InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Fed announces enforcement action against Kansas bank for operational deficiencies
On September 5, the Fed announced a cease and desist order (the “order”) against a Kansas bank holding company and its subsidiary bank (collectively, the “bank”) for having significant operational deficiencies, including deficiencies related to staffing, internal controls, credit risk management, lending and credit administration, capital, information technology and information security, books and records, regulatory reporting, liquidity and funds management, earnings, interest rate risk management, third-party risk management, and other deficiencies such as compliance with federal laws related to AML/BSA requirements.
The order directs the bank to, among other things, (i) strengthen board oversight; (ii) engage a third party to conduct an assessment of the bank’s corporate governance and staffing; (iii) improve lending and credit administration policies and procedures; (iv) correct the identified information technology and information security deficiencies; (v) revise its allowance for credit losses methodology to comply with supervisory guidance; (vi) enhance interest rate risk management practices; (vii) improve internal controls; (viii) submit a written plan to maintain sufficient capital; (ix) enhance liquidity risk management; and (x) improve the bank’s earnings and overall condition. The order also directs the Bank to improve its BSA/AML compliance program and internal audit program, and to take all necessary steps to correct all violations of law or regulation and to ensure future compliance.
FDIC announces launch of new examination portal
On September 5, the FDIC announced the launch of a new Banker Engagement Site (“BES”) through FDICconnect. The BES will provide a secure and efficient electronic portal through which financial institutions may exchange documents, information and communications for consumer compliance and Community Reinvestment Act examinations. BES will not be used for other FDIC examinations, including safety and soundness examinations. The announcement notes that the FDIC’s existing tool to exchange examination information, the Enterprise File Exchange, will continue to be used when the pre-planning for consumer compliance and CRA activity initiated prior to the availability of BES and also may be utilized in some additional circumstances.
Federal and state financial regulatory agencies issue joint statement on the effects of Hurricane Idalia on supervisory practices
On September 1, the FDIC, Fed, NCUA, OCC and CSBS issued a joint statement recognizing the serious impact of Hurricane Idalia on the customers and operations of many financial institutions in the effected area.
The guidance discusses the following aspects of financial institution operations:
- Lending: The agencies encourage financial institutions to work constructively with borrowers in affected communities, including prudent efforts to adjust existing loan terms, and declares that the agencies will not subject such efforts to examiner criticism. “The agencies recognize that efforts to work with borrowers in communities under stress can be consistent with safe-and-sound practices as well as in the public interest.”
- Temporary Facilities: The agencies understand that many financial institutions face staffing, power, telecommunications, and other challenges in re-opening facilities and will expedite, as appropriate, any request to operate in temporary facilities.
- Publishing Requirements: The agencies understand that the damage that the hurricane caused may affect compliance with publishing and other requirements for branch closings, relocations, and temporary facilities. Impacted institutions should contact their primary federal and/or state regulator.
- Regulatory Reporting Requirements: Impacted institutions that expect to encounter difficulty meeting the agencies' reporting requirements should contact their primary federal and/or state regulator to discuss their situation.
- Community Reinvestment Act: Financial institutions may receive CRA consideration for community development loans, investments or services that revitalize or stabilize federally designated disaster areas.
- Investments: The agencies encourage financial institutions to monitor municipal securities and loans affected by the hurricane, including those related to local government projects.
CFPB posts guidance on RESPA
On September 1, the CFPB posted guidance to its website that affirms guidance on the Real Estate Settlement Procedures Act (RESPA) that the Department of Housing and Urban Development previously issued. In 2011, the Dodd-Frank Act transferred responsibility for RESPA from HUD to the CFPB. At the time, the Bureau stated that it would apply “the official commentary, guidance, and policy statements” that HUD had issued on RESPA “pending further CFPB action” and would give “due consideration” to other (i.e., informal) guidance and interpretations. Although the Bureau has issued certain consent orders and other statements that may cast doubt on whether it interprets RESPA in the same manner that HUD did, in the most recent posting, the Bureau confirms that the list of documents posted by the Bureau generally “continue to be applied today by the CFPB.”
CFPB reaches $2.6 billion settlement with credit repair telemarketers
On August 28, the CFPB announced a proposed settlement with Utah-based credit repair telemarketers and various affiliates (collectively, "defendants") for allegedly committing deceptive acts and practices in violation of the Telemarketing Sales Rule (TSR) and the Consumer Financial Protection Act (CFPA) by collecting illegal advance fees. As previously covered by InfoBytes, in its initial lawsuit the CFPB alleged the defendants requested and received payment of “prohibited” upfront fees for telemarketed credit repair services when they signed up. In June, a district court ruling put a hold on the Bureau’s initial attempt to impose the settlement because of “outstanding issues of fact” which precluded it from entering the agency’s requested relief at that time (covered by InfoBytes here). The Bureau and defendants have now agreed to a new settlement which will, among other things, (i) impose over $2.7 billion in redress (understanding that the principal corporate defendant is in Chapter 11 bankruptcy proceedings); (ii) impose over $64 million in civil money penalties; (iii) ban defendants from telemarketing and from doing business with certain marketing affiliates for ten years; and (iv) require defendants to send a notice of the settlement to “any remaining enrolled customers who were previously signed up through telemarketing.”
