fannie Mae and Freddie Mac (GSEs) on managing risks related to the use of artificial intelligence and machine learning (AI/ML). Recognizing that the use of AI/ML has rapidly grown among financial institutions to support a wide range of functions, including customer engagement, risk analysis, credit decision-making, fraud detection, and information security, FHFA warned that AI/ML may also expose a financial institution to heightened compliance, financial, operational, and model risk. In releasing AB 2022-02 (the first publicly released guidance by a U.S. financial regulator that specifically focuses on AI/ML risk management), FHFA advised that the GSEs should adopt a risk-based, flexible approach to AI/ML risk management that should also be able “to accommodate changes in the adoption, development, implementation, and use of AI/ML.” Diversity and inclusion (D&I) should also factor into the GSEs’ AI/ML processes, stated a letter released the same day from FHFA’s Office of Minority and Women Inclusion, which outlined its expectations for the GSEs “to embed D&I considerations throughout all uses of AI/ML” and “address explicit and implicit biases to ensure equity in AI/ML recommendations.” The letter also emphasized the distinction between D&I and fairness and equity, explaining that D&I “requires additional deliberation because it goes beyond the equity considerations of the impact of the use of AI/ML and requires an assessment of the tools, mechanisms, and applications that may be used in the development of the systems and processes that incorporate AI/ML.”

    Additionally, AB 2022-02 outlined four areas of heightened risk in the use of AI/ML: (i) model risk related to bias that may lead to discriminatory or unfair outcomes (includes “black box risk” where a “lack of interpretability, explainability, and transparency” may exist); (ii) data risk, including concerns related to the accuracy and quality of datasets, bias in data selection, security of data from manipulation, and unfamiliar data sources; (iii) operational risks related to information security and IT infrastructure, among other things; and (iv) regulatory and compliance risks concerning compliance with consumer protection, fair lending, and privacy laws. FHFA provided several key control considerations and encouraged the GSEs to strengthen their existing risk management frameworks where heightened risks are present due to the use of AI/ML.

    Federal Issues FHFA Fintech Artificial Intelligence Mortgages GSEs Risk Management Fannie Mae Freddie Mac Diversity

  • SEC proposes cybersecurity risk management rules and amendments

    Securities

    On February 9, a divided SEC voted to release proposed cybersecurity risk management rules and amendments to certain requirements for registered investment advisers and funds. (See SEC fact sheet here.) Commissioner Hester Peirce voted against the proposal, stressing that the fact that “an adviser’s or fund’s system has been successfully breached should not lead us to the immediate conclusion that that adviser or fund was lax in its efforts to protect client data and funds.” She added that “[a]bsent circumstances that suggest deliberate or reckless disregard of known vulnerabilities by the firm, we should resist the temptation to pile on with an enforcement action after a breach.”

    Under the proposed rules, advisers and funds would be required to adopt and implement written policies and procedures reasonably designed to address cybersecurity risks that could harm advisory clients and fund investors. Advisers would also be required to file a confidential report for a significant cybersecurity incident to the SEC on a new form. Additionally, advisers and funds would be required to publicly disclose cybersecurity risks and significant cybersecurity incidents that occurred in the last two fiscal years “that have significantly disrupted or degraded the adviser’s ability to maintain critical operations, or that have led to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser or its clients in their brochures and registration statements.” Advisers and funds would be required to comply with new cybersecurity-related recordkeeping requirements to assist SEC inspection and enforcement capabilities. Comments on the proposal are due 60 days following publication on the SEC’s website or 30 days after publication in the Federal Register, whichever period is longer.

    Securities Privacy/Cyber Risk & Data Security SEC Agency Rule-Making & Guidance Risk Management Disclosures
