InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
OCC orders bank to improve oversight of fintech partnerships
Recently, a national bank disclosed an agreement reached with the OCC that requires the bank to improve its oversight and management of third-party fintech partnerships. According to an SEC filing, the OCC found unsafe or unsound practices related to the bank’s third-party risk management, Bank Secrecy Act (BSA)/anti-money laundering risk management, suspicious activity reporting, and information technology control and risk governance. Under the terms of the agreement, the bank must, within 10 days of the agreement, appoint a compliance committee comprised mostly of members from outside the bank to meet at least quarterly and provide progress reports outlining the results and status of the mandated corrective actions. Within 60 days of the agreement, the bank must also adopt and implement guidelines for assessing risks posed by third-party fintech partnerships and address how the bank “identifies and assesses the inherent risks of the products, services, and activities performed by the third-parties, including but not limited to BSA, compliance, operational, liquidity, counterparty and credit risk as applicable.” Additionally, the bank must establish criteria for their board of directors' review and approval of third-party fintech relationship partners, as well as how it will assess “BSA risk for each third-party fintech relationship partner, including risk associated with money laundering, terrorist financing, and sanctions risk as well as the third-party’s processes for mitigating such risks and complying with applicable laws and regulations.” The agreement also requires due diligence, monitoring, and contingency plan measures.
The agreement further stipulates that the bank’s board and management shall, within 90 days, (i) set up written BSA risk assessment guidelines; (ii) adopt an independent audit program; (iii) implement expanded risk-based policies, procedures, and processes to obtain and analyze appropriate customer due diligence, enhanced due diligence, and beneficial ownership information, including for fintech businesses; (iv) develop and adhere to a set of standards to ensure timely suspicious activity monitoring and reporting; and (v) establish a program to assess and manage the bank’s information technology activities, including those conducted by third-party partners. The bank must also conduct a suspicious activity review lookback within 30 days.
Fed urges banks to assess legality of crypto activities
On August 16, the Federal Reserve Board issued supervisory letter SR 22-6 recommending steps that Fed-supervised banking organizations engaging or seeking to engage in crypto-asset-related activities should take. The Fed stressed that organizations must assess whether such activities are legally permissible and determine whether any regulatory filings are required under the federal banking laws. Organizations should also notify the regulator and “have in place adequate systems, risk management, and controls to conduct such activities in a safe and sound manner” prior to commencing such activities. Risk management controls should cover, among other things, “operational risk (for example, the risks of new, evolving technologies; the risk of hacking, fraud, and theft; and the risk of third-party relationships), financial risk, legal risk, compliance risk (including, but not limited to, compliance with the Bank Secrecy Act, anti-money laundering requirements, and sanctions requirements), and any other risk necessary to ensure the activities are conducted in a manner that is consistent with safe and sound banking and in compliance with applicable laws, including applicable consumer protection statutes and regulations,” the supervisory letter explained, adding that state member banks are also encouraged to contact their state regulator before engaging in any crypto-asset-related activity. Organizations already engaged in crypto activities should contact the Fed “promptly” if they have not already done so, the agency said, noting that supervisory staff will provide any relevant supervisory feedback in a timely manner.
The supervisory letter follows an interagency statement released last November by the Fed, OCC, and FDIC (covered by InfoBytes here), which announced the regulators’ intention to provide greater clarity on whether certain crypto-asset-related activities conducted by banking organizations are legally permissible.
FDIC issues advisory on crypto companies’ deposit insurance claims
On July 29, the FDIC announced an advisory addressing certain misrepresentations about FDIC deposit insurance made by some crypto companies. The advisory, among other things, reminded insured banks that they must be aware of how FDIC insurance operates as well as the need to assess, manage, and control risks arising from third-party relationships, including those with crypto companies. The advisory noted that recently “some crypto companies have suspended withdrawals or halted operations," and that in certain cases, "these companies have represented to their customers that their products are eligible for FDIC deposit insurance coverage, which may lead customers to believe, mistakenly, that their money or investments are safe.” In dealing with crypto companies, the agency cautioned that “FDIC-insured banks should confirm and monitor that these companies do not misrepresent the availability of deposit insurance.” The FDIC also issued a Fact Sheet reminding the public that the FDIC only insures deposits held in insured banks and savings associations and only in the event of an insured bank’s failure. The FDIC does not insure assets issued by non-bank entities, such as crypto companies.
OCC reports on key risks facing the federal banking system
On June 23, the OCC released its Semiannual Risk Perspective for Spring 2022, which reports on key risks threatening the safety and soundness of national banks, federal savings associations, and federal branches and agencies. The OCC reported that as “banks continue to navigate the operational- and market-related impacts of the pandemic along with substantial government stimulus, current geopolitics have tightened financial conditions and increased downside risk to economic growth.” However, the OCC noted that banks’ financial conditions remain strong and that banks are well-positioned to “deal with the economic headwinds arising from geopolitical events, higher interest rates and increased inflation.”
