On April 8 the House Financial Services Committee held a hearing with the general counsels of the federal banking agencies regarding, among other things, Operation Choke Point, the federal enforcement operation reportedly intended to cut off from the banking system certain lenders and merchants allegedly engaged in unlawful activities. Numerous committee members from both sides of the aisle raised concerns about Operation Choke Point, as well as the federal government’s broader pressure on banks over their relationships with nonbank financial service providers, including money service businesses, nonbank lenders, and check cashers. Committee members asserted that the operation is impacting lawful nonbank financial service providers, who are losing access to the banking system and, in turn, are unable to offer needed services to the members’ constituents. The FDIC’s Richard Osterman repeatedly stated that Operation Choke Point is a DOJ operation and the FDIC’s participation is limited to providing certain information and resources upon request. Mr. Osterman also asserted that the FDIC is not attempting to, and does not intend to, prohibit banks from offering products or services to nonbank financial service providers operating within the law, and that the FDIC’s guidance is clear that banks are neither prohibited from nor encouraged to provide services to certain businesses, provided they properly manage their risk. Similarly, the OCC’s Amy Friend stated that the OCC wants to ensure that banks conduct due diligence and implement appropriate controls, but that the OCC is not prohibiting banks from offering services to lawful businesses. She stated the OCC has found that some banks have made a business decision to terminate relationships with some nonbank providers rather than implement additional controls.
On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed”, a recently discovered material security vulnerability in a commonly used encryption method known as the OpenSSL cryptographic library, which has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPN), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.
On April 7, the Federal Reserve Board issued a statement that it intends to exercise its authority to give banking entities two additional one-year extensions to conform their ownership interests in, and sponsorship of, certain collateralized loan obligations (CLOs) covered by federal regulations implementing Section 619 of the Dodd-Frank Act, the so-called Volcker Rule. Section 619 generally prohibits insured depository institutions and their affiliates from engaging in proprietary trading and from acquiring or retaining ownership interests in, sponsoring, or having certain relationships with a hedge fund or private equity fund. The Board previously adopted rules for the conformance period for covered funds—including CLOs—and at that time extended the conformance period for all activities and investments by one year, to July 21, 2015. But to ensure effective compliance, the Board plans to grant banking entities two additional one-year extensions, until July 21, 2017. These extensions only apply to CLOs that were in place as of December 31, 2013 and do not qualify for the exclusion in the final rule for loan securitizations. The Board’s decision was challenged during a House Financial Services Committee hearing the following day, in which several lawmakers argued that Congress never intended for the Volcker Rule to cover securitizations, including CLOs. The lawmakers urged the Federal Reserve to address the issue by amending the rule to exclude or grandfather in CLOs, rather than by extending the conformance period.
On April 8, the Federal Reserve Board, the FDIC, and the OCC adopted a final rule, effective January 1, 2018, requiring certain top-tier U.S. bank holding companies (BHCs) to maintain a minimum supplementary leverage ratio buffer of 2% above the minimum supplementary leverage ratio requirement of 3%. The final rule applies to BHCs with more than $700 billion in total consolidated assets or more than $10 trillion in assets under custody (Covered BHCs), and to insured depository institution subsidiaries of those BHCs (Covered Subsidiaries). A Covered BHC that fails to maintain the supplemental leverage buffer would be subject to restrictions on capital distributions and discretionary bonus payments. Covered Subsidiaries must also maintain a supplementary leverage ratio of at least 6% to be considered “well capitalized” under the agencies’ prompt corrective action framework. The final rule is substantially similar to the rule the agencies proposed in July 2013. Concurrent with the final rule, the agencies also (i) proposed a rule that would modify the denominator calculation for the supplementary leverage ratio in a manner consistent with recent changes agreed to by the Basel Committee, which would apply to all internationally active banking organizations, including those subject to the enhanced supplementary leverage ratio final rule; and (ii) proposed a technical correction to the definition of “eligible guarantee” in the agencies’ risk-based capital rules. The agencies are accepting comments on both proposals through June 13, 2014. Separately, the FDIC Board adopted as final its Basel III interim final rule, which is substantively identical to the final rules adopted by the Federal Reserve Board and the OCC in July 2013.
