
InfoBytes Blog

Financial Services Law Insights and Observations


  • FDIC Releases 2016 Annual Report; Separately, FDIC’s OIG Issues Report Critical of Bank Service Provider Contracts

    Privacy, Cyber Risk & Data Security

    On February 15, the FDIC released its 2016 Annual Report, which includes, among other things, the audited financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund. The report also provides an overview of key FDIC initiatives, performance results and other aspects of FDIC operations.

    Separately, on the same day, the FDIC’s Office of Inspector General (OIG) released an Audit Report (EVAL-17-004) on the adequacy of a small but random sample of contracts between FDIC-supervised institutions and their technology service providers (TSPs), measured against federal law and banking agency guidance on customer privacy protection and the management of third-party relationships. All sampled contracts had been designated as “critical” or “high” risk to the supervised institutions’ operations. The OIG specifically evaluated, and generally found insufficient, the clarity of contract provisions on TSP obligations regarding: (i) business continuity planning; and (ii) responding to and reporting on cybersecurity incidents. Despite the insufficiencies noted, the OIG acknowledged that because many contracts were negotiated before some of the relevant guidance was issued, “more time is needed to allow FDIC and FFIEC efforts to have a demonstrable” impact on contractual language.

    As a result of these findings, the OIG recommended—and FDIC management agreed—that the agency, after allowing appropriate time for current guidance to be implemented, conduct a “full horizontal review to assess” any continued presence of the contractual insufficiencies noted in the report. The FDIC will “prepare” that horizontal review in 2018.

    Privacy/Cyber Risk & Data Security FDIC FFIEC OIG Vendor Management

  • OCC Supplements Exam Procedures Covering Third-Party Relationships: Risk Management Guidance

    Federal Issues

    On January 24, the OCC released Bulletin 2017-7 advising national banks, federal savings associations and technology service providers of examination procedures issued to supplement Bulletin 2013-29, “Third-Party Relationships: Risk Management Guidance,” issued October 30, 2013. As previously summarized in BuckleySandler’s Special Alert, Bulletin 2013-29 requires banks and federal savings associations (collectively, “banks”) to provide comprehensive oversight of third parties, and warns that failure to have in place an effective risk management process commensurate with the risk and complexity of a bank’s third-party relationships “may be an unsafe and unsound banking practice.” Bulletin 2013-29 outlined a “life cycle” approach and provided detailed descriptions of steps that a bank should consider taking at five important stages of third-party relationships: (i) planning; (ii) due diligence and third-party selection; (iii) contract negotiation; (iv) ongoing monitoring; and (v) termination. Following the OCC’s issuance of Bulletin 2013-29, the Federal Reserve Board, on December 5, 2013, issued Supervision and Regulation Letter 13-19, which details and attaches the Fed’s Guidance on Managing Outsourcing Risk (SR 13-19). The FRB Guidance is substantially similar to Bulletin 2013-29.

    Bulletin 2017-7 outlines procedures designed to help prudential bank examiners: (i) tailor supervisory examinations of each bank commensurate with the level of risk and complexity of the bank’s third-party relationships; (ii) assess the quantity of the bank’s risk associated with its third-party relationships; (iii) assess the quality of the bank’s risk management of third-party relationships involving critical activities; and (iv) determine whether there is an effective risk management process throughout the life cycle of the third-party relationship. Consistent with the life cycle approach established in Bulletin 2013-29, the examination procedures identify steps examiners should take in requesting information relevant to assessing the banks’ third-party relationship risk management relative to each phase of the life cycle.

    For additional background, please see our Spotlight Series: Vendor Management in 2015 and Beyond.

    Federal Issues Banking Federal Reserve OCC Risk Management Vendor Management

  • CFPB Clarifies "Flexibility" in Third-Party Risk Management

    Federal Issues

    On November 1, the CFPB issued an update to its previous guidance on risk management for third-party service providers. The update is substantially similar to the Bureau’s previous guidance on third-party risk management, but clarifies that the depth and formality of an entity’s risk management program for service providers may vary depending upon (i) the service being performed, and (ii) the service provider’s compliance with federal consumer financial laws and regulations. With this update, the CFPB emphasized that supervised entities have the flexibility to tailor the risk management of these relationships appropriately.

