On April 11, the Treasury Department submitted to the OMB’s Office of Information and Regulatory Affairs (OIRA) FinCEN’s long-awaited proposed rule to establish customer due diligence requirements for financial institutions. Under executive order, each agency is required to submit for regulatory review rules resulting from “significant regulatory actions,” and OIRA has 90 days to complete or waive the review. The public portion of the FinCEN rulemaking has been ongoing since February 2012 when FinCEN released an advance notice of proposed rulemaking to solicit comment on potential requirements for financial institutions to (i) conduct initial due diligence and verify customer identities at the time of account opening; (ii) understand the purpose and intended nature of the account; (iii) identify and verify all customers’ beneficial owners; and (iv) monitor the customer relationship and conduct additional due diligence as needed. FinCEN subsequently held a series of roundtable meetings, summaries of which it later published.
On April 16, Comptroller of the Currency Thomas Curry spoke at the Consumer Electronics Show Government Conference, taking his concerns about banks’ vendor relationships and cybersecurity risks directly to an audience of current and prospective third-party technology service providers. Comptroller Curry explained the banking system’s vulnerability to cyberattacks given its significant reliance on technology and telecommunications, and expressed particular concern about potential attacks on community banks. He reiterated several of the specific risk issues he recently discussed with community bankers. Comptroller Curry (i) outlined risks related to the consolidation of bank vendors; (ii) identified as a “special problem” banks’ reliance on foreign vendors, and cautioned banks to consider the legal and regulatory implications of where their data is stored or transmitted; and (iii) expressed concern about vendors’ access to important and confidential bank and customer data. He assured attendees that the OCC is not trying to discourage the use of third-party vendors, but in explaining the OCC’s particular focus on the controls and risk management practices of vendors that provide services to banks and thrifts, Comptroller Curry reminded vendors of the OCC’s authority under the Bank Service Company Act to issue enforcement actions and its authority to examine vendors designated as Technology Service Providers. He reported that banks have asked the OCC to more actively supervise critical service providers and stated that in working to protect the banking system the OCC will have to “look beyond individual financial institutions to the range of vendors and customers that have access to some part of its infrastructure and systems.”
Eleventh Circuit Holds Custodian Bank Has No Duty To Police Securities Transactions By Customer’s Investment Advisor
On April 14, the U.S. Court of Appeals for the Eleventh Circuit held that a custodian bank had no duty under New York or Florida law to identify or alert a customer to fraudulent transactions directed by the customer’s investment advisor. Lamm v. State Street Bank & Trust, No. 12-15061, 2014 WL 1410172 (11th Cir. Apr. 14, 2014). A bank customer sued his bank for breach of contract, breach of fiduciary duty, negligence, and several other common law claims, alleging the bank had a duty to notify him that the securities held by the bank were worthless. The court determined that, although the bank held the assets and could execute certain administrative transactions without prior authorization, transactions beyond these administrative roles were carried out at the direction of the customer’s investment advisor. Accordingly, the bank had no responsibility for supervising investments and assumed no liability for losses except those it caused through negligence or willful misconduct. The court held that the customer’s breach of contract and negligence claims failed because (i) the custody agreement gave the bank no decision-making role in investments; (ii) the bank had contractual authority to rely on the investment advisor’s instructions; and (iii) the customer failed to demonstrate that the bank had a duty to ensure the investment instruments were valid or to verify their market value.
The court further held with regard to the customer’s other claims that (i) the fact that certain securities had facial defects does not raise a plausible inference that the bank knew of the investment advisor’s wrongdoing, and cannot support a claim for aiding and abetting fraud; (ii) the custody terms established an arm’s length agreement with limited obligations and did not establish special circumstances on which a fiduciary duty claim can be made; and (iii) the customer’s negligent misrepresentation claim failed because the customer did not establish that the bank intended to induce him to rely on its alleged representations as to the validity of his securities.
On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed” (CVE-2014-0160), a recently discovered and serious security vulnerability in the widely used OpenSSL cryptographic library, which has been present in OpenSSL’s code since December 31, 2011. The alert states that the vulnerability could allow an attacker to read a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Because OpenSSL is so widely deployed, the vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPNs), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third-party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally, the FFIEC states that institutions should operate on the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information, and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.
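As an added example, not part of the FFIEC alert or of this summary, the following Python triages an OpenSSL inventory along the lines the alert recommends: it flags builds in the published Heartbleed-affected range (OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix), and for hosts that have already been upgraded it flags server certificates whose key material predates the patch, which under the FFIEC’s assumption must be reissued along with resetting credentials. The inventory schema, hostnames, versions and dates are constructed for illustration. One caveat for practitioners: some Linux distributions backported the fix without changing the version string that `openssl version` reports, so for distribution packages the package changelog, not the version string, is authoritative.

```python
"""Heartbleed inventory triage (added example; not from the FFIEC alert).

Affected range per the published CVE-2014-0160 advisory: OpenSSL 1.0.1
through 1.0.1f, and 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 carry the fix.
Hostnames, versions and dates below are constructed for illustration.
"""
import re
from datetime import date

# Leading "major.minor.fix" plus optional patch letter(s) and optional -betaN.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Parse the version token from `openssl version` output.

    "OpenSSL 1.0.1e-fips 11 Feb 2013" -> (1, 0, 1, "e", None)
    "OpenSSL 1.0.2-beta1 24 Feb 2014" -> (1, 0, 2, "", 1)
    Returns None if no version token is found.
    """
    token = text.strip()
    if token.lower().startswith("openssl "):
        token = token[len("openssl "):]
    m = _VERSION_RE.match(token)
    if m is None:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, int(beta) if beta else None)


def is_heartbleed_vulnerable(text):
    """True if the build is in the affected range, False otherwise.

    Unparseable input is treated as not-known-vulnerable here; triage_host
    reports those separately so they are not silently marked clean.
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        return False
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f; 1.0.1g and later are fixed.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1          # 1.0.2-beta1 only; beta2 carries the fix
    return False                  # 0.9.8 and 1.0.0 never had the heartbeat code


def triage_host(record):
    """Map one inventory record to a remediation step.

    Constructed record schema: "host"; "version" (current `openssl version`
    output); "version_before_patch" (from the previous inventory snapshot, or
    None); "patched_at" (date or None); "cert_not_before" (date the server
    certificate was issued, or None).

    Returns "PATCH", "ROTATE", "OK" or "UNKNOWN".
    """
    if parse_openssl_version(record["version"]) is None:
        return "UNKNOWN"                       # investigate by hand
    if is_heartbleed_vulnerable(record["version"]):
        return "PATCH"                         # upgrade first; rotation follows
    before = record.get("version_before_patch")
    if before and is_heartbleed_vulnerable(before):
        # Server was exposed: keys, certificate and passwords are assumed
        # compromised unless the certificate was issued after the patch.
        patched_at = record.get("patched_at")
        not_before = record.get("cert_not_before")
        if patched_at is None or not_before is None or not_before < patched_at:
            return "ROTATE"
    return "OK"


def triage_inventory(records):
    """Return {host: action} for a whole inventory."""
    return {r["host"]: triage_host(r) for r in records}


# Constructed sample inventory, as if gathered from hosts and a vendor report.
SAMPLE_INVENTORY = [
    {"host": "web1.example.test", "version": "OpenSSL 1.0.1e-fips 11 Feb 2013",
     "version_before_patch": None, "patched_at": None,
     "cert_not_before": date(2013, 6, 1)},
    {"host": "web2.example.test", "version": "OpenSSL 1.0.1g 7 Apr 2014",
     "version_before_patch": "OpenSSL 1.0.1e-fips 11 Feb 2013",
     "patched_at": date(2014, 4, 9), "cert_not_before": date(2013, 6, 1)},
    {"host": "web3.example.test", "version": "OpenSSL 1.0.1g 7 Apr 2014",
     "version_before_patch": "OpenSSL 1.0.1e-fips 11 Feb 2013",
     "patched_at": date(2014, 4, 9), "cert_not_before": date(2014, 4, 10)},
    {"host": "vpn1.example.test", "version": "OpenSSL 1.0.0l 6 Jan 2014",
     "version_before_patch": None, "patched_at": None,
     "cert_not_before": date(2012, 1, 1)},
    {"host": "legacy.example.test", "version": "unknown (vendor has not responded)",
     "version_before_patch": None, "patched_at": None, "cert_not_before": None},
]

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:22} {action}")
```

Run as a script it lists one action per host: web1 still needs the patch, web2 is patched but serving a certificate issued before the upgrade and so needs new keys, a reissued certificate and password resets, web3 is clean, the 1.0.0 VPN host was never affected, and the vendor-managed host with no version data is reported as unknown rather than as clean, which is the status the alert’s vendor-monitoring steps are meant to drive to closure.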
On April 8 the House Financial Services Committee held a hearing with the general counsels of the federal banking agencies regarding, among other things, Operation Choke Point, the federal enforcement operation reportedly intended to cut off from the banking system certain lenders and merchants allegedly engaged in unlawful activities. Numerous committee members from both sides of the aisle raised concerns about Operation Choke Point, as well as the federal government’s broader pressure on banks over their relationships with nonbank financial service providers, including money service businesses, nonbank lenders, and check cashers. Committee members asserted that the operation is impacting lawful nonbank financial service providers, who are losing access to the banking system and, in turn, are unable to offer needed services to the members’ constituents. The FDIC’s Richard Osterman repeatedly stated that Operation Choke Point is a DOJ operation and the FDIC’s participation is limited to providing certain information and resources upon request. Mr. Osterman also asserted that the FDIC is not attempting to, and does not intend to, prohibit banks from offering products or services to nonbank financial service providers operating within the law, and that the FDIC’s guidance is clear that banks are neither prohibited from nor encouraged to provide services to certain businesses, provided they properly manage their risk. Similarly, the OCC’s Amy Friend stated that the OCC wants to ensure that banks conduct due diligence and implement appropriate controls, but that the OCC is not prohibiting banks from offering services to lawful businesses. She stated the OCC has found that some banks have made a business decision to terminate relationships with some nonbank providers rather than implement additional controls.
On April 7, the Federal Reserve Board issued a statement that it intends to exercise its authority to give banking entities two additional one-year extensions to conform their ownership interests in, and sponsorship of, certain collateralized loan obligations (CLOs) covered by federal regulations implementing Section 619 of the Dodd-Frank Act, the so-called Volcker Rule. Section 619 generally prohibits insured depository institutions and their affiliates from engaging in proprietary trading and from acquiring or retaining ownership interests in, sponsoring, or having certain relationships with a hedge fund or private equity fund. The Board previously adopted rules for the conformance period for covered funds—including CLOs—and at that time extended the conformance period for all activities and investments by one year, to July 21, 2015. But to ensure effective compliance, the Board plans to grant banking entities two additional one-year extensions, until July 21, 2017. These extensions only apply to CLOs that were in place as of December 31, 2013 and do not qualify for the exclusion in the final rule for loan securitizations. The Board’s decision was challenged during a House Financial Services Committee hearing the following day, in which several lawmakers argued that Congress never intended for the Volcker Rule to cover securitizations, including CLOs. The lawmakers urged the Federal Reserve to address the issue by amending the rule to exclude or grandfather in CLOs, rather than by extending the conformance period.
On April 8, the Federal Reserve Board, the FDIC, and the OCC adopted a final rule, effective January 1, 2018, requiring certain top-tier U.S. bank holding companies (BHCs) to maintain a minimum supplementary leverage ratio buffer of 2% above the minimum supplementary leverage ratio requirement of 3%. The final rule applies to BHCs with more than $700 billion in total consolidated assets or more than $10 trillion in assets under custody (Covered BHCs), and to insured depository institution subsidiaries of those BHCs (Covered Subsidiaries). A Covered BHC that fails to maintain the supplementary leverage ratio buffer would be subject to restrictions on capital distributions and discretionary bonus payments. Covered Subsidiaries must also maintain a supplementary leverage ratio of at least 6% to be considered “well capitalized” under the agencies’ prompt corrective action framework. The final rule is substantially similar to the rule the agencies proposed in July 2013. Concurrent with the final rule, the agencies also (i) proposed a rule that would modify the denominator calculation for the supplementary leverage ratio in a manner consistent with recent changes agreed to by the Basel Committee, which would apply to all internationally active banking organizations, including those subject to the enhanced supplementary leverage ratio final rule; and (ii) proposed a technical correction to the definition of “eligible guarantee” in the agencies’ risk-based capital rules. The agencies are accepting comments on both proposals through June 13, 2014. Separately, the FDIC Board adopted as final its Basel III interim final rule, which is substantively identical to the final rules adopted by the Federal Reserve Board and the OCC in July 2013.
On April 7, the FDIC reissued, as attachments to FIL-13-2014, three technology outsourcing resources. The documents, which the FDIC describes as containing “practical ideas for banks to consider when they engage in technology outsourcing,” are titled: (i) Effective Practices for Selecting a Service Provider; (ii) Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements; and (iii) Techniques for Managing Multiple Service Providers. The FDIC advises that the resources are informational only and do not substitute for official examination guidance. On April 10, the FDIC urged financial institutions to use existing resources to identify and help mitigate potential cyber-related risks. The FDIC advised institutions to ensure that their information security staff are aware of and subscribe to reliable and recognized resources that can help quickly identify emerging cyber risks, including the following governmental resources: (i) the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT); (ii) the U.S. Secret Service Electronic Crimes Task Force (ECTF); (iii) FBI InfraGard; (iv) financial services sector regional coalitions; and (v) Information Sharing and Analysis Centers (ISACs).
On March 27, the U.S. Court of Appeals for the Ninth Circuit reversed a district court’s remand for lack of diversity, holding that a national bank is a citizen only of the state where it is headquartered. Rouse v. Wachovia Mortg., FSB, No. 12-55278, 2014 WL 1243869 (9th Cir. Mar. 27, 2014). In this case, a federal district court in California remanded to state court a suit brought by two California mortgage borrowers alleging state law violations against a national bank, holding that a national bank is a citizen of both the state where its principal place of business is located and the state where the bank is headquartered—in this case California and South Dakota, respectively—and that because the borrowers are California citizens, the district court lacked jurisdiction. The Ninth Circuit disagreed, finding that the statutory scheme governing nationally chartered banks, which the court described as sparse and ambiguous, deems national banks citizens of the state where their main offices are located. Unlike the district court, the Ninth Circuit found no congressional intention to provide for jurisdictional parity between nationally chartered and state-chartered banks. The Ninth Circuit thus reversed the district court, finding complete diversity between the plaintiffs, citizens of California, and the defendant national bank, a citizen of South Dakota.
On March 31, the CFPB published its Consumer Response Annual Report, providing a review of the CFPB’s complaint process and a description of complaints received from January 1 through December 31, 2013. According to the report, the Bureau received approximately 163,700 complaints in 2013. Mortgage complaints outpaced all others (37%), followed by complaints regarding debt collection (19%), bank accounts (12%), and credit cards (10%). Complaints related to consumer loans, student loans, payday loans, money transfers, and “other” each comprised 3% or less of the total. The report also breaks down the types of complaints within each category and summarizes companies’ responses. The majority of closed complaints in all categories were resolved with an explanation by the company, i.e., without monetary or other relief, and companies responded to complaints in a timely fashion at least 99% of the time. The report also stated that the CFPB “continues to evaluate, among other things, the release of consumer narratives, the potential for normalization of the data to make comparisons easier, and the expansion of functionality to improve user experience.”
On April 1, Comptroller Thomas Curry delivered remarks in which he urged banks to offer alternatives to “high cost payday loans.” The Comptroller defended his agency’s guidance on deposit advance products and stated that “properly managed small-dollar loan programs do not exhibit the same level of risks [the OCC] identified with deposit advance products, and that such loans can be made available to consumers.” He added that many of the risks identified in the deposit advance guidance, including the product’s short-term balloon payment feature, were specific to that product. He encouraged banks to offer “responsible” small-dollar loan programs comprised of products with reasonable terms, and to report payment information for such products to credit bureaus. In addition to helping consumers, the Comptroller believes such programs (i) can be offered at an incremental cost to banks; (ii) can help build banks’ reputations and expand existing customer relationships; and (iii) can potentially be eligible for positive CRA consideration. The remarks did not provide specific guidance on the pricing and other small-dollar loan terms that the OCC would consider appropriate.
On April 2, the FFIEC advised financial institutions that distributed denial-of-service (DDoS) attacks on a financial institution’s public websites present operational and reputation risks. If coupled with attempted fraud, a financial institution may also experience fraud losses and face liquidity and capital risks. The FFIEC members expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans and to, among other things, (i) maintain an ongoing program to assess information security risk; (ii) monitor Internet traffic to the institution’s website to detect attacks; (iii) activate incident response plans and notify service providers, including Internet service providers, as appropriate, if the institution suspects that a DDoS attack is occurring; (iv) ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow; and (v) evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
In a second statement, the FFIEC advised financial institutions of a type of large dollar value ATM cash-out fraud by which cyber attackers gain access to, and alter the settings on, ATM web-based control panels used by small- to medium-sized financial institutions. The FFIEC states that institutions that issue debit, prepaid, or ATM cards may face operational risks, fraud losses, liquidity and capital risks, and reputation risks, and that institutions that outsource their card issuing function to a card processor may initially be liable for losses even if the compromise occurs at the processor. To mitigate these risks, the FFIEC expects member financial institutions to, among other things, (i) conduct ongoing information security risk assessments; (ii) perform security monitoring, prevention, and risk mitigation; (iii) take specific steps to protect against unauthorized access; (iv) implement and test controls around critical systems regularly; and (v) conduct information security awareness and training programs.
On April 1, the OCC issued a booklet titled “Garnishment of Accounts Containing Federal Benefit Payments.” The booklet, a new addition to the Comptroller’s Handbook, includes interagency guidance and examination procedures and reflects a June 2013 interim rule that amended federal regulations governing the garnishment of certain federal benefit payments that are directly deposited to accounts at financial institutions. The booklet (i) establishes procedures that financial institutions must follow when they receive a garnishment order against an account holder who receives certain types of federal benefit payments by direct deposit; and (ii) requires financial institutions that receive such a garnishment order to determine the sum of such federal benefit payments deposited to the account during a two-month period and ensure that the account holder has access to an amount equal to that sum or to the current balance of the account, whichever is lower.
On April 1, the Federal Reserve Board’s Office of Inspector General (OIG), which also is responsible for auditing the CFPB, issued a report that is critical of the CFPB’s supervisory activities and recommends that the CFPB take specific actions to strengthen its supervision program. The report echoes concerns raised by entities that have been through the examination process.
The report covers the CFPB’s supervisory activities from July 2011 through July 2013, including 82 completed examinations (excluding baseline reviews), which yielded 35 reports of examination and 47 supervisory letters. Of those 82 completed examinations, 63 were of depository institutions, and 19 were of nondepository institutions.
Among the findings, the OIG concludes that:
On March 27, the OCC issued the Asset-Based Lending (ABL) booklet, which is new to the Comptroller’s Handbook. The booklet provides guidance to examiners and bankers on ABL activities and risks, prudent credit risk management and underwriting expectations, credit administration, and credit risk rating. It also provides risk-based expanded examination procedures related to structures, credit analysis, evaluating borrower liquidity, establishing a borrowing base and prudent advance rates, collateral controls and monitoring systems, and credit risk rating considerations. The booklet further includes transaction examples to assist with the assessment of credit risk.