InfoBytes Blog

Financial Services Law Insights and Observations

  • Republicans seek answers from OCC on bank-fintech partnerships

    Federal Issues

    On October 11, House Financial Services Committee Ranking Member Patrick McHenry (R-NC), joined by Republican members of the Task Force on Financial Technology, sent a letter to acting Comptroller of the Currency Michael J. Hsu asking for clarification on the OCC’s position regarding bank-fintech partnerships. The lawmakers asserted that the OCC previously “worked to provide banks and their customers with a clear understanding of the regulatory and supervisory expectations surrounding emerging products and services,” as well as how to properly assess risk, but contended that leadership under the current administration has not continued to do so. Citing the importance of innovation to the U.S. economy and the impact new financial products and services can have on costs, inclusion, and competition, the letter expressed concerns related to the potential for further uncertainty surrounding these partnerships and the resulting consequences for consumers. “Technological innovation fostered by fintech partnerships has enabled banks to reach segments of the population that may have been left behind and increase customer engagement,” the lawmakers wrote, expressing their belief that the benefits from these partnerships far outweigh the risks. “Much of this innovation has been driven by industry newcomers that have developed a novel product or business model. When properly regulated, these partnerships can provide greater financial inclusion, spur technological innovation, and foster competition that ultimately benefits consumers.”

    Referring to an action taken by President Biden in June 2021, which repealed the OCC’s “true lender” rule pursuant to the Congressional Review Act (covered by InfoBytes here), the lawmakers asked the OCC whether it anticipates fintech partnerships ending as a result of potential regulatory changes, and questioned how the agency plans to “ensure that examiners do not discourage innovation through fintech partnerships” or “impose unreasonable burdens on banks and fintechs.” The letter also asked the OCC to respond to a series of questions, including, among other things, how it plans to determine the acceptable terms for bank-fintech partnerships, how it intends to analyze fintechs that are helping to bring the banking business into the digital era, and how examiners will evaluate a bank’s assessments of third parties’ cybersecurity risk management and resilience capabilities and whether such evaluations will “be carefully tailored to the actual risk posed by the particular bank-fintech partnership.”

    Federal Issues Bank Regulatory House Financial Services Committee OCC Fintech Third-Party Risk Management

  • OCC announces updated FFIEC cyber resource guide

    On October 6, the OCC announced that the Federal Financial Institutions Examination Council (FFIEC) issued an update to the FFIEC Cybersecurity Resource Guide for Financial Institutions. According to the OCC, the 2022 FFIEC Cybersecurity Resource Guide for Financial Institutions provides a list of voluntary programs and actionable initiatives that are intended to help financial institutions meet their security control objectives and respond to cyber incidents. The 2022 guide rescinds and replaces the 2018 guide, and applies to a wide range of financial institutions including community banks. Highlights of the guidance include: (i) updated resource links for the Assessment, Exercise, Information Sharing, and Response and Reporting categories; and (ii) new ransomware specific resources.

    Bank Regulatory Federal Issues OCC FFIEC Privacy, Cyber Risk & Data Security

  • OCC orders bank to improve oversight of fintech partnerships

    Recently, a national bank disclosed an agreement reached with the OCC that requires the bank to improve its oversight and management of third-party fintech partnerships. According to an SEC filing, the OCC found unsafe or unsound practices related to the bank’s third-party risk management, Bank Secrecy Act (BSA)/anti-money laundering risk management, suspicious activity reporting, and information technology control and risk governance. Under the terms of the agreement, the bank must, within 10 days of the agreement, appoint a compliance committee comprised mostly of members from outside the bank to meet at least quarterly and provide progress reports outlining the results and status of the mandated corrective actions. Within 60 days of the agreement, the bank must also adopt and implement guidelines for assessing risks posed by third-party fintech partnerships and address how the bank “identifies and assesses the inherent risks of the products, services, and activities performed by the third-parties, including but not limited to BSA, compliance, operational, liquidity, counterparty and credit risk as applicable.” Additionally, the bank must establish criteria for their board of directors' review and approval of third-party fintech relationship partners, as well as how it will assess “BSA risk for each third-party fintech relationship partner, including risk associated with money laundering, terrorist financing, and sanctions risk as well as the third-party’s processes for mitigating such risks and complying with applicable laws and regulations.” The agreement also requires due diligence, monitoring, and contingency plan measures.

