
InfoBytes Blog

Financial Services Law Insights and Observations


  • OCC to host risk management workshops

    On February 7, the OCC released its lineup of free, virtual workshops for boards of directors of community national banks and federal savings associations. Included as part of the workshops to be held this spring is a risk management series focusing on credit risk, operational risk, compliance risk, and risk governance. Another workshop will present guidance for directors and senior managers on building blocks for success. A schedule of the upcoming workshops and registration information is available here.

    Bank Regulatory Federal Issues OCC Risk Management Compliance

  • OCC seeks comments on compliance risk for reverse mortgages

    On January 28, the OCC published a notice and request for comment in the Federal Register seeking feedback on the renewal of its guidance for managing compliance and reputation risks for reverse mortgage products. The OCC, along with the FDIC, Federal Reserve Board, and the NCUA, issued final guidance in 2010 focusing on the need for institutions “to provide adequate information to consumers about reverse mortgage products, to provide qualified independent counseling to consumers considering these products, and to avoid potential conflicts of interest.” The 2010 guidance also addressed related policies, procedures, internal controls, third-party risk management, training, and program maintenance. The current notice seeks feedback on (i) whether the collection of the information is necessary and has practical utility; (ii) the accuracy of the estimates of the information collection burden; (iii) methods for enhancing the quality, utility, and clarity of the information to be collected; (iv) ways to minimize the information collection burden for respondents; and (v) “[e]stimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.” Comments are due March 29.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance OCC Federal Register Reverse Mortgages Compliance Risk Management

  • Fed reiterates supervisory guidance on risk management

    Federal Issues

    On December 10, the Federal Reserve Board announced SR Letter 21-19, which reiterates the Fed’s supervisory expectations for large banks’ risk management practices related to investment funds. The letter applies to institutions supervised by the Fed that have large derivatives portfolios and relationships with investment funds, and follows a review by the Fed of the high-profile default and failure of one investment firm, which resulted in losses of more than $10 billion for several large banks. Among other things, the Fed warned firms that poor communication frameworks and inadequate risk management functions hinder their ability to identify and address risk, and that “[r]isk management and control functions should have the experience and stature to effectively control risks associated with investment funds.”

    The Fed also reminded firms that, consistent with the guidance in the Interagency Supervisory Guidance on Counterparty Credit Risk Management, they should: (i) “[r]eceive adequate information with appropriate frequency to understand the risks of the investment fund, including position and counterparty concentrations, and either reconsider the relationship or set sufficiently conservative terms for the relationship if the client does not meet appropriate levels of transparency”; (ii) “[e]nsure the risk-management and governance approach applied to the investment fund is capable of identifying the fund's risk initially and monitoring it throughout the relationship, and ensure applicable areas of the firm – including the business line and the oversight function – are aware of the risk their investment fund clients pose to the firm and have tools to manage that risk”; and (iii) “[e]nsure that margin practices remain appropriate to the fund's risk profile as it evolves, avoiding inflexible and risk-insensitive margin terms or extended close-out periods with their investment fund clients.”

    Federal Issues Federal Reserve Bank Regulatory Bank Supervision Risk Management Derivatives

  • NYDFS addresses multi-factor authentication weaknesses

    Privacy, Cyber Risk & Data Security

    On December 7, NYDFS issued guidance on multi-factor authentication (MFA) to all regulated entities. According to NYDFS, “MFA weaknesses are the most common cybersecurity gap exploited at financial services companies,” affecting both large companies and small businesses. The regulator noted that, since the Cybersecurity Regulation (23 NYCRR Part 500) went into effect (covered by InfoBytes here), MFA failures have continued to impact both financial services entities and consumers. From January 2020 to July 2021, more than 18.3 million consumers were affected by reported cyber incidents involving covered entities’ MFA failures, according to NYDFS. NYDFS has also taken two enforcement actions in the past year against companies whose failure to implement MFA fully resulted in unauthorized access to nonpublic information. The New York banking regulator is increasing its review of MFA during examinations and will focus on searching for common MFA failures discussed in the guidance. Covered entities are advised to consider carefully the importance of MFA as they implement their risk-based cybersecurity programs. Under the Cybersecurity Regulation, MFA is required for remote access, and must “be implemented beyond that as necessary to ensure effective access controls based on a comprehensive risk assessment.” The guidance provides examples of common problems related to MFA as well as recommendations for preventing problems.

