InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FinCEN Issues Advisory and Supplemental FAQs on Cyber-Events and Cyber-Enabled Crime
On October 25, FinCEN issued advisory bulletin FIN-2016-A005 reminding financial institutions of their Bank Secrecy Act (BSA) obligations to report certain cyber-events and cyber-enabled crime. The advisory highlights the importance of (i) reporting cyber-events and cyber-enabled crime through Suspicious Activity Reports (SARs); (ii) including cyber-related information such as IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information, in SAR reporting; (iii) collaborating with BSA/AML, cybersecurity, and other in-house units to facilitate “a more comprehensive threat assessment and develop appropriate risk management strategies to identify, report, and mitigate cyber-events and cyber-enabled crime”; and (iv) sharing cyber-related information – including specific malware signatures, IP addresses and device identifiers, and virtual currency addresses that seem anonymous – amongst financial institutions for the “purpose of identifying and, where appropriate, reporting money laundering or terrorist activities.” Importantly, the advisory distinguishes between mandatory SAR reporting of cyber-events, providing three specific examples, and voluntary reporting of cyber-events. Per the advisory, “[c]yber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”
FinCEN simultaneously issued FAQs to supplement advisory bulletin FIN-2016-A005. The FAQs, which supersede 2001 FAQs regarding computer intrusion, provide answers to a set of nine questions. The FAQs address, among other things, (i) when cyber-related SAR reports should be filed; (ii) the type of information that should be included in cyber-related SARs; and (iii) cyber-event and cyber-enabled crime information sharing, pursuant to Section 314(b) of the USA PATRIOT Act, between financial institutions.
FDIC Releases Report on the Unbanked; Captures Movement to Online Banking
On October 20, the FDIC released a report on the use of the traditional banking system in the United States. According to the FDIC’s executive summary of the report, the percentage of U.S. households in which no one had a checking or savings account (the “unbanked”) dropped to 7.0 in 2015. This is the lowest unbanked percentage since 2009, the year the FDIC began conducting an annual survey of unbanked and underbanked households. The FDIC cited several reasons why some households remain unbanked, the most common of which was the cost of maintaining an account, with an estimated 57.4% of respondents citing it as a factor in their decision not to maintain an account, and 37.8% of respondents citing it as the main reason underlying their decision not to maintain an account. Consistent with past survey results, the report notes that unbanked and underbanked rates are higher among lower-income households, less-educated households, younger households, minority households, and working-age disabled households. Additional findings highlighted in the report include: (i) a 1.9% increase from 2013-2015 in the use of prepaid cards; (ii) rapid growth (31.9% of users in 2015 compared to 23.2% in 2013) in the use of mobile and online banking, reflecting “promising opportunities to use the mobile platform to increase economic inclusion”; and (iii) an opportunity for banks to meet the credit needs of some households with an “unmet demand” for credit by “promoting the importance of building credit history, incorporating nontraditional data into underwriting, and increasing households’ awareness of personal credit products.”
Federal Banking Agencies Consider Joint ANPR to Address Cybersecurity Standards
On October 19, the FDIC, the OCC, and the Federal Reserve, issued an Advanced Notice of Proposed Rulemaking (ANPR) to further the “development of enhanced cyber risk management standards for the largest and most interconnected entities under their respective supervisory jurisdictions, and those entities’ service providers.” These standards, according to the ANPR, are intended to “increase the operational resilience” of supervised entities and their service providers and, based on the interconnectedness of these entities, “reduce the impact on the financial system in case of a cyber event experienced by one of these entities.” The ANPR proposes organizing enhanced cyber standards into the following categories: (i) cyber risk governance; (ii) cyber risk management; (iii) internal dependency management; (iv) external dependency management; and (v) incident response. The ANPR further explains that the banking agencies “are considering implementing the enhanced standards in a tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector.” Comments on the ANPR, which would not apply to community banks, are due January 17, 2017.
NYDFS Issues New Guidance on Banks' Incentive Compensation Arrangements
On October 11, the New York Department of Financial Services (NYDFS) issued new guidance regarding incentive compensation arrangements, advising “all regulated banking institutions that no incentive compensation may be tied to employee performance indicators, such as the number of accounts opened, or the number of products sold per customer, without effective risk management, oversight and control.” At a minimum, the guidance requires that a bank’s incentive compensation arrangement address the following principles: (i) balance between risks and rewards; (ii) effective controls and risk management; and (iii) effective corporate governance. NYDFS stated that a bank’s lack of compliance with the guidance will be reflected in its regulatory examination rating and may result in additional regulatory action.
The NYDFS’s recently released guidance comes in the wake of a September action taken jointly by the OCC and the CFPB over a bank’s alleged sales practices under which, in an effort to meet sales goals and earn financial rewards under the bank’s incentive compensation program, employees purportedly opened deposit and credit card accounts for consumers without obtaining those consumers’ consent.
OFAC Publishes Fact Sheet and FAQ Related to Termination of Burma Sanctions Program; Updates SDN List
On October 7, OFAC published a Fact Sheet and Frequently Asked Question (FAQ) number 481 regarding the implementation of the President’s Executive Order entitled “Termination of Emergency with Respect to the Actions and Policies of the Government of Burma.” OFAC’s fact sheet explains that all OFAC-administered restrictions and authorizations under the Burma sanctions program pertaining to banking with Burma, including 2012 and 2013 OFAC general licenses that authorized certain correspondent account activity with Burmese banks, are terminated pursuant to the Executive Order. FAQ 481 clarifies that “[p]ending OFAC enforcement matters will proceed irrespective of the termination of OFAC-administered sanctions on Burma, and OFAC will continue to review apparent violations of the [Burmese Sanctions Regulations], whether [such violations] came to the agency’s attention before or after the Burma sanctions program was terminated.” In connection with terminating the Burma-related sanctions program, OFAC made several deletions to its SDN List.
