InfoBytes Blog

Financial Services Law Insights and Observations

  • FinCEN Fines Community Bank Over BSA Violations

    Consumer Finance

    On February 27, FinCEN announced a $1.5 million civil money penalty against a Pennsylvania-based community bank for violating the BSA. Of that amount, $500,000 will go to the OCC, the bank’s primary regulator, for BSA violations. According to FinCEN, the bank admitted failing to file suspicious activity reports on transactions involving a former state judge who received over $2.6 million in personal payments in connection with a judicial scheme involving the construction, operation, and expansion of juvenile detention centers.

    OCC FinCEN Bank Secrecy Act SARs Enforcement

  • OCC Proposes Large Bank Assessment Increase

    Consumer Finance

    On April 28, the OCC published a proposed rule that would increase assessments on national banks and federal savings associations with total assets over $40 billion. The OCC proposes to increase the marginal assessment rate for such institutions by 14.5% beginning September 30, 2014; specific assessments would range from 0.32% to 14%, depending on the total assets of the institution as reflected on its June 30, 2014 call report. The average increase in assessments for covered institutions would be 12%. The OCC attributes the increased assessments to new supervisory and regulatory initiatives that require additional resources, with most of those resources allotted for large bank supervision and regulation. The OCC notes it did not raise marginal rates on the assets of these institutions between 1995 and 2013, and lowered marginal rates for these institutions in 2008 when it added a new asset bracket for assets in excess of $250 billion. Comments on the proposed rule are due June 12, 2014.

    OCC Bank Supervision

  • Banking Agencies Issue Revised CRA Exam Procedures

    Consumer Finance

    On April 18, the OCC, FDIC, and Federal Reserve Board released revised Community Reinvestment Act (CRA) examination procedures applicable to institutions with total assets greater than $1.202 billion as of December 31 of either of the previous two calendar years. The procedures incorporate revisions to the CRA interagency questions and answers issued in November 2013. Those revisions generally were intended to: (i) clarify how the agencies consider community development activities that benefit a broader statewide or regional area that includes an institution’s assessment area; (ii) provide guidance related to CRA consideration of, and documentation associated with, investments in nationwide funds; (iii) clarify the consideration of certain community development services, such as service on a community development organization’s board of directors; (iv) address the treatment of loans or investments to organizations that, in turn, invest those funds and use only a portion of the income from their investment to support a community development purpose; and (v) clarify that community development lending performance is always a factor considered in a large institution’s lending test rating.

    FDIC Examination Federal Reserve OCC CRA Bank Supervision

  • OCC Issues Asset-Based Lending Booklet

    Consumer Finance

    On March 27, the OCC issued the Asset-Based Lending (ABL) booklet, which is new to the Comptroller’s Handbook. The booklet provides guidance to examiners and bankers on ABL activities and risks, prudent credit risk management and underwriting expectations, credit administration, and credit risk rating. It also provides risk-based expanded examination procedures related to structures, credit analysis, evaluating borrower liquidity, establishing a borrowing base and prudent advance rates, collateral controls and monitoring systems, and credit risk rating considerations. The booklet further includes transaction examples to assist with the assessment of credit risk.

    OCC Asset-Based Lending

  • OCC, FDIC Enforcement Action Targets Vendors' Risk Management

    Consumer Finance

    On January 17, the OCC released a cease and desist order entered jointly by the OCC and the FDIC with two affiliated technology service providers that offer payment and other technology solutions for banks. Without describing the specific circumstances leading to the action, the order states that the regulators had reason to believe the service providers were operating without (i) an internal auditor or an integrated risk-focused audit program; (ii) a comprehensive due diligence program or formal policies to evaluate vendor risk; (iii) an enterprise-wide risk assessment; (iv) effective business continuity or disaster recovery planning; (v) procedures to identify software vulnerabilities; and (vi) an effective log review program to identify threats. The regulators did not assess a penalty, but will require the vendors to implement numerous risk management enhancements. Under the order, the technology service providers or their board must, among other things, (i) fill specific management positions; (ii) implement an audit program; (iii) conduct a security risk assessment; (iv) develop a vendor management program; (v) implement business continuity/disaster recovery plans; and (vi) submit quarterly progress reports to regulators and client banks.

    FDIC OCC Vendors Enforcement

  • OCC Announces Workshops For National Community Bank Directors

    Consumer Finance

    On January 15, the OCC announced its 2014 schedule of workshops for directors of national community banks and federal savings associations. The workshops, which are led by OCC examiners and are meant to provide practical training and guidance to directors, include (i) Mastering the Basics: A Director’s Challenge; (ii) Risk Assessment for Directors: Where is the Risk in Your Institution?; (iii) Compliance Risk: What Directors Need to Know; and (iv) Credit Risk: A Director’s Focus.

