
InfoBytes Blog

Financial Services Law Insights and Observations


  • Federal Banking Agencies Urge Financial Institutions to Conduct Diversity Self-Assessments

    Consumer Finance

    On August 2, the Federal Reserve, OCC, and FDIC released FAQs regarding their standards for assessing the diversity policies and practices of regulated entities. Following the June 10, 2015 Federal Register publication titled “Final Interagency Policy Statement Establishing Joint Standards for Assessing the Diversity Policies and Practices of Entities Regulated by the Agencies” (Policy Statement), the FAQs seek to clarify the agencies’ standards for entities conducting self-assessments of their diversity policies. Although self-assessments are voluntary, the banking agencies strongly encourage financial institutions to disclose their diversity policies, diversity practices, and self-assessment information on their websites and provide the same to their primary federal financial regulator.

    FDIC Federal Reserve OCC Diversity

  • FFIEC Issues Cybersecurity Statement, Comments on Recent Attacks on Interbank Messaging and Payment Networks

    Privacy, Cyber Risk & Data Security

    On June 7, the FFIEC issued a statement on behalf of its members (the OCC, Federal Reserve, FDIC, NCUA, CFPB, and State Liaison Committee) advising financial institutions to “actively manage the risks associated with interbank messaging and wholesale payment networks.” According to the statement, recent cyber attacks against interbank networks and wholesale payment systems have demonstrated the ability to: (i) bypass information security controls and compromise a financial institution’s wholesale payment origination environment; (ii) “obtain and use valid operator credentials with the authority to create, approve, and submit messages”; (iii) make use of a sophisticated understanding of funds transfer operations and operational controls; (iv) disable security logging and reporting by using highly customized malware, as well as conceal and delay detection of fraudulent transactions through the use of other operational controls; and (v) quickly transfer stolen funds across multiple jurisdictions.

    Due to the potential financial loss and compliance risk associated with the unauthorized transactions, the statement reminds financial institutions to consider the following steps to ensure compliance with regulatory requirements and FFIEC guidance: (i) establish and maintain an information security risk assessment program that “considers new and evolving threat intelligence related to online accounts and adjust customer authentication, layered security, and other controls in response to identified risks”; (ii) implement and maintain protection and detection systems, including antivirus protection and intrusion detection systems, and properly monitor system alerts; (iii) protect against unauthorized access to critical systems by, among other things, “limiting the number of credentials with elevated privileges across institutions” and establishing authentication rules; (iv) implement and regularly test controls around critical systems, and report test results to senior management, as well as the board of directors, if appropriate; (v) validate business continuity planning and ensure that the institution is able to “quickly recover and maintain payment processing operations”; (vi) strengthen information security awareness by conducting regular and mandatory training; and (vii) participate in industry information-sharing forums, such as the Financial Services Information Sharing and Analysis Center.

    In light of the FFIEC’s statement, the OCC simultaneously released Bulletin 2016-08, cautioning financial institutions that use interbank messaging and wholesale payment networks to take the aforementioned risk mitigation steps.

    FDIC CFPB Federal Reserve OCC NCUA FFIEC Privacy/Cyber Risk & Data Security

  • OCC Updates Civil Money Penalties Policies and Procedures

    Consumer Finance

    On February 26, the OCC published Bulletin 2016-5 to revise its Policies and Procedures Manual (PPM) to establish new guidance on the agency’s policies and procedures for assessing civil money penalties (CMP) against national banks, thrifts, service providers, and institution-affiliated parties. The newly issued PPM 5000-7 (REV), “Civil Money Penalties,” replaces the following documents: (i) the June 16, 1993 Banking Circular 273, “Civil Money Penalties”; (ii) the May 21, 1993 PPM 5000-27 (REV), “Civil Money Penalty Assessment for Delinquent or Inaccurate Call Reports,” as well as the similarly titled and dated Banking Circular 270; and (iii) the December 3, 2009 OTS Regulatory Bulletin 18-3b, “Enforcement Policy Statement on Civil Money Penalties.” In addition to detailing the agency’s procedural process for determining CMP amounts under 12 USC 1818(i) and for determining the level of action against an institution, the bulletin includes matrices that outline 14 different factors the OCC considers when assessing the severity of a violation against institutions and institution-affiliated parties.

    OCC

  • OCC and FinCEN Assess Civil Money Penalties against Florida-Based Wealth Management Firm for BSA Violations

    Consumer Finance

    On February 25, the OCC, in coordination with FinCEN, announced that it took action against a Florida-based wealth management firm and private bank for allegedly violating the Bank Secrecy Act (BSA). According to the OCC, the bank failed to maintain an effective BSA/AML compliance program, thus violating its 2010 agreement with the OCC to “revise its policies, procedures, and systems related to the BSA/AML laws and regulations (‘BSA/AML Compliance Program’), and, among other things, address weaknesses with the Bank’s BSA/AML Compliance programs, including a lack of internal controls necessary to ensure effective and timely customer identification, risk assessment, monitoring, validation, and suspicious activity reports (‘SARs’).” Without admitting or denying any wrongdoing, the bank agreed to pay a total of $4 million in civil penalties, with $2.5 million to be paid directly to the OCC and, pursuant to FinCEN’s separately announced civil money penalty, $1.5 to be paid to the U.S. Department of the Treasury.

