InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FDIC, Fed issue new rules and guidance aimed to strengthen resolution planning at large banks
On August 29, the FDIC and the Federal Reserve Board issued a joint press release inviting public comment on proposed guidance that serves to toughen requirements for non-G-SIB large bank holding companies’ resolution plans, or “living wills” that set forth strategies for rapid and orderly resolution under bankruptcy in the event of financial distress or failure. The proposed guidance, which includes guidance for both domestic triennial full filers and guidance for foreign triennial full filers, will generally apply to certain bank holding companies and foreign banking associations with between $250 billion and $700 billion in total assets. This guidance is separate from the guidance previously issued to the largest and most complex companies, which is already in place. The guidance (i) is organized around key areas of potential vulnerability, such as capital, liquidity, and operational capabilities; (ii) provides agency expectations for both single point of entry and multiple point of entry strategy needs; and (iii) proposes that foreign banking organizations develop U.S. resolution strategies that complement their global resolution plans. The proposed guidance will be published in the Federal Register, with comments due by November 30, 2023.
Separately on August 29, the FDIC approved a notice of proposed rulemaking to enhance resolution planning for insured depository institutions (IDIs) with at least $100 billion in total assets. The proposed rule would strengthen existing IDI resolution planning requirements under 12 CFR § 360.10 and would require a resolution submission from covered IDIs every two years, with limited filings in between. Covered IDIs would be required to submit comprehensive resolution plans that would “enhance current IDI resolution planning requirements by incorporating useful elements of existing guidance and important lessons learned from past plan reviews and from past large bank resolutions, including those earlier this year.” Additionally, IDIs with total assets of at least $50 billion but less than $100 billion would submit more limited informational filings and would not be required to develop a resolution strategy. Comments on the proposed rule are due by November 30, 2023.
Warren urges Fed to finalize capital requirements for large banks
On August 29, Senator Elizabeth Warren (D-MA) sent a letter to the Fed regarding its recent notice of proposed rulemaking, urging them to “finalize the rules as quickly as possible.” In July, the Fed announced amendments to the regulatory capital requirements for large banking organizations that would implement the final components of the Basel III agreement (previously covered by InfoBytes here). Warren noted that she is concerned about the Fed’s intent to seek potential modifications as it could result in weakening the proposed rule. Warren also warned that big bank lobbyists has been “engaging in a full-court press to fend off higher capital requirements” before the release of the proposed rule, and that big banks lobbying expenditures were up 20 percent compared to the same period of time in the previous year, indicating a “clear effort to fend off stronger rules” following recent bank failures. The senator finally noted that the capital bank requirements are a threat to bank’s “massive payouts for executives and shareholders.”
Fed issues enforcement action against state bank and its holding company
On August 17, the Fed announced an enforcement action against a state bank and its holding company for failing to comply with conditions imposed during the approval process for the bank to become a member of the Federal Reserve System and subsequent application for acquisition. Namely, the order provides that, among other conditions and limitations, the bank was required to provide advance notice of any change in its business plan, and was found to have changed the business plan without the requisite prior written approval. As part of the order, the bank will wind down its operations as part of a purchase agreement where it will sell its assets to a third-party bank and it will ensure the conservation of capital, preservation of cash assets, and will limit its business activities to only those necessary to consummate the purchase agreement.
Agencies announce guidance regarding institutions affected by Hawaiian wildfires.
On August 17, the Federal Reserve Board, the FDIC, the Hawaii Department of Commerce and Consumer Affairs’ Division of Financial Institutions, the NCUA, and the OCC issued a joint interagency statement covering supervisory practices for financial institutions affected by the Hawaiian wildfires. The agencies announced that, among other things, the regulators would expedite requests made by institutions for temporary operating facilities. The regulators noted that in most cases, “telephone notice to the primary federal and/or state regulator will suffice” for such requests. The agencies also encouraged financial institutions to work with borrowers in affected communities, explaining that “prudent efforts” to adjust terms on existing loans should not be subject to examiner criticism, in light of the unusual circumstances faced by the financial institutions.