    OCC Directors & Officers

  • Federal Authorities Announce Major BSA/AML Action Related To Madoff Scheme

    Financial Crimes

    On January 7, the U.S. Attorney for the Southern District of New York, the OCC, and FinCEN announced the resolution of criminal and civil BSA/AML violations by a major financial institution in connection with the bank’s relationship with Bernard L. Madoff Investment Securities and Madoff Securities’ Ponzi scheme. The bank entered into a deferred prosecution agreement (DPA) to resolve two felony violations of the Bank Secrecy Act: (i) that the bank failed to enact adequate policies, procedures, and controls to ensure that information about the bank’s clients obtained through other lines of business – or outside the United States – was shared with compliance and AML personnel; and (ii) that the bank violated the BSA by failing to file a Suspicious Activity Report on Madoff Securities in October 2008. According to the U.S. Attorney, pursuant to the DPA the bank (i) agreed to waive indictment and to the filing of a Criminal Information; (ii) acknowledged responsibility for its conduct by, among other things, stipulating to the accuracy of a detailed Statement of Facts; (iii) agreed to pay a $1.7 billion non-tax deductible penalty in the form of a civil forfeiture (the largest ever financial penalty imposed by the DOJ for BSA violations); and (iv) agreed to various cooperation obligations and to continue reforming its BSA/AML compliance programs and procedures. In a separate action, the OCC levied a $350 million civil money penalty to resolve parallel BSA/AML allegations included in a January 2013 cease and desist order. Finally, the bank consented to a FinCEN assessment pursuant to which it must pay an additional $461 million.

    OCC Anti-Money Laundering FinCEN Bank Secrecy Act DOJ

  • OCC Releases Annual Assessment Schedule

    Consumer Finance

    On December 12, the OCC issued Bulletin 2013-37, which informs all national banks, federal savings associations, and federal branches and agencies of foreign banks of fees and assessments charged by the OCC for calendar year 2014. The Bulletin states that, given its increased supervisory responsibilities associated with the Dodd-Frank Act, the OCC has removed the $20 billion asset cap on inflation indexing for all asset brackets and raised the asset cap from $20 billion to $40 billion for application of the surcharge related to lower-rated institutions. Marginal rates of the OCC’s general assessment schedule continue to be indexed based on changes in the Gross Domestic Product Implicit Price Deflator for the previous June-to-June period. The 2014 adjustment will be 1.4 percent, and, given the removal of the asset cap, will apply to all assets. The Bulletin further explains that the assessment schedule continues to include a surcharge for institutions that require increased supervisory resources, and that the OCC will continue to provide a 12 percent reduction on the assessment for nonlead national banks, federal savings associations, or federal branches or agencies of a foreign bank. The new assessments are effective January 1, 2014 and are due March 31, 2014 and September 30, 2014, based on call report information as of December 31, 2013 and June 30, 2014, respectively.

    OCC

  • Banking Regulators Finalize Social Media Guidance

    Consumer Finance

    On December 11, the FFIEC, on behalf of the CFPB, the FDIC, the OCC, the Federal Reserve Board, the NCUA, and the State Liaison Committee, released final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions and nonbanks supervised by the CFPB. The guidance was finalized largely as proposed. However, in response to stakeholder comments, the regulators clarified certain provisions. For example, the final guidance clarifies that traditional emails and text messages, on their own, are not social media. The final guidance also explains that to the extent consistent with other applicable legal requirements, a financial institution may establish one or more specified channels that customers must use for submitting communications directly to the institution, and that a financial institution is not expected to monitor all Internet communications for complaints and inquiries, but should take into account the results of its own risk assessment in determining the appropriate approach regarding monitoring and responding to communications. The regulators also clarified that the guidance is not intended to provide a “one-size-fits-all” approach; rather financial institutions are expected to assess and manage the risks particular to the individual institution, taking into account factors such as the institution’s size, complexity, activities, and third party relationships. The final guidance also contains further discussion regarding the application of certain laws and regulations to social media activities, such as the Community Reinvestment Act. Finally, consistent with other recent regulatory initiatives, the final guidance clarifies that prior to engaging with a prospective third party an institution should evaluate and perform due diligence appropriate to the risks posed.

    FDIC CFPB Federal Reserve OCC NCUA FFIEC Social Media Agency Rule-Making & Guidance

  • Special Alert: Federal Reserve Board Guidance on Managing Outsourcing Risks Mirrors Recent OCC Guidance

    Consumer Finance

    On December 5, 2013, the Federal Reserve Board (FRB or the Fed) issued Supervision and Regulation Letter 13-19, which details and attaches the Fed’s Guidance on Managing Outsourcing Risk (FRB Guidance). The FRB Guidance sets forth risks arising out of the use of service providers and the regulatory expectations relating to risk management programs. It is substantially similar to OCC Bulletin 2013-29, which the Office of the Comptroller of the Currency (OCC) issued on October 30, 2013.