    The agreement further stipulates that the bank’s board and management shall, within 90 days, (i) set up written BSA risk assessment guidelines; (ii) adopt an independent audit program; (iii) implement expanded risk-based policies, procedures, and processes to obtain and analyze appropriate customer due diligence, enhanced due diligence, and beneficial ownership information, including for fintech businesses; (iv) develop and adhere to a set of standards to ensure timely suspicious activity monitoring and reporting; and (v) establish a program to assess and manage the bank’s information technology activities, including those conducted by third-party partners. The bank must also conduct a suspicious activity review lookback within 30 days.

    Bank Regulatory Federal Issues Fintech OCC Third-Party Risk Management Bank Secrecy Act Anti-Money Laundering SARs Financial Crimes Customer Due Diligence

  • Hsu discusses challenges facing community banks

    On September 1, acting Comptroller of the Currency Michael J. Hsu delivered remarks before the Texas Bankers Association in Dallas focusing on the importance of community banks and the challenges and opportunities of digitalization. In his remarks, Hsu emphasized the OCC’s commitment to community banks, noting that more than 85 percent of the charters that the OCC supervises are community banks, which total nearly 900 individual institutions. He said that the OCC seeks to support community banks in five areas: (i) assessments; (ii) de novo licensing; (iii) risk-based supervision; (iv) local presence and national perspective; and (v) regulation. In particular, Hsu said the OCC is working to provide increased support for community banks by streamlining the licensing process for de novo banks and updating its approach to risk-based supervision. Hsu noted that the recent reduction in assessments is part of an effort by regulators to encourage community banks to invest in digital technologies. He stated that his “experiences in the 2008 financial crisis taught [him] about the disastrous consequences that can result from an unlevel playing field where regulatory arbitrage and races to the bottom are allowed to fester.” He added that while he has been at the OCC, the agency has been “requiring fintechs seeking a bank charter to be subject to the same requirements as all national banks and we are engaging with our peer agencies to limit regulatory arbitrage.” Hsu also noted that in order to “level the playing field,” the OCC will make a 40 percent reduction in assessment fees on a bank's first $200 million in assets and a 20 percent reduction on bank assets between $200 million and $20 billion. Hsu said that the cuts will result in a $41.3 million reduction in assessments for community banks in 2023. 
    Hsu explained that “[t]he purpose of this adjustment is to level the playing field with the cost of supervision compared to state community bank charters,” and that “[t]he recalibration will not reduce the quality of OCC supervision or the resources available to community banks.” Hsu mentioned that he is “hopeful” that the reduction gives community banks “extra breathing space and capacity to invest and seize opportunities related to digitalization, compliance, cybersecurity, and personnel.”

    Bank Regulatory Federal Issues OCC Community Banks Assessments Fintech Digitalization

  • Agencies seek comment on renewing FFIEC’s cybersecurity assessment tool

    On August 8, the OCC, the Federal Reserve Board, the FDIC, and the NCUA (collectively, “Agencies”) issued a notice in the Federal Register soliciting comments on the renewal of the Federal Financial Institutions Examination Council’s cybersecurity assessment tool. According to the notice, the Agencies are seeking comment on, among other things: (i) “[w]hether the collection of information is necessary for the proper performance of the functions of the agencies, including whether the information has practical utility”; (ii) “[t]he accuracy of the Agencies’ estimates of the burden of the collection of information”; (iii) how to “enhance the quality, utility, and clarity of the information to be collected”; and (iv) “minimiz[ing] the burden of the collection on respondents.” Comments are due 30 days after publication in the Federal Register.