The OCC highlighted operational, compliance, interest rate, and credit risks as key risk themes in the report. Observations include: (i) operational risk, including evolving cyber risk, is elevated, with an observed increase in attacks on the financial services industry given current geopolitical tensions; (ii) compliance risk remains heightened as banks navigate the current operational environment, regulatory changes, and policy initiatives; and (iii) credit risk remains moderate, with banks facing certain areas of weakness and potential longer-term implications resulting from the Covid-19 pandemic, inflation, and direct and indirect effects of the war in Ukraine. Staffing challenges among banks also present risks, with challenges posed by “strong competition” in the labor market.
The report also discussed the importance of appropriate due diligence of new digital asset products and services. The OCC said that it “continues to engage on an interagency basis to analyze various crypto-asset use cases,” and is looking to “provide further clarity on legal permissibility, as well as safety and soundness and compliance considerations related to crypto-assets” in the banking industry.
The OCC further stated it “will continue to monitor the development of climate-related financial risk management frameworks at large banks,” and reported that “OCC large-bank examination teams will integrate the examination of climate-related financial risk into supervision strategies and continue to engage with bank management to better understand the challenges banks face in this effort, including identifying and collecting appropriate data and developing scenario analysis capabilities and techniques.”
OCC discusses use of AI
On May 13, OCC Deputy Comptroller for Operational Risk Policy Kevin Greenfield testified before the House Financial Services Committee Task Force on Artificial Intelligence (AI) discussing banks' use of AI and innovation in technology services. Among other things, Greenfield addressed the OCC’s approach to innovation and supervisory expectations, as well as the agency’s ongoing efforts to update its technological framework to support its bank supervision mandate. According to Greenfield’s written testimony, the OCC “recognizes the paramount importance of protecting sensitive data and consumer privacy, particularly given the use of consumer data and expanded data sets in some AI applications.” He noted that many banks use AI technologies and are investing in AI research and applications to automate, augment, or replicate human analysis and decision-making tasks. Therefore, the agency “is continuing to update supervisory guidance, examination programs and examiner skills to respond to AI’s growing use.” Greenfield also pointed out that the agency follows a risk-based supervision model focused on safe, sound, and fair banking practices, as well as compliance with laws and regulations, including fair lending and other consumer protection requirements. This risk-based approach includes developing supervisory strategies based upon an individual bank’s risk profile and examiners’ review of new, modified, or expanded products and services. Greenfield further noted that “the OCC is focused on educating examiners on a wide range of AI uses and risks including risks associates with third parties, information security and resilience, compliance, BSA, credit underwriting, and fair lending and data governance, as part of training courses and other educational resources.” According to Greenfield’s oral statement, “banks need effective risk management and controls for model validation and explainability, data management, privacy, and security regardless of whether a bank develops AI tools internally or purchases through a third party.”
OCC warns of key cybersecurity and climate-related banking risks
On December 6, the OCC reported in its Semiannual Risk Perspective for Fall 2021 the key issues facing national banks and federal savings associations and the effects of Covid-19 on the federal banking industry. The agency reported that although banks showed resilience in the current environment with satisfactory credit quality and strong earnings, weak loan demand and low net interest margins continue to affect performance.
The OCC identified elevated operational risk as banks continue to face increasingly complex cyberattacks, pointing to an increase in ransomware attacks across financial services. While innovation and technological advances can help counter such risks, the OCC warned they also come with additional concerns given the expansion of remote financial services offered through personally owned computers and mobile devices, remote work options due to the Covid-19 pandemic, and the reliance on third-party providers and cloud-based environments. “The adoption of innovative technologies to facilitate financial services can offer many benefits to both banks and their customers,” the report stated. “However, innovation may present risks. Risk management and control environments should keep pace with innovation and emerging trends and a comprehensive understanding of risk should be achieved to preserve effective controls. Examiners will continue to assess how banks are managing risks related to changes in operating environments driven by innovative products, services, and delivery channels.”
The report calls on banks to “adopt robust threat and vulnerability monitoring processes and implement stringent and adaptive security measures such as multi-factor authentication or equivalent controls” to mitigate against cyber risks, adding that critical systems and records must be backed up and stored in “immutable formats that are isolated from ransomware or other destructive malware attacks.”
The report further highlighted heightened compliance risks associated with the changing environment where banks serve consumers in the end stages of various assistance programs, such as the CARES Act’s PPP program and federal, state, and bank-initiated forbearance and deferred payment programs, which create “increased compliance responsibilities, high transaction volumes, and new types of fraud.”
