On December 6, the OCC reported in its Semiannual Risk Perspective for Fall 2021 the key issues facing national banks and federal savings associations and the effects of Covid-19 on the federal banking industry. The agency reported that although banks showed resilience in the current environment with satisfactory credit quality and strong earnings, weak loan demand and low net interest margins continue to affect performance.
The OCC identified elevated operational risk as banks continue to face increasingly complex cyberattacks, pointing to an increase in ransomware attacks across financial services. While innovation and technological advances can help counter such risks, the OCC warned they also come with additional concerns given the expansion of remote financial services offered through personally owned computers and mobile devices, remote work options due to the Covid-19 pandemic, and the reliance on third-party providers and cloud-based environments. “The adoption of innovative technologies to facilitate financial services can offer many benefits to both banks and their customers,” the report stated. “However, innovation may present risks. Risk management and control environments should keep pace with innovation and emerging trends and a comprehensive understanding of risk should be achieved to preserve effective controls. Examiners will continue to assess how banks are managing risks related to changes in operating environments driven by innovative products, services, and delivery channels.”
The report calls on banks to “adopt robust threat and vulnerability monitoring processes and implement stringent and adaptive security measures such as multi-factor authentication or equivalent controls” to mitigate cyber risks, adding that critical systems and records must be backed up and stored in “immutable formats that are isolated from ransomware or other destructive malware attacks.”
The report further highlighted heightened compliance risks associated with the changing environment where banks serve consumers in the end stages of various assistance programs, such as the CARES Act’s PPP program and federal, state, and bank-initiated forbearance and deferred payment programs, which create “increased compliance responsibilities, high transaction volumes, and new types of fraud.”
The report also discussed credit risks, strategic risk challenges facing community banks, and climate-related financial risks. The OCC stated it intends to request comments on its yet-to-be-published climate risk management framework for large banks (covered by InfoBytes here) and will “develop more detailed expectations by risk area” in 2022.
On October 18, consumer advocates and several state attorneys general and financial regulators responded to a request for comments issued by the OCC, Federal Reserve Board, and the FDIC on proposed interagency guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with fintech-focused entities. (See letters here and here.) As previously covered by InfoBytes, the proposed guidance addressed key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Consumer advocates and the states, however, expressed concerns that the agencies’ proposed guidance does not “highlight the significant risks associated with high-cost lending involving third-party relationships,” and does not include measures to prevent banks from entering into nonbank lending partnerships (e.g. “rent-a-bank schemes”).
According to the consumer advocates’ letter, the agencies’ guidance “should unequivocally declare that it is inappropriate for a bank to rent out its charter to enable attempted avoidance of state consumer protection laws, in particular interest rate and fee caps, or state oversight through licensing regimes.” The consumer advocates stated that they are aware of six FDIC-supervised banks involved in rent-a-bank schemes with nonbank lenders making allegedly illegal high-cost loans, and urged the FDIC to take immediate, “overdue” action to put an end to them. Among other things, the consumer advocates said the new guidance should explicitly specify: (i) that a bank’s involvement in lending that exceeds state interest rate limits with a nonbank is a “critical activity”; (ii) that lending partnerships involving loans exceeding a fee-inclusive 36 percent annual percentage rate (APR) “pose especially high risks”; and (iii) that in instances where a loan exceeds the Military Lending Act’s 36 percent APR, the federal banking supervisor will directly examine the third-party partner and charge the bank for the cost of the examination.
The states wrote in their letter that “experience teaches us that, in the absence of an explicit disavowal of rent-a-bank schemes, the [p]roposed [g]uidance invites continued abuse of banks’ interest exportation rights, to the considerable detriment of state regulation, consumer protection, and banks’ safety and soundness.” The states strongly encouraged the agencies to “explicitly disavow rent-a-bank schemes.”
On October 15, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2022. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) strategic and operational planning; (ii) credit risk management, including allowances for loan and lease losses and credit losses; (iii) cybersecurity and operational resiliency; (iv) third-party oversight; (v) Bank Secrecy Act/anti-money laundering compliance; (vi) consumer compliance management systems and fair lending risk assessments; (vii) Community Reinvestment Act performance; (viii) LIBOR phase-out preparations; (ix) payment systems products and services; (x) fintech partnerships involving potential cryptocurrency-related activities and other services; and (xi) climate-change risk management. The plan will be used by OCC staff members to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches, federal agencies, and technology service providers.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered.
On September 10, the OCC, Federal Reserve Board, and FDIC extended the comment period on the regulators’ proposed interagency guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with fintech-focused entities. The deadline has been extended to October 18 and interested parties may submit comments until the deadline.
As previously covered by InfoBytes, the proposed guidance addresses key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Coupled with the release of a Federal Reserve Board paper describing community bank and fintech partnerships, as well as interagency guidance to help community banks evaluate fintech relationships (covered by InfoBytes here), the federal bank regulators are demonstrating continued and increased focus on third-party risk management issues.
On July 13, the Federal Reserve Board, FDIC, and OCC announced a request for public comments on proposed guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with financial technology-focused entities. The guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance. The proposed guidance provides “a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.” The proposal addresses key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Comments on the proposal are due 60 days after publication in the Federal Register.