    Federal Issues Banking Consumer Finance CFPB Risk Management Vendor Management

  • CFPB Reissues Guidance on Service Providers

    Federal Issues

    On October 26, the CFPB published Bulletin 2016-02 on service providers to amend previously issued guidance covered in Bulletin 2012-03. Bulletin 2016-02 seeks to clarify that supervised banks and nonbanks have flexibility in managing the risks of service provider relationships. Specifically, the CFPB advises that “the depth and formality of the risk management program for service providers may vary depending upon the service being performed —its size, scope, complexity, importance and potential for consumer harm—and the performance of the service provider in carrying out its activities in compliance with Federal consumer financial laws and regulations.” The CFPB plans to post Bulletin 2016-02 on its website on October 31, 2016.

    Federal Issues Banking Consumer Finance CFPB Nonbank Supervision Bank Supervision Vendor Management

  • California AG Harris Launches New Consumer Privacy Tool

    State Issues

    On October 14, California AG Harris released an online complaint form designed to help consumers report potential violations of the California Online Privacy Protection Act (CalOPPA). Pursuant to the CalOPPA, commercial websites and online services collecting consumer information are required to post privacy policies that include “the categories of information collected, the types of the third parties with whom the operator may share that information, instructions regarding how the consumer can review and request changes to his or her information, and the [policy’s] effective date.” As part of AG Harris’s “multi-pronged” effort to improve online privacy for consumers, the form will allow consumers to “crowdsource” privacy policy violations, thus “exponentially increasing the California Department of Justice’s ability to identify and notify those in violation of CalOPPA.”

    State Issues State Attorney General Data Collection / Aggregation Privacy/Cyber Risk & Data Security Vendor Management

  • Federal Banking Agencies Consider Joint ANPR to Address Cybersecurity Standards

    Federal Issues

    On October 19, the FDIC, the OCC, and the Federal Reserve issued an Advance Notice of Proposed Rulemaking (ANPR) to further the “development of enhanced cyber risk management standards for the largest and most interconnected entities under their respective supervisory jurisdictions, and those entities’ service providers.” These standards, according to the ANPR, are intended to “increase the operational resilience” of supervised entities and their service providers and, given the interconnectedness of these entities, “reduce the impact on the financial system in case of a cyber event experienced by one of these entities.” The ANPR proposes organizing enhanced cyber standards into the following categories: (i) cyber risk governance; (ii) cyber risk management; (iii) internal dependency management; (iv) external dependency management; and (v) incident response. The ANPR further explains that the banking agencies “are considering implementing the enhanced standards in a tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector.” Comments on the ANPR, which would not apply to community banks, are due January 17, 2017.

    Federal Issues FDIC Banking Federal Reserve OCC Agency Rule-Making & Guidance Privacy/Cyber Risk & Data Security Vendor Management

  • FFIEC Revises Information Security Booklet

    Privacy, Cyber Risk & Data Security

    On September 9, the FFIEC updated its Information Security booklet, a key element of its Information Technology Examination Handbook. The booklet is intended to provide examiners with guidance on assessing a financial institution’s information security operations, and is divided into the following four main sections: (i) Governance of the Information Security Program; (ii) Information Security Program Management; (iii) Security Operations; and (iv) Information Security Program Effectiveness. In addition to offering technology-centric recommendations such as encryption, the booklet advises firms to create security processes and risk assessments “commensurate with their operational complexities.” It also advises financial institutions to “have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” As expected, the booklet highlights the importance of implementing effective oversight of third-party service providers. Pursuant to sub-section II.C.20, in order to ensure effective oversight of third-party service providers, management should, among other things, determine whether third parties identify, measure, mitigate, monitor, and report cyber risks so as to “facilitate a comprehensive understanding of the institution’s exposure to third-party cyber threats.”