    Privacy/Cyber Risk & Data Security State Issues NYDFS Bank Regulatory Risk Management Multi-Factor Authentication

  • OCC warns of key cybersecurity and climate-related banking risks

    Agency Rule-Making & Guidance

    On December 6, the OCC reported in its Semiannual Risk Perspective for Fall 2021 the key issues facing national banks and federal savings associations and the effects of Covid-19 on the federal banking industry. The agency reported that although banks showed resilience in the current environment with satisfactory credit quality and strong earnings, weak loan demand and low net interest margins continue to affect performance.

    The OCC identified elevated operational risk as banks continue to face increasingly complex cyberattacks, pointing to an increase in ransomware attacks across financial services. While innovation and technological advances can help counter such risks, the OCC warned they also come with additional concerns given the expansion of remote financial services offered through personally owned computers and mobile devices, remote work options due to the Covid-19 pandemic, and the reliance on third-party providers and cloud-based environments. “The adoption of innovative technologies to facilitate financial services can offer many benefits to both banks and their customers,” the report stated. “However, innovation may present risks. Risk management and control environments should keep pace with innovation and emerging trends and a comprehensive understanding of risk should be achieved to preserve effective controls. Examiners will continue to assess how banks are managing risks related to changes in operating environments driven by innovative products, services, and delivery channels.”

    The report calls on banks to “adopt robust threat and vulnerability monitoring processes and implement stringent and adaptive security measures such as multi-factor authentication or equivalent controls” to mitigate cyber risks, adding that critical systems and records must be backed up and stored in “immutable formats that are isolated from ransomware or other destructive malware attacks.”

    The report further highlighted heightened compliance risks associated with the changing environment where banks serve consumers in the end stages of various assistance programs, such as the CARES Act’s PPP program and federal, state, and bank-initiated forbearance and deferred payment programs, which create “increased compliance responsibilities, high transaction volumes, and new types of fraud.”

    The report also discussed credit risks, strategic risk challenges facing community banks, and climate-related financial risks. The OCC stated it intends to request comments on its yet-to-be-published climate risk management framework for large banks (covered by InfoBytes here) and will “develop more detailed expectations by risk area” in 2022.

    Agency Rule-Making & Guidance Federal Issues OCC Bank Regulatory Covid-19 Risk Management Community Banks Climate-Related Financial Risks Privacy/Cyber Risk & Data Security Third-Party Risk Management

  • NYDFS issues final guidance for insurers on climate change financial risks

    State Issues

    On November 15, NYDFS issued final guidance to New York-regulated domestic insurers on managing climate change-related financial risks. The final guidance reflects the agency’s consideration of stakeholder comments on proposed guidance issued in March, and was informed by NYDFS’s collaboration with the insurance industry and international regulators. Building on a 2020 insurance circular letter addressing climate change and financial risks, the final guidance outlines expectations that insurers begin “integrating the consideration of the financial risks from climate change into their governance frameworks, business strategies, risk management processes and scenario analysis, and developing their approach to climate-related financial disclosure.” Specifically, an insurer should (i) incorporate climate-risk considerations into its governance structure, at either “the group or insurer entity level”; (ii) consider current and forward-looking climate-related implications for its operations through “time horizons” appropriately tailored to the insurer’s activities and decisions; (iii) incorporate into its existing financial risk management framework analyses of the effect of climate risks on existing risk factors; (iv) employ scenario analysis to inform business strategy decisions and risk assessment and identification; and (v) disclose its climate risks and engage with NYDFS’s Task Force on Climate-related Financial Disclosures when developing climate disclosure approaches. NYDFS will monitor insurers’ progress in implementing these expectations with respect to organizational structures, which insurers must have in place by August 15, 2022. NYDFS noted it will provide further guidance on timing for implementing “the more complex expectations outlined in the guidance.”