    OCC Anti-Money Laundering FinCEN Bank Secrecy Act Bank Compliance

  • Vendor Management in 2015 and Beyond

    Consumer Finance

    With evolving regulatory expectations and increased enforcement exposure, financial institutions are under more scrutiny than ever. Nowhere is this more evident than in the management and oversight of service providers. When service providers are part of an institution’s business practice, understanding the expectations of regulators, investors, and counterparties for compliance with consumer financial laws is critical.

    CFPB Guidance

    In 2012, the CFPB issued Bulletin 2012-03, which outlines the CFPB’s expectations regarding supervised institutions’ use of third party service providers. Banks and nonbanks alike are expected to maintain effective processes for managing the risks presented by service providers, including taking the following steps:

    • Conducting thorough due diligence of the service provider to ensure that the service provider understands and is capable of complying with federal consumer financial law
    • Reviewing the service provider’s policies, procedures, internal controls, and training materials
    • Including clear expectations in written contracts
    • Establishing internal controls and on-going monitoring procedures
    • Taking immediate action to address compliance issues

    Implementing consistent risk-based procedures for monitoring third party service provider relationships is an extremely important aspect of meeting the CFPB’s expectations and mitigating risk to the institution.

    The Risk Management Lifecycle and Best Practices

    The CFPB is but one of many agencies that have circulated vendor management guidance. Other federal prudential regulators—most notably the Office of the Comptroller of the Currency—have developed regulatory guidance describing a “lifecycle” for oversight of third parties that supervised institutions are expected to follow. The risk management lifecycle of a service provider relationship consists of:

    • Planning/risk assessment
    • Due diligence and service provider selection
    • Contract negotiation and implementation
    • Ongoing relationship monitoring
    • Relationship termination/contingency plans

    Supplemented by enhanced risk management processes, including meaningful involvement by the Board of Directors and extensive monitoring of performance and condition, the new framework for oversight of third parties can present both cost and operational challenges for all institutions. Financial institutions would be prudent to implement the following best practices into their vendor management procedures, among others:

    • Staffing sufficiently to ensure that service providers are properly monitored
    • Incorporating Board and senior executive involvement throughout the process
    • Documenting their efforts at every stage of the lifecycle

    CFPB OCC Vendors Risk Management Valerie Hletko Jeffrey Naimon Chris Witeck Jon Langlois

  • OCC Updates Risk Assessment Guidance

    Consumer Finance

    On December 3, the OCC revised its Comptroller’s Handbook to include updated guidance regarding its risk assessment system (RAS). The RAS guidance clarifies the relationship between RAS and the Uniform Financial Institutions Rating System known as CAMELS. In addition, the guidance revises the definition of banking risk and applies a single definition – “the potential that events will have an adverse effect on a bank’s current or projected financial condition and resilience” – to all categories. Finally, the guidance expands the quality of risk management assessment to include a category of “insufficient,” between the already existing categories of “satisfactory” and “weak,” and also expands the assessment of strategic and reputation risk to consider both quantity of risk and quality of risk management.

    OCC Risk Management

  • FFIEC Issues Joint Statement Regarding Cyber Attacks Involving Extortion

    Privacy, Cyber Risk & Data Security

    On November 3, the FFIEC issued a statement notifying financial institutions of the increasing frequency and severity of cyber attacks involving extortion. The joint statement urges financial institutions to take steps to ensure effective risk management programs, including but not limited to the following: (i) conducting ongoing information security risk assessments; (ii) performing security monitoring, prevention, and risk mitigation; (iii) implementing and regularly testing controls around critical systems; and (iv) participating in industry information-sharing forums. The statement identifies resources financial institutions can refer to for assistance in mitigating cyber attacks involving extortion.

    The OCC also published a bulletin alerting all OCC-supervised institutions of the FFIEC’s joint statement.