    Examination FFIEC Vendor Management Privacy/Cyber Risk & Data Security

  • OCC Senior Deputy Comptroller Highlights the Importance of SCRA and MLA Compliance

    Consumer Finance

    On August 29, OCC Senior Deputy Comptroller Grovetta Gardineer delivered remarks at the 2016 Association of Military Banks of America Workshop, emphasizing the significance of banks’ compliance with the Servicemembers Civil Relief Act (SCRA) and the Military Lending Act (MLA). Although Gardineer noted that SCRA-related issues have decreased since the OCC made SCRA compliance an examination focus, she stressed that room for improvement remains. Gardineer advised banks to perform due diligence on third-party vendors, noting that banks “will be held accountable for failures” by their third-party vendors. Gardineer further cautioned that, in light of the new MLA requirements taking effect on October 3, banks must ensure that they properly identify military borrowers entitled to the MLA’s expanded coverage, which will include “nearly all consumer credit covered under the Truth in Lending Act.”

    TILA OCC SCRA Military Lending Act Vendor Management

  • FDIC Seeks Comments on Proposed Guidance for Third-Party Lending

    Consumer Finance

    On July 29, the FDIC issued FIL-50-2016 to request comments on the agency’s proposed Guidance for Third-Party Lending, which aims to “set forth safety and soundness and consumer compliance measures FDIC-supervised institutions should follow when lending through a business relationship with a third party.” Pursuant to the proposed guidance, third-party lending would be defined as “a lending arrangement that relies on a third party to perform a significant aspect of the lending process.” Intended to supplement the FDIC’s 2008 Guidance for Managing Third-Party Risk, the proposed guidance seeks to establish specific expectations for third-party lending arrangements. FIL-50-2016 includes 10 questions related to (i) the proposed definition of third-party lending and the scope of the guidance; (ii) the potential risks arising from the use of third parties, with a particular emphasis on risks associated with third-party lending programs; (iii) the proposed expectations for establishing a third-party lending risk management program, including expectations around strategic planning, policy development, risk assessment, due diligence and ongoing oversight, model risk management, vendor oversight, and contract structuring and review; (iv) supervisory considerations, including, but not limited to, credit underwriting and administration, loss recognition practices, and consumer compliance; and (v) the proposed examination procedures, which would establish “a 12-month examination cycle for institutions with significant third-party lending programs, including for those institutions that may otherwise qualify for an 18-month examination cycle.” Comments on the proposed guidance, with a particular emphasis on the questions posed in FIL-50-2016, are due by October 27, 2016.

    FDIC Online Lending Risk Management Vendor Management

  • CFPB Orders National Bank to Pay $10 Million Over Overdraft Practices

    Consumer Finance

    On July 14, the CFPB ordered a Delaware-based national bank to pay a $10 million civil penalty to settle allegations that its overdraft fee practices were deceptive and violated Regulation E, which implements the Electronic Fund Transfer Act, because the bank allegedly charged consumers overdraft fees in connection with ATM and one-time debit card transactions without obtaining their affirmative consent. The CFPB alleges that the bank incentivized sales representatives of a third-party telemarketing vendor to market its overdraft service through “Opt-in Call Campaigns.” According to the consent order, vendor representatives deviated from sales scripts approved by the bank and provided consumers with incomplete, inaccurate, or misleading information to persuade them to enroll in the overdraft service. The CFPB alleges that the bank failed to properly monitor the vendor and detect “widespread problems” throughout the Opt-in Call Campaigns, including, but not limited to: (i) enrolling consumers in the bank’s overdraft program without their consent; (ii) falsely advertising the overdraft program as free, when in fact consumers were charged $35 per overdraft; (iii) misleading consumers into believing they would be charged overdraft fees regardless of whether or not they signed up for the program, or telling consumers they would face additional charges if they opted out of the program; and (iv) falsely claiming that the purpose of the call was “not a sales call” but rather to let consumers know that the bank had changed its name.

    In addition to imposing a $10 million civil penalty, the consent order requires the bank to, among other things, (i) validate that all consumers who were enrolled in the program through its vendor wish to remain in the program; (ii) stop using a vendor to conduct the marketing of its overdraft service; and (iii) develop and implement a new or revised written policy to govern vendor management for service providers engaged in telemarketing of consumer financial products or services.

    CFPB Overdraft EFTA Vendor Management