    State Issues State Regulators NYDFS Insurance Climate-Related Financial Risks Risk Management Bank Regulatory

  • OCC consent order addresses risk management at mortgage servicer

    Federal Issues

    On October 26, the OCC issued a consent order against a leading subservicer of mortgage loans for allegedly maintaining inadequate risk management controls related to its servicing and default servicing activities. According to the OCC, the bank’s “internal controls and risk management practices do not support the current risk profile and size of the [b]ank’s mortgage sub-servicing portfolio, which is an unsafe or unsound practice.” The OCC also asserted that the bank had previously been informed about the alleged risk management deficiencies and did not take timely corrective action. Under the terms of the consent order, the bank is required, among other things, to take comprehensive corrective measures, including developing and implementing internal controls that are “commensurate with the types and complexity of risks associated with all transactions the [b]ank executes.” The bank is also required to implement an effective default operations program for its loss mitigation, foreclosure, and claims activities to ensure compliance with applicable state and federal laws and GSE requirements. The order also requires the bank to receive a non-objection from OCC prior to onboarding new clients or before paying dividends to shareholders while the order is in effect. The order does not indicate any specific violations of consumer protection laws and does not contain a civil money penalty. The bank did not admit or deny the allegations.

    Federal Issues OCC Enforcement Bank Regulatory Risk Management Mortgages Mortgage Servicing

  • OCC issues semi-annual Interest Rate Risk Statistics Report

    Federal Issues

    On October 20, the OCC published the fall 2021 edition of the Interest Rate Risk Statistics Report. The report presents interest rate risk data gathered during examinations of OCC-supervised midsize and community banks and federal savings associations with reported data by asset size, charter type, and minority depository institutions. The OCC’s supervisory process for the fall 2021 report reviewed banks’ reported data from September 30, 2019 to June 30, 2021, including exposures, risk limits, and non-maturity deposit assumptions. The OCC notes that the statistics presented within the report “are for informational purposes only and do not represent OCC-suggested limits or exposures.”

    Federal Issues OCC Interest Rate Risk Management Bank Regulatory

  • NIST issues draft cybersecurity framework to mitigate ransomware events

    Privacy, Cyber Risk & Data Security

    Recently, the National Institute of Standards and Technology (NIST) issued a draft version of its Cybersecurity Framework Profile for Ransomware Risk Management, which proposes recommended steps for organizations to follow to prevent and mitigate ransomware events. The profile identifies Cybersecurity Framework Version 1.1 security objectives and can be used as a risk-management guide to help gauge an organization’s readiness level. Steps include “identifying and protecting critical data, systems, and devices; detecting ransomware events as early as possible (preferably before the ransomware is deployed); and preparing for responses to and recovery from any ransomware events that do occur.” The profile also outlines basic preventative measures organizations should take, including: (i) using antivirus software at all times to automatically scan emails and flash drives; (ii) ensuring computers are fully patched and running scheduled checks to identify and install new patches; (iii) segmenting internal networks as a precaution against malware; (iv) continuously monitoring directory services (and other primary user stores) to identify indicators of compromise or active attack; (v) blocking access to potentially malicious web resources and allowing only authorized applications; (vi) using standard user accounts; (vii) restricting personally owned devices and the use of personal applications on work computers; (viii) educating employees about social engineering; and (ix) assigning and managing credential authorization and running periodic reviews to ensure each account has only the appropriate access. Among other things, NIST further outlines the five cybersecurity framework functions (identify, protect, detect, respond, and recover), and advises organizations to develop an incident recovery plan; develop, implement, and test data backup and restoration strategies; and maintain an up-to-date list of contacts for ransomware attacks. According to NIST, taking these proactive measures will help organizations recover from future ransomware events.

    Privacy/Cyber Risk & Data Security NIST Ransomware Risk Management

  • OCC issues updated LIBOR self-assessment tool

    Federal Issues

    On October 18, the OCC released an updated self-assessment tool for banks to evaluate their preparedness for the LIBOR cessation at the end of the year. The updated guidance reminds banks that they should cease entering into new contracts using LIBOR as a reference rate as soon as practicable, but no later than December 31, 2021. Banks may use the self-assessment tool to identify and mitigate their LIBOR transition risks, and management should use the tool to evaluate whether preparations for the transition are sufficient. The OCC notes that “LIBOR exposure and risk assessments and cessation preparedness plans should be complete or near completion with appropriate management oversight and reporting in place,” and “most banks should be working toward resolving replacement rate issues while communicating with affected customers and third parties, as applicable.” The OCC also reminds banks to tailor risk management processes to the size and complexity of a bank’s LIBOR exposures and to “consider all applicable risks (e.g., operational, compliance, strategic, and reputation) when scoping and completing LIBOR cessation preparedness assessments.”

    Bulletin 2021-46 rescinds Bulletin 2021-7 published in February (covered by InfoBytes here).

    Federal Issues LIBOR OCC Bank Regulatory Risk Management
