InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC warns of crypto-asset and cybersecurity risks facing the federal banking system
On December 8, the OCC released its Semiannual Risk Perspective for Fall 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that, in the aggregate, banks “remain well capitalized” and have “ample liquidity and sound credit quality, although macroeconomic headwinds are a concern.” The OCC highlighted interest rate, operational, compliance, and credit risks as key risk themes. Observations include: (i) the rising rate environment has adversely impacted bank investment portfolios; (ii) operational risk, including evolving cyber risk, is elevated, with “threat actors continuing to target the financial services industry with ransomware and other attacks”; (iii) compliance risk remains heightened as banks navigate significant regulatory changes; and (iv) credit risk in commercial and retail loan portfolios remains moderate and demonstrates resiliency, “but signs of potential weakening in some segments warrant careful monitoring.”
The report discussed emerging risks related to innovation and the adoption of new products and services, including crypto-assets. Highlighting risks arising from banks’ expansion into digital offerings and the “heightened” threat of fraud risk associated with innovative peer-to-peer payment platforms, the OCC noted that banks should be “clearly communicating risks, educating customers on potential scams, and enhancing internal fraud monitoring capabilities” to mitigate threats and protect consumers. The report noted that “[b]anks may require additional or different controls to safeguard against fraud, financial crimes, violations of Bank Secrecy Act, anti-money laundering, and Office of Foreign Assets Control (BSA/AML/OFAC) requirements, and consumer protection or fair lending laws, or operational errors,” and should “maintain comprehensive operational resilience frameworks commensurate with the size and complexity of products, services, and operations being supported.”
The OCC reiterated the importance of taking a “careful and cautious approach” toward banks’ engagement with the crypto-related firms. Recent events in the crypto market have also “revealed a high degree of interconnectedness between certain crypto participants through a variety of opaque lending and investing arrangements,” which has led to “a high risk of contagion among connected parties.” The report noted that national banks and federal savings associations interested in engaging in crypto-asset activities should discuss the activities with their supervisory office before engaging the activities. Some activities may require a supervisory non-objection under OCC Interpretive Letter #1179.
The report cited risks related to cybersecurity and partnerships with fintech and other third parties. The OCC said it is applying a “heightened supervisory focus” to its scrutiny of banks’ oversight of third-party relationships and flagged an upward trend in ransomware attacks targeting banks’ service providers and other third parties. Partnering with fintechs to support operations or provide opportunities for customers to enter the digital asset market can “increase the risk of unfair or deceptive acts or practices because of the coordination, communication, and disclosure challenges involved in these partnerships,” the report said, adding that “[u]nclear or arbitrary partnership agreements may result in implementation breakdowns, untimely resolution of issues, or failure to deliver products or services as intended, and may result in significant customer remediation.” The OCC cautioned that banks must “conduct appropriate due diligence” before entering a partnership with a third party. “The scope and depth of due diligence, as well as ongoing monitoring and oversight of the third party’s performance, should be commensurate with the nature and criticality of the proposed activity.”
The report also discussed forthcoming climate risk management guidelines applicable to banks with more than $100 billion in total consolidated assets. As previously covered by InfoBytes, the OCC, Federal Reserve Board, and the FDIC announced they intend to issue final interagency guidance to promote consistency.
NY passes crypto mining bill
On November 22, the New York governor signed AB 7389, which establishes a moratorium on cryptocurrency mining operations that use proof-of-work authentication methods to validate blockchain transaction. Among other things, the bill also establishes a section on the moratorium on air permit issuance and renewal that states that the state cannot approve a new application, or issue a new permit, for an electric generating facility that utilizes carbon-based fuel and that provides behind-the-meter electric energy consumed or utilized by cryptocurrency mining operations that use proof-of-work authentication methods to validate blockchain transactions. The bill is effective immediately.
