On November 16, FinCEN Director Jennifer Calvery and Treasury’s Acting Under Secretary Adam Szubin delivered remarks at the American Bankers Association and American Bar Association Money Laundering Enforcement Conference on continued AML enforcement efforts. Szubin focused on the topic of “de-risking,” which he described as “instances in which a financial institution seeks to avoid perceived regulatory risk by indiscriminately terminating, restricting, or denying services to broad classes of clients, without case-by-case analysis or consideration of mitigating options,” and addressed Treasury’s efforts to curtail the negative effects attributed to de-risking, such as preventing access to the dollar and pushing people out of the regulated financial system. Szubin emphasized, however, that the Treasury would not “dilute or roll back [its] AML/CFT standards,” but expects financial institutions to be vigilant when identifying potential risks and to implement AML/CFT programs that effectively address risks associated with illicit financing on a client-by-client basis. In a separate speech, Director Calvery addressed FinCEN’s reliance on Bank Secrecy Act (BSA) data to “uncover risks, vulnerabilities, and gaps in each financial sector,” noting that BSA data supports FinCEN’s ongoing AML enforcement efforts.
On November 16, the FDIC issued FIL-52-2015 to advise financial institutions that it revised its 2005 guidance on payday lending, which established the FDIC’s expectations for prudent risk-management practices in the payday loan industry. The letter emphasizes that the 2005 payday lending guidance, as issued in FIL-14-2005, does not apply to depository institutions offering certain products and services, such as deposit accounts and extensions of credit, to non-bank payday lenders. Specifically, the letter states, “[f]inancial institutions that can properly manage customer relationships and effectively mitigate risks are neither prohibited nor discouraged from providing services to any category of business customers or individual customers operating in compliance with applicable state and federal laws.”
On November 10, the FFIEC issued a revised Management booklet, which outlines the principles of overall sound governance and, more specifically, IT governance. The booklet is one of 11 that make up the FFIEC’s Information Technology Examination Handbook, and explains how risk management, including IT risk management, is a component of governance. The handbook emphasizes that the board of directors sets the tone and the direction of an institution’s IT program. Specifically, the board’s responsibilities include (i) reviewing and approving an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to protect the institution from ongoing and emerging threats, including those related to cybersecurity; (ii) overseeing an institution’s process for approving third-party vendors; (iii) approving policies to report significant security issues to the board, steering committee, government agencies, and law enforcement, as necessary; (iv) holding management accountable for identifying, measuring, and mitigating IT risks; and (v) providing independent, comprehensive, and effective audit coverage of IT controls. The revised handbook incorporates cybersecurity concepts as an integral part of maintaining effective IT policies and procedures, noting that, “[a]lthough an institution is not required to have a separate cybersecurity program, its information security program should identify, measure, mitigate, monitor, and report on the heightened risks associated with cybersecurity.”
On November 13, the OCC, the FDIC, and the Federal Reserve announced that the final outreach meeting to review regulations under the Economic Growth and Regulatory Paperwork Reduction Act will be held on December 2 at the FDIC’s headquarters in Arlington, VA. In addition to panel presentations by bankers, consumer groups and community groups, the following persons are scheduled to attend the meeting: FDIC Chairman Martin J. Gruenberg; OCC Comptroller Thomas J. Curry; Federal Reserve Governor Daniel K. Tarullo; DC Department of Insurance, Securities and Banking’s Acting Commissioner, Stephen C. Taylor; and the Virginia Bureau of Financial Institutions’ Commissioner, E. Joseph Face, Jr.
On November 10, CFPB Director Richard Cordray delivered remarks at the annual American Bankers Association convention. Cordray addressed efforts by the CFPB and financial institutions to collaborate in strengthening financial education, identifying the following areas of focus: (i) working with schools and teachers to provide young people with the knowledge and skills necessary to become financially successful adults; (ii) encouraging workplace financial education; and (iii) educating older Americans and those who care for them on how to avoid financial scams. Cordray called on community banks to implement financial education programs in school systems, urging bank leaders to “set the goal of making sure that financial education is required learning in all 50 states.” Cordray encouraged banks to lead by example in promoting financial education in the workplace, and to “make it a priority to educate their own employees and help them develop and use sound financial strategies, including savings for both emergencies and retirement.” Finally, Cordray applauded banks for launching the “Safe Banking for Seniors” campaign and urged them to do more to protect older consumers from financial exploitation, noting that bankers are often the first to spot red flags and should act quickly to report any suspected abuse.