    OCC FFIEC Risk Management Privacy/Cyber Risk & Data Security

  • SCRA Compliance, Cybersecurity, and Responsible Innovation Remain Top Priorities at OCC

    Consumer Finance

    On August 31, Grovetta Gardineer, the OCC’s Deputy Comptroller for Compliance Operations and Policy, delivered remarks at the Association of Military Bankers of America annual workshop in Leesburg, VA. Throughout her presentation, Gardineer highlighted issues affecting financial institutions focused primarily on lending to servicemembers. Gardineer discussed the OCC’s ongoing efforts to identify and correct deficiencies within bank and thrift compliance practices and noted improved Servicemembers Civil Relief Act (“SCRA”) compliance by regulated institutions. Specifically, Gardineer observed that in 2014, the OCC cited sixty-five SCRA violations among large, midsized, and community institutions. For the first quarter of 2015, however, Gardineer reported that OCC examiners cited only seven SCRA violations. Gardineer also referenced recent amendments to the Military Lending Act (“MLA”) which expanded consumer protections to both open-end and closed-end consumer credit for servicemembers; she emphasized that banks should be proactive in updating their internal policies and procedures to reflect the MLA’s changes. Reiterating the OCC’s commitment to cybersecurity, Gardineer advised that OCC examiners intend to use the cybersecurity assessment tool “to supplement exam work to gain a more complete understanding of an institution’s inherent risk, risk management practices, and controls related to cybersecurity.” Finally, Gardineer discussed innovation within the industry, such as the emergence of various mobile payments transfer systems and peer-to-peer lending. She stressed that the OCC intends to facilitate a responsible regulatory environment that will encourage innovative financial products and services while also implementing regulations to ensure adequate consumer protections.

    OCC SCRA Mobile Payment Systems Privacy/Cyber Risk & Data Security

  • Comptroller Talks Interest Rate, Compliance, and Cybersecurity Risks Facing Financial Institutions

    Privacy, Cyber Risk & Data Security

    On July 24, OCC Comptroller Curry delivered remarks before the New England Council in Boston, MA regarding the risks that financial institutions face today. Rising interest rates and regulatory compliance were two of the three risks discussed. Curry emphasized that the inevitable rise in interest rates could greatly affect loan quality, particularly loans that were not carefully underwritten to begin with, and that “[l]oans that are typically refinanced, such as leveraged loans,” would be particularly severely affected. Recognizing the impact that Dodd-Frank continues to have on banks, Curry said that financial institutions face two categories of risk from new regulations: (i) “banks run afoul of the new regulations, possibly damaging their reputations and subjecting themselves to regulatory penalties”; and (ii) banks devote their time and money to regulatory compliance, rather than putting those resources toward serving their customers and communities. The final and “perhaps the foremost risk facing banks today,” according to Curry, is cyber threats. Curry outlined the agency’s efforts to curtail cyber intrusion in the banking industry, highlighting the June 30 release of its Semiannual Risk Assessment and the creation of a Cybersecurity and Critical Infrastructure Working Group, which was designed to (i) increase cybersecurity awareness; (ii) promote best practices; and (iii) strengthen regulatory oversight of cybersecurity readiness.

    Curry noted, however, that information-sharing is just as important as self-assessment and supervisory oversight: “We strongly recommend … that financial institutions of all sizes participate in the Financial Services Information Sharing and Analysis Center, a non-profit information-sharing forum established by financial services industry participants to facilitate the sharing of physical and cyber threat and vulnerability information.” Collaboration among banks of all sizes and non-bank providers, Curry stated, can be a “game-changer” in more ways than one: “By promoting the discovery of common interests and common responses to the risks that you face in your businesses and we all face together, you provide an invaluable service to New England and to the United States.”

    Dodd-Frank OCC Bank Compliance Privacy/Cyber Risk & Data Security

  • OCC Comptroller Discusses Emerging Payment Systems Technology and Cybersecurity, FFIEC Set to Release Cybersecurity Assessment Tool

    Privacy, Cyber Risk & Data Security

    On June 3, in prepared remarks delivered at the BITS Emerging Payments Forum, OCC Comptroller Thomas Curry advised that as financial institutions continue to develop payment systems, banks need better preparation for potential cyber-risks. Curry warned that “[c]yber criminals will also probe emerging payment systems for vulnerabilities that they can exploit to engage in money laundering[.]” In addition, Curry advocated for more regulatory oversight of digital currencies and non-bank mobile payment providers, such as Apple Pay and Google Wallet. Addressing cybersecurity concerns, Curry called for increased information-sharing to promote best practices and strengthen cybersecurity readiness across the banking industry. In particular, he urged financial institutions of all sizes to participate in the Financial Services Information Sharing and Analysis Center, or FS-ISAC, a non-profit founded by the banking industry to facilitate the sharing and dissemination of cybersecurity threat information. Moreover, Curry confirmed that the FFIEC will soon be releasing a Cybersecurity Assessment Tool for financial institutions to use when evaluating their cybersecurity risks and risk management capabilities, observing that the tool will be particularly helpful to community banks as cybersecurity threats continue to increase.

    Payment Systems Nonbank Supervision OCC FFIEC Mobile Payment Systems Privacy/Cyber Risk & Data Security