Fed solicits feedback on proposed climate-related risk principles
On December 2, the Federal Reserve Board issued a notice requesting public comments on proposed Principles for Climate-Related Financial Risk Management for Large Financial Institutions. The proposed principles would provide a high-level framework for the safe and sound management of exposures to climate-related financial risks for the largest financial institutions (those with over $100 billion in total consolidated assets), as well as address the physical and transition risks associated with climate change. Notably the notice acknowledged that all financial institutions, regardless of size, can have material exposures to climate-related financial risks. Intended to support large financial institutions’ efforts in addressing climate-related financial risk management, the proposed principles cover six major areas related to: (i) governance; (ii) policies, procedures, and limits; (iii) strategic planning; (iv) risk management; (v) data, risk measurement, and reporting; and (vi) scenario analysis. The Fed noted that the proposed principles are substantially similar to those issued by the OCC and FDIC (covered by InfoBytes here and here), and said that the agencies intend to issue final interagency guidance to promote consistency. Comments on the proposed principles are due 60 days after publication in the Federal Register.
Governor Bowman stated that while she voted in favor of seeking input on the proposed principles, she reserves the right to vote against its finalization. She also emphasized that excluding financial institution with less than $100 billion in assets from the guidance “is appropriate based not only on the size of such firms, but also in light of the robust risk management expectations already applicable to such firms.”
However, Governor Waller issued a dissenting statement: “Climate change is real, but I disagree with the premise that it poses a serious risk to the safety and soundness of large banks and the financial stability of the United States. The Federal Reserve conducts regular stress tests on large banks that impose extremely severe macroeconomic shocks and they show that the banks are resilient.”
Senate Banking grills regulators on crypto
On November 15, the Senate Committee on Banking, Housing, and Urban Affairs held a hearing entitled “Oversight of Financial Regulators: A Strong Banking and Credit Union System for Main Street” to hear from federal financial regulators about growing risks related to bank mergers, bailouts, climate change, crypto assets, and cyberattacks, among other topics. Committee Chairman Sherrod Brown (D-OH) opened the hearing by emphasizing that Congress “must stay vigilant and empower regulators with the tools to combat these growing risks,” and said that banks and credit unions must be able to partner with third parties in a manner that enables competition but without risking consumer money. He also warned that big tech companies and shadow banks should not be allowed to “play by different rules because of special loopholes.” In his opening statement, Ranking Member Patrick J. Toomey (R-PA) challenged the regulators to “not stray beyond their mandates into politically contentious issues or establish unnecessary new regulatory burdens,” pointing to the participation of the Federal Reserve Board, FDIC, and OCC in the Network for the Greening the Financial System as an example of politicizing financial regulation.
Testifying at the hearing were the Fed’s Vice Chair for Supervision Michael S. Barr, NCUA Chair Todd M. Harper, acting FDIC Chairman Martin J. Gruenberg, and acting Comptroller of the Currency Michael J. Hsu. Cryptocurrency concerns were a primary focus during the hearing, where Toomey asked the regulators why they still have not provided public clarity on banks’ involvement in crypto activities, such as providing custody services or issuing stablecoins.
Pointing to a major cryptocurrency exchange’s recent major collapse, Toomey pressed Hsu on whether the OCC “discourages banks from providing custody services” for crypto assets. Toomey speculated, “it seems to me if people had access to custody services provided by a wide range of institutions, including regulated financial institutions, they might be able to sleep more comfortably knowing that those assets are unlikely to be used for some completely inappropriate purpose.” Answering that the OCC discourages banks from engaging in activities that are not safe, sound, and fair, Hsu acknowledged that there are underlying fundamental issues and questions about what it means to control crypto through a custody “which have not been fully worked out.” Toomey emphasized that part of the obligation rests on the OCC to provide clarity on how banks could provide these services in a safe, sound, and fair manner, and stressed that currently these activities are operating in a space outside the regulatory perimeter. Barr agreed that it would be useful for the Fed to provide guidance to banks on how to safely custody crypto assets and said it is something he plans to work on with his colleagues.