OFAC Updates Iran-Related FAQs
On October 7, OFAC updated its Frequently Asked Questions (FAQs) relating to the Listing of Certain U.S. Sanctions under the Joint Comprehensive Plan of Action (JCPOA). In addition to adding three FAQs related to due diligence (see M.10 through M.12), OFAC amended two FAQs (C.7 and C.15) regarding Financial and Banking Measures and one FAQ (K.19) related to Foreign Entities Owned or Controlled by U.S. Persons. FAQ M.10 clarifies that while “[i]t is not necessarily sanctionable for a non-U.S. person to engage in transactions with an entity that is not on the SDN List but that is minority owned, or that is controlled in whole or in part, by an Iranian or Iran-related person on the SDN List,” it is recommended that persons engaging in such transactions exercise caution to ensure that they do not involve Iranian or Iran-related persons on the SDN List. FAQs M.11 and M.12, respectively, address (i) due diligence expectations related to the screening of potential Iranian counterparties; and (ii) the circumstances under which OFAC expects a non-U.S. financial institution to repeat the due diligence their customers have already performed on an Iranian customer.
ABA and Regional Members Lend Perspective on CFPB's Proposed Rule on Payday, Title, and Certain Other Installment Loans
On October 7, the American Bankers Association (ABA) sent a comment letter to the CFPB regarding the agency’s proposed rule on payday, title, and certain other installment loans. Describing the proposal as “exceedingly and unnecessarily complex,” the ABA argues that the proposed rule imposes significant restrictions on the small-dollar credit industry by limiting financial institutions’ ability to make small-dollar loans to consumers in need of such credit. In addition to asserting that the proposal reflects an over-reach of the CFPB’s statutory authority to regulate unfair, deceptive or abusive acts or practices, the comment letter contends that, if adopted, the proposed rule would, among other things, (i) “stifle innovation in consumer lending, reduce consumer choice, and directly harm the very borrowers [it] was intended to protect”; (ii) impose an unlawful cap on interest rates; (iii) regulate insurance, thereby violating the Dodd-Frank Act; and (iv) levy substantial costs on consumers and lenders. Furthermore, the comment letter includes several testimonials to illustrate how receiving short-term credit helped consumers establish credit and overcome arduous financial conditions. In an effort to safeguard affordable financial services, the ABA urged the CFPB to “protect the ability of community banks to continue to meet small dollar lending needs.” In particular, the ABA sought to exempt entities that make no more than 2,500 loans subject to the proposed rule in the course of a year “if those loans comprise no more than 10% of the lender’s gross annual revenue.”
In addition to the ABA’s comment letter, various regional ABA members, such as individual banks and state bankers associations, sent a letter to CFPB Director Richard Cordray expressing concern about the “substantial barriers and costs” the proposed rule would impose if adopted. ABA members called on the CFPB to “restore its previously proposed ‘5 percent payment-to-income ratio’ alternative compliance option” so that banks may maintain their ability to offer small-dollar credit.
OCC Releases Bulletin on Revised Examination Procedures for the Military Lending Act
On October 7, following the Federal Reserve’s and the CFPB’s leads, the OCC released Bulletin 2016-33 advising financial institutions of updated interagency examination procedures for compliance with the Department of Defense’s (DoD) Military Lending Act (MLA) July 2015 final rule. As previously summarized in BuckleySandler’s Special Alert, the DoD issued an interpretive rule regarding the amendments to the regulations implementing the MLA on August 26, 2016. The 2015 final rule went into effect for consumer credit products other than credit cards on October 3, 2016. The requirements will take effect for credit card accounts one year later, on October 3, 2017. The OCC plans to include the updated interagency examination procedures in the Comptroller’s Handbook.
OCC Issues Bulletin Regarding Mandatory Contractual Stay Requirements for Qualified Financial Contracts
On October 3, the OCC issued Bulletin 2016-31 seeking comment on a proposed rule intended to “enhance the resilience and the safety and soundness of federally chartered and licensed financial institutions.” Pursuant to the proposal, a covered bank would be required to ensure that a covered qualified financial contract (i) contains a contractual stay-and-transfer provision equivalent to those contained in the Dodd-Frank Act’s stay-and-transfer provision under title II and in the Federal Deposit Insurance Act; and (ii) restricts the use of default rights based on an affiliate’s insolvency. Moreover, the proposal would “make conforming amendments in certain definitions in the capital adequacy standards in 12 CFR 3 and the liquidity risk measurement standards in 12 CFR 50.” Comments on the proposed rule are due by October 18, 2016.
FinCEN Assesses Civil Money Penalty Against Nevada-Based Casino for BSA/AML Violations
On October 3, FinCEN assessed a $12 million civil money penalty against a Nevada-based casino for willfully violating the anti-money laundering (AML) provisions of the Bank Secrecy Act (BSA). Pursuant to the Statement of Facts, from March 2009 through September 28, 2015, the casino allegedly failed to (i) develop and implement an effective AML program reasonably designed to ensure compliance with the BSA; (ii) exercise due diligence in its monitoring of suspicious activity; and (iii) maintain sufficient AML compliance controls, procedures, training, and audits, which resulted in multiple filing and recordkeeping control violations. As part of the FinCEN’s Assessment and the Non-Prosecution Agreement filed by the U.S. Attorney’s Officers, the casino must (i) perform a series of required Remedial Measures to ensure compliance going forward; and (ii) conduct a look-back review to ensure that suspicious transactions and attempted transactions were appropriately reported for transactions that occurred between 2010 and 2013.