    Bank Regulatory Agency Rule-Making & Guidance Federal Issues OCC Federal Reserve FDIC NCUA FFIEC Privacy, Cyber Risk & Data Security

  • OCC reports on cybersecurity and financial system resilience

    Privacy, Cyber Risk & Data Security

    Recently, the OCC released its annual report on cybersecurity and financial system resilience, which describes its cybersecurity policies and procedures, including those adopted in accordance with the Federal Information Security Modernization Act. According to the report, cybersecurity and operational resilience are “top issues for the federal banking system.” The OCC also noted that it has implemented regulations and standards requiring banks to implement information security programs and protect confidential information. For example, the Interagency Guidelines Establishing Standards for Safety and Soundness “require insured banks to have internal controls and information systems appropriate for the size of the institution and for the nature, scope, and risk of its activities and that provide for, among other requirements, effective risk assessment and adequate procedures to safeguard and manage assets.” OCC regulations also, among other things, require banks to file Suspicious Activity Reports when a known or suspected violation of federal law, a suspicious transaction related to illegal activity, or a violation of the Bank Secrecy Act is detected. In regard to examination manuals, the OCC also noted that it uses a risk-based supervision process to evaluate banks’ risk management, identify material and emerging concerns, and require banks to take corrective action when warranted. The report also discussed current and emerging cybersecurity and resilience threats to the banking sector, which include ransomware, account takeover, supply chain risks, and geopolitical threats. Additionally, the OCC noted that it “monitor[s] longer-term technology developments, which may affect cybersecurity and resilience in the future.” The use of artificial intelligence, including machine learning, is one such development that may impact cybersecurity, according to the OCC.

    Privacy, Cyber Risk & Data Security OCC Bank Regulatory Bank Secrecy Act Artificial Intelligence

  • OCC seeks comments on BSA/AML risk assessment

    On June 8, the OCC issued a notice in the Federal Register seeking comments concerning its information collection titled, ‘‘Bank Secrecy Act/Money Laundering Risk Assessment,’’ also known as the Money Laundering Risk (MLR) System. According to the notice, the MLR System “enhances the ability of examiners and bank management to identify and evaluate Bank Secrecy Act/Money Laundering and Office of Foreign Asset Control (OFAC) sanctions risks associated with banks’ products, services, customers, and locations.” The notice stated that the agency will collect MLR information for OCC supervised community and trust banks, and explained that the annual Risk Summary Form (RSF), which collects data about different products, services, customers, and geographies (PSCs), will include three significant changes in 2022. The changes in the 2022 RSF are: (i) the addition of six new PSCs; (ii) the addition of three new customer types under the money transmitters category; and (iii) the deletion of four existing PSCs. Comments close on August 8.

    Bank Regulatory Agency Rule-Making & Guidance Federal Issues OCC Federal Register Bank Secrecy Act Anti-Money Laundering OFAC Risk Management Financial Crimes Of Interest to Non-US Persons

  • Acting FDIC Chairman Gruenberg outlines CRA NPRM

    On June 13, acting FDIC Chairman Martin J. Gruenberg provided remarks before the National Community Reinvestment Coalition (NCRC) regarding the Community Reinvestment Act (CRA). In his remarks, Gruenberg discussed “ten important provisions” in the rule proposed by the Federal Reserve Board, FDIC, and OCC in May. As previously covered by InfoBytes, the notice of proposed rulemaking (NPRM) updates how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. Calling the CRA “the foundation of responsible finance for low- and moderate-income communities in the United States,” Gruenberg noted that the “NPRM would significantly expand the scope and rigor of CRA and assure its continued relevance for the next generation.” To expand the scope of the CRA, he explained that the NPRM would “establish new retail lending assessment areas to allow for CRA evaluation in communities where a bank may be engaging in significant lending activity but where the bank does not have a branch.” He also noted that the NPRM would “raise the bar for CRA performance on the retail lending test in order for a bank to earn an outstanding or high satisfactory rating.” With respect to greater clarity for CRA evaluations, Gruenberg said that the NPRM would “clearly define community development activities by establishing eleven proposed categories of community development.” Regarding minority depository institutions, Gruenberg said that the NPRM “creates a specific community development definition for eligible activities, such as investments, loan participations, and other ventures conducted by all banks with these institutions.” Additionally, he noted that the NPRM would address credit or banking deserts, including rural areas, native lands, and areas of persistent poverty, and would encourage the retention or establishment of branches in low-to-moderate-income communities and low-cost transaction accounts.