Toomy further noted that Congress’s failure “to pass legislation in this space and the failure of regulators to provide clear guidance has created ambiguity that has driven developers and entrepreneurs overseas where regulations are often lax at best.” Senator Bill Haggerty (R-TN) cautioned that lawmakers should not resort to a “heavy-handed” regulatory response to the cryptocurrency exchange’s collapse. “No amount of poorly considered, knee-jerk over-regulation here in the U.S. would have prevented a foreign-domiciled company like [the collapsed cryptocurrency exchange] from doing what it did,” Haggerty said. “The fact of the matter is that crypto, much like all of finance, isn’t beholden to a specific country or a specific legal system, and by not acting and by failing to provide legal clarity here in the United States, Congress only incentivizes activity to migrate outside of our country’s borders,” Haggerty stated, adding that it is “important to recognize that whatever happened with a bad actor running a centralized exchange and defrauding customers” has “nothing to do with the technology underpinning crypto itself.” When asked by Sen. John Kennedy (R-LA) which regulator was responsible for watching the collapsed cryptocurrency exchange, Gruenberg said “I think in the first instance, you’d probably want to engage with the market regulators, the SEC and the CFTC, to talk about the activities and the authorities in this area.”
The regulators also discussed efforts to mitigate cybersecurity risks and strengthen information security within the banking industry. Hsu stressed during the hearing that “the greatest risk is the risk of complacency,” while noting in his prepared remarks that the OCC is aware of the risks associated with cybersecurity and has “encouraged banks to stay abreast of new technology and threats.” Barr pointed to the importance of operational resilience in his prepared remarks, noting that “technology-based failures, cyber incidents, pandemics, and natural disasters,” combined with the growing reliance on third-party service providers, expose banks to a range of operational risks that are often challenging to anticipate. Harper commented in his prepared remarks that the NCUA continues to provide guidance for credit unions to reinforce their ability to withstand potential cyberattacks, and recommends that credit unions report cyber incidents to the NCUA, the FBI, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In his prepared remarks, Gruenberg pointed to recent examination findings revealing that banks that have dedicated resources for implementing appropriate controls are better at defending against cyberattacks, and said the FDIC is “piloting technical examination aids that will help [] examiners focus on the controls [] found to be most effective in defending against these attacks.”
The House Financial Services Committee also held a hearing later in the week that focused on similar topics with the regulators. Chair Maxine Waters (D-CA) and Rep. Patrick McHenry (R-NC) also announced that the committee will hold a hearing in December to investigate the aforementioned cryptocurrency exchange’s collapse and understand the broader consequences the collapse may have on the digital asset ecosystem.
Fed releases Supervision and Regulation Report
Recently, the Federal Reserve Board released its Supervision and Regulation Report, which summarizes banking system conditions and the Fed’s supervisory and regulatory activities. The current report noted that even though the “vast majority of firms maintained capital above regulatory minimums,” and loan delinquencies were historically low with liquidity levels generally remaining high, increasing economic uncertainty “may create new risks for firms to manage.” In response, firms increased credit loss provisions during the first half of 2022 and started taking measures to prepare for weaker economic conditions. The report also revealed that while the financial condition of large banks generally remains sound, firms should take steps to ensure their stress analyses, liquidity, and capital positions are able to adjust to developing market conditions. The report also highlighted recent regulatory actions, including supervisory guidance issued in August for banks seeking to engage in crypto-asset-related activities (covered by InfoBytes here). The Fed commented that it will continue to work with the OCC and FDIC on crypto-asset-related policy initiatives. The report also discussed operational risks related to the transition from LIBOR to an alternative interest rate benchmark and measures to address climate change implications for banks.
OCC releases bank supervision operating plan for FY 2023
On October 6, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2023. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) strategic and operational planning; (ii) operational resiliency; (iii) third-party oversight and risk management; (iv) credit risk management with a focus on new products, areas of highest growth, and portfolios representing concentrations; (v) allowances for credit losses (ACL), including instances where ACL processes use third-party modeling techniques; (vi) interest rate risk; (vii) liquidity risk management; (viii) consumer compliance management systems with a focus on how programs are disclosed in relation to UDAP and UDAAP statutes; (ix) Bank Secrecy Act/AML compliance; (x) fair lending risks; (xi) Community Reinvestment Act strategies and the potential for modernization rulemaking; (xii) new products and services in areas such as payments, fintech, and digital assets; and (xiii) climate-change risk management. The plan will be used by OCC staff to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches and agencies of foreign banking organizations, and certain identified third-party service providers subject to OCC examination.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered here.