Federal Reserve and New York DFS Take Action Against Canadian Bank for Deficiencies Relating to AML Compliance
On November 10, the Federal Reserve and the New York DFS announced an enforcement action against a Canadian bank for alleged deficiencies relating to its BSA/AML compliance program. In order to resolve the allegations, the bank agreed to prepare various written policies and procedures, including (i) a written plan that provides for a sustainable governance framework, including improving the management information systems reporting of compliance with BSA/AML requirements, OFAC regulations, and State Regulations; (ii) a revised written BSA/AML compliance program; (iii) a revised written program for conducting customer due diligence; (iv) a written program that ensures that any suspicious activity is timely reported; and (v) a written plan to improve compliance with OFAC regulations. All policies must be submitted for approval within 60 days of the agreement’s issuance date.
On November 9, the New York DFS sent a letter to federal regulators and other interested parties, including the CFPB, Federal Reserve Board, and the OCC, regarding potential new regulations aimed at increasing cybersecurity efforts within the financial sector. The letter references recent DFS reports that covered key findings from surveys given to regulated banking organizations on their cybersecurity programs, costs, and future plans. The reports raised the following concerns: (i) the speed of technological change and the increasingly sophisticated nature of threats; (ii) third-party service providers tend to have access to sensitive information and companies’ IT systems, providing potential hackers with a point of entry; and (iii) the “scale and breadth of the most recent breaches and incidents.” In light of these concerns, the DFS asserts that it would be beneficial to coordinate with state and federal regulators to “develop a comprehensive [cybersecurity] framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.” According to the letter, the DFS expects to propose regulations requiring entities to set specific requirements in areas such as: (i) cybersecurity policies and procedures; (ii) third-party service provider management; (iii) cybersecurity personnel and intelligence, including implementing mandatory cybersecurity training programs; and (iv) notice of cybersecurity breaches.
On November 6, FinCEN issued a final assessment of civil money penalty against a Las Vegas-based casino and its branch offices for violating the BSA by failing to develop and implement a sufficient AML program and report suspicious activity in connection with its private gaming areas. As FinCEN previously announced on September 8, the terms of the assessment require the casino to pay an $8 million civil monetary penalty, hire an independent auditor to test its BSA/AML compliance program, and conduct a look-back review of all transactions through branch offices in Asia and California for recordkeeping and reporting compliance. FinCEN’s final assessment follows approval on October 19 of the settlement from the Bankruptcy Court for the Northern District of Illinois, as the casino remains a debtor in its bankruptcy case.
On November 5, the CFPB published a report titled “Mobile Financial Services” to summarize the results of its June 2014 Request for Information on the opportunities and challenges associated with the use of mobile financial services (MFS) by traditionally underserved consumers. With 44% of unbanked individuals owning a smartphone, the report notes that MFS has the potential to be a promising tool for underbanked and unbanked consumers to manage their finances. According to the report, consumers using MFS save time and money because they can check their balances any time and have access to certain tools that help them manage their money. The report highlights mobile Remote Deposit Capture as particularly attractive to unbanked consumers because it allows them to take a picture of and deposit checks remotely, reducing the limitations of branch hours and locations. Additional key takeaways from the report include: (i) MFS would likely be most effective for underserved consumers if paired with consultative or assistance services; (ii) privacy and security concerns remain a significant risk; and (iii) digital access and digital financial literacy need improvement, such as enhancing affordable access to technology and educating consumers and intermediaries about safe and effective use of the technology.
On November 4, Federal Reserve Chair Janet Yellen testified before the House Committee on Financial Services. The topic of Chair Yellen’s testimony was “the lessons of the financial crisis and how we have transformed our regulatory and supervisory approach.” She explained that, prior to the crisis, the Fed’s “primary goal was to ensure the safety and soundness of individual financial institutions” and that, since the crisis, the Fed’s aim has been to regulate and supervise “in a manner that promotes the stability of the financial system as a whole.” Yellen went on to explain that the regulatory approaches adopted to address both large financial institutions and companies and community banks have been different. According to Yellen, with respect to the large financial institutions, the Fed’s approach is “oriented toward both the safety and soundness of the individual firms, and the stability of the financial system as a whole.” With respect to community banks, Chair Yellen noted that the Fed’s supervisory approach is risk based: “[i]n supervising these institutions, we follow a risk-focused approach that aims to target examination resources to higher-risk areas of each bank’s operations and to ensure that banks maintain risk-management capabilities appropriate to their size and complexity.”
