InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Agencies seek comment on renewing FFIEC’s cybersecurity assessment tool
On August 8, the OCC, the Federal Reserve Board, the FDIC, and the NCUA (collectively, “Agencies”) issued a notice in the Federal Register soliciting comments on the renewal of the Federal Financial Institutions Examination Council’s cybersecurity assessment tool. According to the notice, the Agencies are seeking comment on, among other things: (i) “[w]hether the collection of information is necessary for the proper performance of the functions of the agencies, including whether the information has practical utility”; (ii) “[t]he accuracy of the Agencies’ estimates of the burden of the collection of information; (iii) how to “enhance the quality, utility, and clarity of the information to be collected”; and (vi) “minimize[ing] the burden of the collection on respondents.” Comments are due 30 days after publication in the Federal Register.
OCC reports on cybersecurity and financial system resilience
Recently, the OCC released its annual report on cybersecurity and financial system resilience, which describes its cybersecurity policies and procedures, including those adopted in accordance with the Federal Information Security Modernization Act. According to the report, cybersecurity and operational resilience are “top issues for the federal banking system.” The OCC also noted that it has implemented regulations and standards requiring banks to implement information security programs and protect confidential information. For example, the Interagency Guidelines Establishing Standards for Safety and Soundness Standards “require insured banks to have internal controls and information systems appropriate for the size of the institution and for the nature, scope, and risk of its activities and that provide for, among other requirements, effective risk assessment and adequate procedures to safeguard and manage assets.” OCC regulations also, among other things, require banks to file Suspicious Activity Reports when a known or suspected violation of federal law or a suspicious transaction related to illegal activity, or a violation of the Bank Secrecy Act is detected. In regard to examination manuals, the OCC also noted that it uses a risk-based supervision process to evaluate banks’ risk management, identify material and emerging concerns, and require banks to take corrective action when warranted. The report also discussed current and emerging cybersecurity and resilience threats to the banking sector, which include ransomware, account takeover, supply chain risks, and geopolitical threats. Additionally, the OCC noted that it “monitor[s] longer-term technology developments, which may affect cybersecurity and resilience in the future.” The use of artificial intelligence, including machine learning, is one such development that may impact cybersecurity, according to the OCC.
OCC seeks comments on BSA/AML risk assessment
On June 8, the OCC issued a notice in the Federal Register seeking comments concerning its information collection titled, ‘‘Bank Secrecy Act/Money Laundering Risk Assessment,’’ also known as the Money Laundering Risk (MLR) System. According to the notice, the MLR System “enhances the ability of examiners and bank management to identify and evaluate Bank Secrecy Act/Money Laundering and Office of Foreign Asset Control (OFAC) sanctions risks associated with banks’ products, services, customers, and locations.” The notice stated that the agency will collect MLR information for OCC supervised community and trust banks, and explained that the annual Risk Summary Form (RSF), which collects data about different products, services, customers, and geographies (PSCs), will include three significant changes in 2022. The changes in the 2022 RSF are: (i) the addition of six new PSCs; (ii) the addition of three new customer types under the money transmitters category; and (iii) the deletion of four existing PSCs. Comments close on August 8.
Acting FDIC Chairman Gruenberg outlines CRA NPRM
On June 13, acting FDIC Chairman Martin J. Gruenberg provided remarks before the National Community Reinvestment Coalition (NCRC) regarding the Community Reinvestment Act (CRA). In his remarks, Gruenberg discussed “ten important provisions” in the rule proposed by the Federal Reserve Board, FDIC, and OCC in May. As previously covered by InfoBtytes, the notice of proposed rulemaking (NPRM) updates how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. Calling the CRA “the foundation of responsible finance for low- and moderate-income communities in the United States,” Gruenberg noted that the “NPRM would significantly expand the scope and rigor of CRA and assure its continued relevance for the next generation.” To expand the scope of the CRA, he explained that the NPRM would “establish new retail lending assessment areas to allow for CRA evaluation in communities where a bank may be engaging in significant lending activity but where the bank does not have a branch.” He also noted that the NPRM would “raise the bar for CRA performance on the retail lending test in order for a bank to earn an outstanding or high satisfactory rating.” With respect to greater clarity for CRA evaluations, Gruenberg said that the NPRM would “clearly define community development activities by establishing eleven proposed categories of community development.” Regarding minority depository institutions, Gruenberg said that the NPRM “creates a specific community development definition for eligible activities, such as investments, loan participations, and other ventures conducted by all banks with these institutions.” Additionally, he noted that the NPRM would address credit or banking deserts, including rural areas, native lands, and areas of persistent poverty, and would encourage the retention or establishment of branches in low-to-moderate-income communities and low-cost transaction accounts.