    The FRB Guidance supplements existing guidance relating to risks presented by Technology Service Providers (TSPs) to reach service providers that perform a wide range of business functions, including, among other things, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing.

    While a complete roadmap of the FRB Guidance would be largely duplicative of our recent Special Alert relating to the OCC Bulletin 2013-29, key supervisory and enforcement themes emerge from a comparison of the two guidance documents. Like the OCC, the Fed signals broadly that failure to effectively manage the use of third-party service providers could “expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation.” The Fed also emphasizes the responsibility of the Board of Directors and senior management to provide for the effective management of third-party relationships and activities. It enumerates virtually the same risk categories as the OCC, including compliance, concentration, reputational, operational, country, and legal risks, though its discussion of those risks is slightly less comprehensive.

    The FRB Guidance makes clear that service provider risk management programs should focus on outsourced activities that are most impactful to the institution’s financial condition, are critical to ongoing operations, involve sensitive customer information, new products or services, or pose material compliance risk. While the elements comprising the service provider risk management program will vary with the nature of the financial institution’s outsourced activities, the Fed’s view is that effective programs usually will include the following:

    • Risk assessments: Institutions should evaluate the implications of performing an activity in-house versus having the activity performed by a service provider and also consider whether outsourcing an activity is consistent with the strategic direction and overall business strategy of the organization. This section of the FRB Guidance closely aligns with the section titled “Planning” in OCC Bulletin 2013-29.
    • Due diligence and selection of service providers: Institutions should address the depth and formality of due diligence of prospective service providers consistent with the scope, complexity, and importance of the planned outsourcing arrangement. The Fed emphasizes processes designed to diligence a potential service provider’s (i) business background, reputation, and strategy; (ii) financial performance and condition; and (iii) operations and internal controls. This section is less detailed, but nonetheless consistent with the section titled “Due Diligence and Third-Party Selection” in OCC Bulletin 2013-29.
    • Contract provisions and considerations: Service provider contracts should cover certain topics, including, but not limited to: (i) the scope of services covered; (ii) cost and compensation; (iii) right to audit; (iv) performance standards; (v) confidentiality and security of information; (vi) indemnification; (vii) default and termination; (viii) limits on liability; (ix) customer complaints; (x) business resumption and contingency plan of the service provider; and (xi) use of subcontractors. The key provisions noted generally mirror the “Contract Negotiation” section of OCC Bulletin 2013-29.
    • Incentive compensation review: Institutions should establish an effective process to review and approve any incentive compensation arrangements that may be embedded in service provider contracts to avoid encouraging “imprudent” risk-taking. While OCC Bulletin 2013-29 does not break out incentive compensation as a separate program feature (it is included among factors to be considered in due diligence and selection), it does identify the need for banks to review whether fee structure and incentives would create burdensome upfront fees or result in inappropriate risk-taking by the third party or the bank.
    • Oversight and monitoring of service providers: Institutions should set forth the processes for measuring performance against contractually-required service levels and key the frequency of performance reviews to the risk profile of the service provider. This section of the FRB Guidance, consistent with the “Ongoing Monitoring” section of OCC Bulletin 2013-29, also recommends the creation of escalation protocols for underperforming service providers and monitoring of service provider financial condition and internal controls, which may also trigger escalation if the service provider’s financial viability or adequacy of its control environment are compromised during the course of the relationship.
    • Business continuity and contingency plans: Institutions should develop plans that focus on critical services and consider alternative arrangements in the event of an interruption. The Fed specifically notes that financial institutions should: (i) ensure that a disaster recovery and business continuity plan exists with regard to the contracted services and products; (ii) assess the adequacy and effectiveness of a service provider’s disaster recovery and business continuity plan and its alignment to their own plan; (iii) document the roles and responsibilities for maintaining and testing the service provider’s business continuity and contingency plans; (iv) test the service provider’s business continuity and contingency plans on a periodic basis to ensure adequacy and effectiveness; and (v) maintain an exit strategy, including a pool of comparable service providers. Notably, OCC Bulletin 2013-29 addresses business continuity and contingency plans under third-party risk management, rather than as separate program features.

    Finally, the FRB Guidance notes a number of “additional risk considerations” not singled out by OCC Bulletin 2013-29, which cover: (i) confidentiality of Suspicious Activity Report (SAR) reporting functions; (ii) compliance by foreign-based service providers with U.S. laws, regulations, and regulatory guidance; (iii) prohibitions against outsourcing internal audit functions in violation of Sarbanes-Oxley; and (iv) alignment of outsourced model risk management with existing Fed Guidance on Model Risk Management (SR 11-7).

    Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.

     

    Federal Reserve OCC Bank Compliance Vendors Bank Supervision