On November 4, the Federal Reserve and the New York DFS announced a combined $258 million penalty against a global bank for “violations in connection with transactions on behalf of countries and entities subject to U.S. sanctions.” According to the Fed’s cease and desist order, the bank failed to implement adequate risk management and compliance policies and procedures to “ensure that activities conducted at offices outside the United States complied with applicable OFAC Regulations and were timely reported in response to inquiries by the Federal Reserve Bank of New York.” Specifically, the Fed alleged that, from November 2001 to January 2006, foreign offices of the bank processed funds transfers with parties subject to OFAC Regulations through the bank’s New York-based subsidiary and other unaffiliated U.S. financial institutions without having the information necessary to determine that the transactions were consistent with U.S. law. The Fed’s order requires the bank to develop a compliance program that establishes (i) policies and procedures to ensure compliance with applicable OFAC regulations; (ii) an OFAC compliance reporting system; and (iii) requirements for employee training in OFAC-related issues. Under the terms of the DFS consent order, the bank agreed to hire an independent monitor to conduct a comprehensive review of its BSA/AML and OFAC sanctions compliance program, policies, and procedures.
On November 3, the FFIEC issued a statement notifying financial institutions of the increasing frequency and severity of cyber attacks involving extortion. The joint statement urges financial institutions to take steps to ensure effective risk management programs, including but not limited to the following: (i) conducting ongoing information security risk assessments; (ii) performing security monitoring, prevention, and risk mitigation; (iii) implementing and regularly testing controls around critical systems; and (iv) participating in industry information-sharing forums. The statement identifies resources financial institutions can refer to for assistance in mitigating cyber attacks involving extortion.
The OCC also published a bulletin alerting all OCC-supervised institutions of the FFIEC’s joint statement.
Maryland Court of Special Appeals Holds MCSBA Applies to Loan Broker Working with Federally Insured Out-of-State Banks
On October 27, the Maryland Court of Special Appeals held that a loan broker who originates loans in Maryland for a federally insured out-of-state bank and then repurchases those loans days later qualifies as a “credit service business” under the Maryland Credit Services Business Act (MCSBA) and must be licensed accordingly. Md. Comm’r of Financial Reg. v. CashCall, No. 1477, 2015 WL 6472270 (Md. Ct. Spec. App. Oct. 27, 2015). The loan broker argued, citing Gomez v. Jackson Hewitt, Inc., 427 Md. 128 (2012), that it was not a “credit service business” within the meaning of the MCSBA because the MCSBA did not apply to the out-of-state federally insured bank that made the loans and because the loan broker did not receive a direct payment from the consumer. The Commissioner and the court disagreed. In affirming the Commissioner’s decision and in overturning the decision of the Circuit Court for Baltimore, the Court of Special Appeals reasoned that the MCSBA applied because (i) the loan broker was engaged in the very business the MCSBA was intended to apply to (i.e., it was exclusively engaged in assisting Maryland consumers to obtain small loans); and (ii) after repurchasing the loan, the loan broker had the right to receive direct payment from consumers. The Court of Special Appeals remanded the case to the Circuit Court for Baltimore.
On October 28, the New York DFS resolved an enforcement action with a New York State-chartered bank for alleged violations of state banking law. The DFS alleged that the bank hired a former New York Federal Reserve Bank examiner and permitted him to work on matters for an entity that the employee had examined while at the New York Fed, in violation of a notice of post-employment restrictions from the New York Fed. The DFS also alleged that the employee obtained confidential regulatory or supervisory information from a now former New York Fed employee and distributed the information to a Managing Director at the bank for the purpose of advising the entity. In addition to the bank’s alleged failure to screen the employee from working on matters related to the entity he had examined, the DFS’s order alleges that the bank failed to “provide training to personnel regarding what constituted confidential supervisory information and how it should be safeguarded.” Under the settlement terms, the bank will (i) pay a civil money penalty of $50 million to the DFS; (ii) reform its policies and procedures to ensure the proper handling of confidential supervisory information and the monitoring of assignments of former government employees; and (iii) not re-hire the bank employee and Managing Director, who had been terminated as a result of the matter.
On October 27, the OCC issued an updated Floor Plan Lending booklet of the Comptroller’s Handbook. The revised booklet (i) summarizes the basics of floor plan lending for examiners, including a description of indirect dealer lending and the regulatory and legal foundation for floor plan lending; (ii) provides banks with sound risk management practices and describes regulatory risk rating guidelines; and (iii) includes an expanded examination procedures section with examples of risk rating cases and factors for determining the quantity of credit risk and the quality of credit risk management. The updated booklet replaces a similarly titled booklet issued in March 1990, as well as section 216 of “Floor Plan and Indirect Lending” issued in January 1994 as part of the former Office of Thrift Supervision’s Examination Handbook.