Further, the agencies announced that they understood that damage caused by the wildfires may affect the ability of institutions to comply with publishing requirements for branch closings, relocations, or temporary locations, and instructed institutions experiencing such difficulties to contact their primary federal and/or state regulator. The agencies additionally instructed institutions that face difficulty meeting reporting requirements due to the wildfires to contact their primary federal and/or state regulator, explaining that the agencies “do not expect to assess penalties or take other supervisory action” against institutions that take reasonable steps to comply with reporting requirements. The agencies also announced that financial institutions may receive CRA consideration for loans, investments, or services that revitalize or stabilize federally designated disaster areas. Finally, the agencies encouraged financial institutions to monitor any municipal securities and loans affected by the Hawaii wildfires.
GAO calls for enhanced oversight of blockchain, alternative data
On August 8, the U.S. Government Accountability Office (GAO) released letters sent to the OCC, SEC, FDIC and the Fed to provide an update on GAO’s “priority open recommendations” for each regulator. Priority open recommendations refer to suggestions from GAO to bank regulators that have the potential for cost savings, elimination of mismanagement, fraud, and abuse, or addressing high-risk or duplication issues. GAO suggested that all four agencies follow its recommendation to coordinate oversight of blockchain technology. GAO referenced recent “volatility, bankruptcies, and instances of fraud in the crypto asset markets” and underscored the dangers to consumers and investors without safeguards. GAO suggests regulators jointly establish a formal coordination method to promptly identify and address risks tied to blockchain.
For the three banking regulators in particular—the OCC, FDIC, and Fed—GAO noted that in 2011 it recommended that the three banking regulators implement noncapital triggers for early regulatory intervention tied to risky banking practices, but that such triggers had not yet been implemented. GAO also suggested that banking regulators and the “communicate the appropriate use of alternative data in the underwriting process with banks that engage in third-party relationships with fintech lenders.”
GAO’s letter to the Fed restated GAO’s 2016 recommendation that the Fed design “a process to communicate information about the uncertainty surrounding post-stress capital ratio estimates” and “articulate tolerance levels for key risks identified through sensitivity testing and for the degree of uncertainty in the projected capital ratios.” GAO also recommended that the Fed revisit its “prompt corrective action framework” by “adopting noncapital triggers that would require early and forceful regulatory actions tied to unsafe banking practices.”
Governor Hochul unveils statewide cybersecurity strategy for New York
On August 9, Governor Hochul announced New York’s first-ever statewide cybersecurity strategy to protect the state’s digital infrastructure from cyber threats. The cybersecurity strategy articulates a set of high-level objectives and agency roles and responsibilities, as well as outlines how existing and planned initiatives will be weaved together in a unified approach. The central principles of the strategy are unification, resilience, and preparedness, with a focus on state agencies working together with local governments to strengthen the entire state’s defenses. Included in the plan was a $600 million commitment to improve cybersecurity, including (i) a $90 million investment for cybersecurity in Fiscal Year 2024; (ii) $500 million to enhance healthcare information technology; and (iii) $7.4 million for law enforcement entities to expand their cybercrime capabilities.
Senators call for stronger Fed oversight over bank mergers
On August 9, Senators Sherrod Brown (D-OH), Elizabeth Warren (D-MA), Jack Reed (D-RI), and John Fetterman (D-PA) wrote a letter to the Chair and Vice Chair of Supervision for the Board of Governors of the Federal Reserve System urging the Fed to “review and reconsider” its procedures for approving bank mergers. The letter cites the Dodd-Frank Act’s amendment to the Bank Merger Act, which mandates that federal banking regulators consider whether a proposed merger “would result in greater or more concentrated risks” to the stability of the banking or financial system. The senators also voiced concern that the Fed has “not issued any rules or guidance indicating the types of bank mergers that would implicate financial stability concerns” and criticized the process around the Fed’s approval of recent acquisitions.
Fed suggests enhancing supervision of “novel activities” by banks
On August 8, the Federal Reserve Board announced the issuance of two supervision letters that elaborate on the its program to supervise “novel activities” such as fintech partnerships, crypto-related activities, and activities using distributed ledger or “blockchain” technology. The first letter, SR 23-7, announces the establishment of the “Novel Activities Supervision Program,” a program designed to “ensure that the risks associated with innovation” supported by new technologies are managed appropriately by the bank. The program will focus on (i) technology-driven partnerships with non-banks; (ii) crypto-asset related activities such as asset custody, crypto-collateralized lending, asset trading, and crypto issuance and distribution; (iii) exploration or use of distributed ledger technology; and (iv) concentration of banking services to crypto-asset related entities and fintech companies. Supervisory teams will be tasked with monitoring and examining these novel activities within the existing supervisory portfolios and will take a risk-based approach on the level and intensity of supervision. The letter concludes that “the Program will also operate in keeping with the principle that banking organizations are neither prohibited nor discouraged from providing banking services to customers or any specific class or type” as permitted by law.