The report also discussed credit risks, strategic risk challenges facing community banks, and climate-related financial risks. The OCC stated it intends to request comments on its yet-to-be-published climate risk management framework for large banks (covered by InfoBytes here) and will “develop more detailed expectations by risk area” in 2022.
States, consumer advocates urge agencies to explicitly disavow rent-a-bank schemes
On October 18, consumer advocates and several state attorneys general and financial regulators responded to a request for comments issued by the OCC, Federal Reserve Board, and the FDIC on proposed interagency guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with fintech-focused entities. (See letters here and here.) As previously covered by InfoBytes, the proposed guidance addressed key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Consumer advocates and the states, however, expressed concerns that the agencies’ proposed guidance does not “highlight the significant risks associated with high-cost lending involving third-party relationships,” and does not include measures to prevent banks from entering into nonbank lending partnerships (e.g. “rent-a-bank schemes”).
According to the consumer advocates’ letter, the agencies’ guidance “should unequivocally declare that it is inappropriate for a bank to rent out its charter to enable attempted avoidance of state consumer protection laws, in particular interest rate and fee caps, or state oversight through licensing regimes.” The consumer advocates stated that they are aware of six FDIC-supervised banks involved in rent-a-bank schemes with nonbank lenders making allegedly illegal high-cost loans, and urged the FDIC to take immediate, “overdue” action to put an end to them. Among other things, the consumer advocates said the new guidance should explicitly specify: (i) that a bank’s involvement in lending that exceeds state interest rate limits with a nonbank is a “critical activity”; (ii) that lending partnerships involving loans exceeding a fee-inclusive 36 percent annual percentage rate (APR) “pose especially high risks”; and (iii) that in instances where a loan exceeds the Military Lending Act’s 36 percent APR, the federal banking supervisor will directly examine the third-party partner and charge the bank for the cost of the examination.
The states wrote in their letter that “experience teaches us that, in the absence of an explicit disavowal of rent-a-bank schemes, the [p]roposed [g]uidance invites continued abuse of banks’ interest exportation rights, to the considerable detriment of state regulation, consumer protection, and banks’ safety and soundness.” The states strongly encouraged the agencies to “explicitly disavow rent-a-bank schemes.”
OCC releases bank supervision operating plan for FY 2022
On October 15, the OCC’s Committee on Bank Supervision released its bank supervision operating plan for fiscal year 2022. The plan outlines the agency’s supervision priorities and highlights several supervisory focus areas including: (i) strategic and operational planning; (ii) credit risk management, including allowances for loan and lease losses and credit losses; (iii) cybersecurity and operational resiliency; (iv) third-party oversight; (v) Bank Secrecy Act/anti-money laundering compliance; (vi) consumer compliance management systems and fair lending risk assessments; (vii) Community Reinvestment Act performance; (viii) LIBOR phase-out preparations; (ix) payment systems products and services; (x) fintech partnerships involving potential cryptocurrency-related activities and other services; and (xi) climate-change risk management. The plan will be used by OCC staff members to guide the development of supervisory strategies for individual national banks, federal savings associations, federal branches, federal agencies, and technology service providers.
The OCC will provide updates about these priorities in its Semiannual Risk Perspective, as InfoBytes has previously covered.
Agencies extend comment period on proposed third-party relationship risk management guidance
On September 10, the OCC, Federal Reserve Board, and FDIC extended the comment period on the regulators’ proposed interagency guidance designed to aid banking organizations in managing risks related to third-party relationships, including relationships with fintech-focused entities. The deadline has been extended to October 18 and interested parties may submit comments until the deadline.
As previously covered by InfoBytes, the proposed guidance addresses key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Coupled with the release of a Federal Reserve Board paper describing community bank and fintech partnerships, as well as interagency guidance to help community banks evaluate fintech relationships (covered by InfoBytes here), the federal bank regulators are demonstrating continued and increased focus on third-party risk management issues.
Federal agencies seek comments on third-party relationships
On July 13, the Federal Reserve Board, FDIC, and OCC announced a request for public comments on proposed guidance designed to aid banking organizations manage risks related to third-party relationships, including relationships with financial technology-focused entities. The guidance also responds to industry feedback requesting alignment among the agencies with respect to third-party risk management guidance. The proposed guidance provides “a framework based on sound risk management principles for banking organizations to consider in developing risk management practices for all stages in the life cycle of third-party relationships that takes into account the level of risk, complexity, and size of the banking organization and the nature of the third-party relationship.” The proposal addresses key components of risk management, such as (i) planning, due diligence and third-party selection; (ii) contract negotiation; (iii) oversight and accountability; (iv) ongoing monitoring; and (v) termination. Comments on the proposal are due 60 days after publication in the Federal Register.