Fed announces pilot climate scenario analysis for large banks
On September 29, the Federal Reserve Board announced that six of the nation’s largest banks will participate in a pilot climate scenario analysis exercise intended to enhance the ability of supervisors and firms to measure and manage climate-related financial risks. The Fed noted that the scenario analysis, in which the resilience of banks is assessed under different hypothetical climate scenarios, is an emerging tool for assessing climate-related financial risks. The Fed further noted that the process is exploratory in nature and that “there will be no capital or supervisory implications from the pilot.” Over the course of the exercise, the participating banks will analyze the impacts of hypothetical climate scenarios on specific portfolios and business strategies. The climate analysis will be separate and distinct from bank stress tests, which are designed to assess whether large banks have enough capital to continue lending to households and businesses during a severe recession. The Fed noted that the climate scenario analysis "can assist firms and supervisors in understanding how climate-related financial risks may manifest and differ from historical experience.”
Treasury says financial system is critical in addressing climate change
On September 9, the U.S. Treasury Department’s Under Secretary for Domestic Finance Nellie Liang spoke at the Office of Financial Research’s Climate Implications for Financial Stability Conference discussing the Department’s efforts to assess climate-related risks to the economy, financial institutions, and investors. Pointing to several studies showing the increasing economic and financial costs of climate change, Liang noted that the financial system has a “critical role to play” in addressing climate-related financial risks and that regulators and standard setters have a “responsibility to make the financial system more resilient to climate change.” In particular, Liang identified a Financial Stability Oversight Council (FSOC) report that contained numerous recommendations for its members to consider to address climate change-related threats to financial stability. She also discussed interagency working groups created by FSOC to “bring together the agencies and leverage their efforts to improve data quality and availability, data infrastructure, climate risk metrics, and scenario analysis.” According to Liang, ongoing research—such as that presented at the event regarding how a bank’s climate commitments, the tax code, or borrowers’ scope disclosures “affect the[] cost and availability of credit, and the sensitivity of market-based measures of financial firms’ stress to climate risks”—is “important for regulators and policymakers to better understand private behavior and how incentives can help to manage climate-related financial risks.”
Fed vice chair for supervision outlines future priorities
On September 7, Federal Reserve Board Vice Chair for Supervision Michael Barr laid out his goals for making the financial system safer and fairer during a speech at the Brookings Institution, highlighting priorities related to risk-focused capital frameworks and bank resiliency, mergers and acquisitions, digital assets and stablecoins, climate-related financial risks, innovation, and Community Reinvestment Act modernization plans. Addressing issues related to resolvability, Barr signaled that the Fed would begin “looking at the resolvability of some of the other largest banks [in addition to globally systemically important banks] as they grow and as their significance in the financial system increases.” With respect to bank mergers, Barr commented that “the advantages that firms seek to gain through mergers must be weighed against the risks that mergers can pose to competition, consumers and financial stability.” He said he plans to work with Fed staff to assess how the agency performs merger analysis and whether there are areas for improvement. Barr also discussed financial stability risks posed by new forms of private money created through stablecoins and stressed that Congress should work quickly to enact legislation for bringing stablecoins (especially those intended to serve as a means of payment) within the prudential regulatory perimeter. He added that the Fed plans to make sure that the crypto activity of supervised banks “is subject to the necessary safeguards that protect the safety of the banking system as well as bank customers,” and said “[b]anks engaged in crypto-related activities need to have appropriate measures in place to manage novel risks associated with those activities and to ensure compliance with all relevant laws, including those related to money laundering.”
Treasury establishes data hub to assist with climate-risk assessments
On July 28, the U.S. Department of Treasury’s Office of Financial Research (OFR) announced the establishment of the Climate Data and Analytics Hub pilot, which will be used to help financial regulators assess risks to financial stability due to climate change. According to the announcement, the Climate Data and Analytics Hub permits participants to integrate data from across the federal government, including wildfire, crop condition, precipitation, and other climate-related data, with their public supervisory data for a more precise view of the relationship between climate change and financial stability risk. Additionally, it is “equipped with statistical and visualization applications that will allow deeper insight into climate-related financial risks and vulnerabilities.” Access to the pilot is initially limited to the Federal Reserve Board of Governors and the Federal Reserve Bank of New York, with the goal of expanding access to all of the Financial Stability Oversight Council member agencies. The OFR also released a Fact Sheet, which provides more information on the Climate Data and Analytics Hub.