In the second supervisory letter, SR 23-8, the Fed announced a “nonobjection process” for banks seeking to engage in certain dollar token activities. Previously, the OCC issued an interpretive letter permitting national banks to use distributed ledger technology (or similar) to conduct payments using dollar tokens, as long as the bank could demonstrate adequate controls. (Covered by InfoBytes here). The letter clarifies that any bank supervised by the Fed that wishes to engage in those same activities must first obtain a written notice of supervisory nonobjection from the Fed. In order to do so, the bank must be able to demonstrate it has implemented adequate risk management practices, taking into account operational, cybersecurity, liquidity, illicit finance, and consumer compliance risks, among others. The bank must also demonstrate that it is aware of and can comply with laws applicable to the activities.
FFIEC updates BSA/AML examination manual
On August 2, the Federal Financial Institutions Examination Council (FFIEC) updated its Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual, which provides examiners with instructions for assessing a bank or credit union’s BSA/AML compliance program and adherence to BSA regulatory requirements. The revisions include updates to the following sections:
- Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activity
- Due Diligence Programs for Correspondent Accounts for Foreign Financial Institutions
- Due Diligence Programs for Private Banking Accounts
- Prohibition on Correspondent Accounts for Foreign Shell Banks; Records Concerning Owners of Foreign Banks and Agents for Service of Legal Process
- Summons or Subpoena of Foreign Bank Records; Termination of Correspondent Relationship; Records Concerning Owners of Foreign Banks and Agents for Service of Legal Process
- Reporting Obligations on Foreign Bank Relationships with Iranian-Linked Financial Institutions
The FFIEC noted that the “updates should not be interpreted as new instructions or as a new or increased focus on certain areas,” but rather are intended to “provide information and considerations related to certain customers that may indicate the need for bank policies, procedures, and processes to address potential money laundering, terrorist financing, and other illicit financial activity risks.” In addition, the Manual itself does not establish requirements for financial institutions, which are found in applicable statutes and regulations but rather reinforce the agency’s risk-focused approach to BSA/AML examinations.
Fed’s annual report: cybersecurity risk management & emerging threats
On August 1, the Fed released its 2023 Cybersecurity and Financial System Resilience Report. Required annually by the Consolidated Appropriations Act, 2021, the report describes the measures the Fed has taken to strengthen cybersecurity within the financial services sector and its supervision and regulation of financial institutions and service providers across the past year. The report details the Fed’s activities in the space, including issuing regulations and guidance for supervised institutions, examining and monitoring supervised institutions’ risk management, and collecting data on relevant cybersecurity incidents. Recent actions highlighted in the report include the publication of an updated Cybersecurity Resource Guide for Financial Institutions, a proposal to update the operational risk management requirements in Regulation HH for systematically important financial market utilities, and final joint guidance issued in conjunction with the FDIC and OCC regarding banking organizations’ risk management of third-party relationships. The Fed also describes the steps it is taking to protect its own operations and assets from cybersecurity threats.
With respect to supervisory activities, the Fed notes that it “has observed improvement in cybersecurity practices over the past several years resulting from supervised institutions’ efforts to address supervisory findings as well as proactive steps taken by the institutions.” The report notes that the Fed is taking measures to address OIG recommendations relating to the effectiveness of its cybersecurity incident response process, including updating the cybersecurity incident response process’s mission and governance structure and enhancing guidance and training. The report describes the Fed’s close coordination with other participants in the global financial system in addressing cybersecurity risk, including domestic and international agencies, governance bodies, financial regulators, and industry.
Finally, the report describes current and emerging threats to the financial system, including (i) geopolitical tensions and accompanying cyberattacks; (ii) cyber-criminal activity involving ransomware as a service, targeting of authentication mechanism weaknesses, and collaboration among cyberthreat actors; (iii) increasing potential of a supply chain or third-party attack; (iv) cyber risks associated with third-party providers; (v) insider threats; and (vi) other emerging technology-related threats, such as risks inherent to machine learning and quantum computing capabilities.