The proposed settlement is subject to final approval by the court.
DOJ announces international malware action, recovers $8.6 million in illicit profits
On August 29, the DOJ announced a multinational operation involving the U.S., France, Germany, the Netherlands, the UK, Romania, and Latvia to “disrupt” a malware’s infrastructure called Qakbot. Attorney General Merrick B. Garland stated that, “[t]ogether with our international partners, the Justice Department has hacked Qakbot’s infrastructure, launched an aggressive campaign to uninstall the malware from victim computers in the United States and around the world, and seized $8.6 million in extorted funds. ” The main method by which the Qakbot malware spreads to target computers is via spam emails that contain harmful attachments or links. Upon successfully infecting a target computer, the DOJ mentioned that Qakbot gains the capability to introduce other types of malware, such as ransomware. Over the past few years, many ransomware collectives have used Qakbot as an initial avenue for initiating infections and has caused hundreds of millions of dollars in damages. The DOJ highlighted that “[t]he action represents the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals to commit ransomware, financial fraud, and other cyber-enabled criminal activity.”
SEC charges broker-dealer with failure to file suspicious activity reports
On August 29, the SEC announced that it had brought charges against a Chicago-based broker-dealer. The SEC alleged that between August 2012 and September 2020 the broker-dealer failed to file over 400 hundred legally required suspicious financial transaction reports related to over-the-counter securities transactions executed in the broker-dealer’s alternative trading system (ATS). According to the SEC’s order, it was found that the broker-dealer did not establish an anti-money laundering surveillance program until September 2020, despite having thousands of high-risk microcap and penny stock securities transactions executed daily on its ATS.
Daniel R. Gregus, Director of the SEC’s Chicago Regional Office, stated, “All SEC-registered broker-dealers have the responsibility to comply with the requirements of the Bank Secrecy Act, including the obligation to file SARs.”
Without admitting or denying that it violated Section 17(a) of the Securities Exchange Act and Rule 17a-8, the broker-dealer agreed to a censure and a cease-and-desist order, along with a $1.5 million penalty.
FDIC, Fed issue new rules and guidance aimed to strengthen resolution planning at large banks
On August 29, the FDIC and the Federal Reserve Board issued a joint press release inviting public comment on proposed guidance that serves to toughen requirements for non-G-SIB large bank holding companies’ resolution plans, or “living wills” that set forth strategies for rapid and orderly resolution under bankruptcy in the event of financial distress or failure. The proposed guidance, which includes guidance for both domestic triennial full filers and guidance for foreign triennial full filers, will generally apply to certain bank holding companies and foreign banking associations with between $250 billion and $700 billion in total assets. This guidance is separate from the guidance previously issued to the largest and most complex companies, which is already in place. The guidance (i) is organized around key areas of potential vulnerability, such as capital, liquidity, and operational capabilities; (ii) provides agency expectations for both single point of entry and multiple point of entry strategy needs; and (iii) proposes that foreign banking organizations develop U.S. resolution strategies that complement their global resolution plans. The proposed guidance will be published in the Federal Register, with comments due by November 30, 2023.
Separately on August 29, the FDIC approved a notice of proposed rulemaking to enhance resolution planning for insured depository institutions (IDIs) with at least $100 billion in total assets. The proposed rule would strengthen existing IDI resolution planning requirements under 12 CFR § 360.10 and would require a resolution submission from covered IDIs every two years, with limited filings in between. Covered IDIs would be required to submit comprehensive resolution plans that would “enhance current IDI resolution planning requirements by incorporating useful elements of existing guidance and important lessons learned from past plan reviews and from past large bank resolutions, including those earlier this year.” Additionally, IDIs with total assets of at least $50 billion but less than $100 billion would submit more limited informational filings and would not be required to develop a resolution strategy. Comments on the proposed rule are due by November 30, 2023.
OCC allows institutions in Florida affected by Hurricane Idalia to temporarily close
On August 29, the OCC issued a proclamation permitting OCC-regulated institutions, at their discretion, to close offices in areas of Florida affected by Hurricane Idalia “for as long as deemed necessary for bank operation or public safety.” In issuing the proclamation, the OCC noted that only bank offices directly affected by potentially unsafe conditions should close, and that banks should make every effort to reopen as quickly as possible to address customers’ banking needs. The proclamation directs institutions to OCC Bulletin 2012-28 for further guidance on natural disasters and other emergency conditions.
Find continuing InfoBytes coverage on disaster relief here.
FDIC releases July enforcement actions, including breaches of fiduciary duty and FDPA violations
On August 25, the FDIC announced a list of administrative enforcement actions taken against banks and individuals in July. The 10 orders include “two orders that combined a prohibition order and order to pay CMP; one combined personal consent order and order to pay CMP; four prohibition orders; one order modifying a prohibition order; one order of termination of deposit insurance; and one order to pay CMP for pattern or practice violations of the Flood Disaster Protection Act.” The FDIC assessed a civil money penalty against a North Dakota-based bank for alleged violations of the Flood Disaster Protection Act and the National Flood Insurance Act including providing or extending loans secured by a building or mobile home situated in or intended for placement within an area with a recognized risk of flooding, without promptly notifying the borrower and/or the servicer about the availability of flood insurance for the asset.