Agencies overhaul CRA requirements
On May 5, the Federal Reserve Board, FDIC, and OCC (collectively, “agencies”) issued a joint notice of proposed rulemaking (NPRM) on new regulations implementing the Community Reinvestment Act (CRA) to update how CRA activities qualify for consideration, where CRA activities are considered, and how CRA activities are evaluated. According to the NPRM, the “CRA encourages banks to help meet the credit needs of the local communities in which they are chartered, consistent with a bank’s safe and sound operations, by requiring the Federal banking regulatory agencies to examine banks’ records of meeting the credit needs of their entire community, including low- and moderate-income neighborhoods.” The agencies are, among other things, proposing to:
- Expand access to credit, investment, and banking services in low- and moderate-income (LMI) communities to promote community engagement and financial inclusion. The proposal would also evaluate bank lending to small businesses and farms with gross annual revenues of $250,000 or less to maintain focus on the borrowers with the greatest need;
- Adapt changes to update CRA assessment areas to include activities associated with online and mobile banking, branchless banking, and hybrid models;
- Use a retail lending volume screen and metric-based performance ranges to evaluate a bank’s retail lending volumes. CRA evaluations of retail lending and community development financing will include public benchmarks for greater clarity and consistency. The proposal would also clarify eligible CRA activities, such as affordable housing, that are focused on LMI, underserved, and rural communities;
- Tailor CRA evaluations and data collection to recognize differences in bank size and business models. Smaller banks would continue to be evaluated under the existing CRA framework with the option of being evaluated under aspects of the proposed framework; and
- Maintain a unified approach across agencies and incorporate stakeholder feedback.
The agencies also released a Fact Sheet describing key elements of the proposal. Acting Comptroller of the Currency, Michael J. Hsu, called the issuance of the joint NPRM an “important milestone” in bringing the three federal banking agencies back together to develop a uniform approach for addressing inequalities in credit access and other financial services. Fed Governor Lael Brainard pointed out that “[t]he last major revisions to the CRA regulations were made in 1995.” “The CRA is one of our most important tools to improve financial inclusion in communities across America, so it is critical to get reform right,” she stressed. CFPB Director Rohit Chopra, who voted in favor of the NPRM as an FDIC board member, said the proposal “better effectuates Congressional directives intended to ensure that the needs of historically underserved individuals and communities are adequately met,” but reminded policymakers that it is also important “to consider whether nonbank mortgage lenders should also be required to better meet the needs of the communities they serve.” Treasury Secretary Janet Yellen similarly applauded the release of the NPRM. Comments on the NPRM are due August 5.
A Buckley Special Alert is forthcoming.
OCC updates Large Bank Supervision booklet
On March 8, the OCC updated the Large Bank Supervision booklet of the Comptroller’s Handbook, which is used by OCC examiners during the examination and supervision of midsize and large national banks and federal savings associations, foreign-owned U.S. branches and agencies, and international operations of midsize and large banks. The updated booklet rescinds the 2019 version and includes a revised core assessment, “which will be effective for core assessment summaries using financial information as of March 31, 2022.” Among other things, the revised booklet (i) clarifies expectations related to the preparation and documentation of a bank’s core assessment summary; (ii) combines core assessment and risk assessment system information into the “Core Assessment” section; (iii) updates core assessment factors and subfactors; (iv) clarifies the difference between an annual core assessment summary and quarterly supervision updates; (v) updates supervisory activity types to include “focused review,” consistent with OCC current practices; and (vi) includes additional consistency and clarity updates.
OCC’s Hsu discusses climate financial risk management, diversity and inclusion
On March 7, acting Comptroller of the Currency Michael J. Hsu spoke before the Institute of International Bankers Annual Washington Conference to discuss climate-related financial risk and diversity and inclusion in the banking industry. In his remarks, Hsu described the agency as “laser-focused on the safety and soundness aspects of climate change risks.” Specifically, he noted that the OCC is concentrating on “large banks’ climate risk management capabilities: identifying, measuring, monitoring and mitigating climate-related exposures and risks.” He stated that “[w]eaknesses in risk management could adversely affect a bank’s safety and soundness, as well as the overall financial system.” Hsu also stressed the importance of cyber defense, saying “[h]eightened vigilance is clearly warranted.”