    Bank Regulatory Federal Issues FDIC Federal Reserve OCC CRA MDI

  • Agencies overhaul CRA requirements

    On May 5, the Federal Reserve Board, FDIC, and OCC (collectively, “agencies”) issued a joint notice of proposed rulemaking (NPRM) on new regulations implementing the Community Reinvestment Act (CRA) to update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. According to the NPRM, the “CRA encourages banks to help meet the credit needs of the local communities in which they are chartered, consistent with a bank’s safe and sound operations, by requiring the Federal banking regulatory agencies to examine banks’ records of meeting the credit needs of their entire community, including low- and moderate-income neighborhoods.” The agencies are, among other things, proposing to:

    • Expand access to credit, investment, and banking services in low- and moderate-income (LMI) communities to promote community engagement and financial inclusion. The proposal would also evaluate bank lending to small businesses and farms with gross annual revenues of $250,000 or less to maintain focus on the borrowers with the greatest need;
    • Adapt changes to update CRA assessment areas to include activities associated with online and mobile banking, branchless banking, and hybrid models;
    • Use a retail lending volume screen and metric-based performance ranges to evaluate a bank’s retail lending volumes. CRA evaluations of retail lending and community development financing will include public benchmarks for greater clarity and consistency. The proposal would also clarify eligible CRA activities, such as affordable housing, that are focused on LMI, underserved, and rural communities;
    • Tailor CRA evaluations and data collection to recognize differences in bank size and business models. Smaller banks would continue to be evaluated under the existing CRA framework with the option of being evaluated under aspects of the proposed framework; and
    • Maintain a unified approach across agencies and incorporate stakeholder feedback.

    The agencies also released a Fact Sheet describing key elements of the proposal. Acting Comptroller of the Currency, Michael J. Hsu, called the issuance of the joint NPRM an “important milestone” in bringing the three federal banking agencies back together to develop a uniform approach for addressing inequalities in credit access and other financial services. Fed Governor Lael Brainard pointed out that “[t]he last major revisions to the CRA regulations were made in 1995.” “The CRA is one of our most important tools to improve financial inclusion in communities across America, so it is critical to get reform right,” she stressed. CFPB Director Rohit Chopra, who voted in favor of the NPRM as an FDIC board member, said the proposal “better effectuates Congressional directives intended to ensure that the needs of historically underserved individuals and communities are adequately met,” but reminded policymakers that it is also important “to consider whether nonbank mortgage lenders should also be required to better meet the needs of the communities they serve.” Treasury Secretary Janet Yellen similarly applauded the release of the NPRM. Comments on the NPRM are due August 5.

    A Buckley Special Alert is forthcoming.

    Bank Regulatory Federal Issues Agency Rule-Making & Guidance Federal Reserve FDIC OCC Department of Treasury CFPB CRA Consumer Finance

  • OCC updates Large Bank Supervision booklet

    On March 8, the OCC updated the Large Bank Supervision booklet of the Comptroller’s Handbook, which is used by OCC examiners during the examination and supervision of midsize and large national banks and federal savings associations, foreign-owned U.S. branches and agencies, and international operations of midsize and large banks. The updated booklet rescinds the 2019 version and includes a revised core assessment, “which will be effective for core assessment summaries using financial information as of March 31, 2022.” Among other things, the revised booklet (i) clarifies expectations related to the preparation and documentation of a bank’s core assessment summary; (ii) combines core assessment and risk assessment system information into the “Core Assessment” section; (iii) updates core assessment factors and subfactors; (iv) clarifies the difference between an annual core assessment summary and quarterly supervision updates; (v) updates supervisory activity types to include “focused review,” consistent with OCC current practices; and (vi) includes additional consistency and clarity updates.

    Bank Regulatory Federal Issues OCC Comptroller's Handbook Of Interest to Non-US Persons Examination Supervision