Hsu further discussed draft principles, which were released in December 2021, and are intended to support the identification and management of climate-related financial risks at OCC-regulated institutions with over $100 billion in total consolidated assets. (Covered by InfoBytes here). He noted that the principles will be finalized later this year when more detailed guidance will be developed in collaboration with the Federal Reserve Board and FDIC. After “an appropriate transition period,” Hsu noted that an assessment of large banks’ climate risk management capabilities would begin. He also noted that for midsize and community banks, it will be a number of years before OCC examiners conduct climate risk management examinations and suggested to bankers to use time “wisely.”
At the end of his remarks, Hsu compared “diversity and inclusion” to “safety and soundness,” in that it should be treated as a single idea, and without it, “diversity over time becomes a box to be checked, not a state to strive for or a value to be upheld.”
OCC issues CRA FAQs
On February 22, the OCC issued Bulletin 2022-4 announcing responses to frequently asked questions (FAQs) regarding the December 2021 final rule rescinding the OCC’s Community Reinvestment Act (CRA) rule issued in June 2020. (The December 2021 final rule was covered by InfoBytes here.) According to the OCC, highlights of the FAQs include providing general information regarding the final rule, and addressing inquires related to, among other things: (i) the impact of the final rule on CRA bank type; (ii) qualifying activities and the qualifying activity confirmation request system; (iii) the transition period; (vi) examination administration; and (v) assessment areas.
OCC announces SASS deputy comptroller
On January 25, the OCC announced that Mark Pocock will serve as the Deputy Comptroller for Supervisory Systems & Analytical Support (SSAS) staring in February. Previously, Mr. Pocock was a Lead Expert in Systemic Risk Identification Support & Specialty Supervision, where he was an advisor to the Deputy Comptroller for special projects. According to the OCC, as Deputy Comptroller for SSAS, “Mr. Pocock will oversee a team that identifies, monitors, develops, and presents reports on existing and emerging risks and serves as a centralized risk analysis unit,” in addition to “oversee[ing] supervision data and information systems, business intelligence and reporting, and analysis teams who perform assessments of supervision and systemic risk.”
OCC formally rescinds CRA rule
On December 14, the OCC issued a final rule rescinding its 2020 Community Reinvestment Act Rule (2020 Rule) and replacing it with a rule based largely on the prior rules adopted jointly by the federal banking agencies in 1995, as amended (1995 Rules). (See also OCC Bulletin 2021-16.) According to the OCC, the “action is intended to facilitate the ongoing interagency work to modernize the CRA regulatory framework and promote consistency for all insured depository institutions.” As previously covered by a Buckley Special Alert, the 2020 Rule was intended to modernize the regulatory framework implementing the CRA and provided for at least a 27-month transition period for compliance based on a bank’s size and business model, among other things.
In September, the OCC solicited comments on a proposal to rescind the 2020 Rule (NPRM) and issued a series of frequently asked questions discussing the rulemaking process and providing a general timeline on the transition from the 2020 Rule (covered by InfoBytes here and here). The FAQs addressed questions including concerns related to the transition period for tracking activities that qualify under the 2020 Rule but would not qualify should the 1995 Rules be reinstated. The OCC announced that after reviewing transition issue comments received on the NPRM, the final rule had been adopted largely without modification. The final rule carries a compliance date of January 1, 2022, for all national banks and federal and state savings associations, with the exception of the final rule’s public file and public notice provisions, which have a delayed compliance date of April 1, 2022. According to the OCC, transitioning back to the 1995 Rules should carry a limited burden as the June 2020 Rule had only been partially implemented.
The OCC further noted that “strategic plans approved under the June 2020 Rule may remain in effect” but that “these plans must comply with the provisions of the final rule, as applicable.” Also, since the final rule stipulates that a bank’s record of helping to meet the credit needs of its assessment area(s) will be taken into consideration, “provisions in strategic plans that include goals for activities outside a bank’s assessment area(s) will no longer be applicable, and the OCC will no longer evaluate these activities when assessing the bank’s performance.” Additionally, the OCC stated that the new rule is intended to limit the CRA burden on banks, bank communities, and examiners while ensuring that insured depository institutions can “meet the credit needs of their entire communities, including low- and moderate-income [] neighborhoods,” consistent with safe and sound operations.