On April 7, the FDIC reissued, as attachments to FIL-13-2014, three technology outsourcing resources. The documents, which the FDIC describes as containing “practical ideas for banks to consider when they engage in technology outsourcing” are titled: (i) Effective Practices for Selecting a Service Provider; (ii) Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements; and (iii) Techniques for Managing Multiple Service Providers. The FDIC advises that the resources are informational only and do not substitute for official examination guidance. On April 10, the FDIC urged financial institutions to utilize existing resources to identify and help mitigate potential cyber-related risks. The FDIC advised institutions to ensure that their information security staff are aware of and subscribe to reliable and recognized resources that can help quickly identify emerging cyber risks, including the following governmental resources: (i) the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT); (ii) U.S. Secret Service Electronic Crimes Task Force (ECTF); (iii) FBI InfraGard; (iv) financial services sector regional coalitions; and (v) Information Sharing and Analysis Centers (ISACs).
On March 27, the U.S. Court of Appeals for the Ninth Circuit reversed the district court’s remand for lack of diversity, holding that a national bank is a citizen only of the state where it is headquartered. Rouse v. Wachovia Mortg., FSB, No. 12-55278, 2014 WL 1243869 (9th Cir. Mar. 27, 2014). In this case, a federal district court in California remanded to state court a suit brought by two California mortgage borrowers alleging state law violations against a national bank, holding that a national bank is a citizen of both the state where its principle place of business is located and where the bank is headquartered—in this case California and South Dakota, respectively—and that because the borrowers are California citizens, the district court lacked jurisdiction. The Ninth Circuit disagreed, finding that the statutory scheme governing nationally chartered banks, which the court described as sparse and ambiguous, deemed national banks citizens of the state where their main offices are located. Unlike the district court, the Ninth Circuit found no congressional intention to provide for jurisdictional parity between nationally chartered and state-chartered banks. The Ninth Circuit thus reversed the district court, finding perfect diversity between the plaintiffs, citizens of California, and the defendant national bank, a citizen of South Dakota.
On March 31 the CFPB published its Consumer Response Annual Report, providing a review of the CFPB’s complaint process and a description of complaints received during January 1 through December 31, 2013. According to the report the Bureau received approximately 163,700 complaints in 2013. Mortgage complaints outpaced all others (37%), followed by complaints regarding debt collection (19%), bank accounts (12%), and credit cards (10%). Complaints related to consumer loans, student loans, payday loans, money transfers, and “other” each comprised 3% or less of the total. The report also breaks down the types of complaints for each category and summarizes companies’ responses. The majority of closed complaints for all categories were resolved with an explanation by the company, i.e. without monetary or other relief, and companies responded to complaints in a timely fashion 99% of the time, or better. The report also stated that the CFPB “continues to evaluate, among other things, the release of consumer narratives, the potential for normalization of the data to make comparisons easier, and the expansion of functionality to improve user experience.”
On April 1, Comptroller Thomas Curry delivered remarks in which he urged banks to offer alternatives to “high cost payday loans.” The Comptroller defended his agency’s guidance on deposit advance products and stated that “properly managed small-dollar loan programs do not exhibit the same level of risks [the OCC] identified with deposit advance products, and that such loans can be made available to consumers.” He added that many of the risks identified with regard to deposit advance guidance, including the product’s short-term balloon payment feature, were specific to that product. He encouraged banks to offer “responsible” small-dollar loan programs comprised of products with reasonable terms, and to report payment information for such products to credit bureaus. In addition to helping consumers, the comptroller believes such programs (i) can be offered at an incremental cost to banks; (ii) can help build banks’ reputations and expand existing customer relationships; and (iii) can potentially be eligible for positive CRA consideration. The remarks did not provide specific guidance on the pricing and other small dollar loan terms that the OCC would consider appropriate.
On April 2, the FFIEC advised financial institutions that distributed denial-of-service (DDoS) attacks on a financial institution’s public websites present operational and reputation risks. If coupled with attempted fraud, a financial institution may also experience fraud losses and face liquidity and capital risks. The FFIEC members expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans and to, among other things, (i) maintain an ongoing program to assess information security risk; (ii) monitor Internet traffic to the institution’s website to detect attacks; (iii) activate incident response plans and notify service providers, including Internet service providers, as appropriate, if the institution suspects that a DDoS attack is occurring; (iv) ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow; and (v) evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
In a second statement, the FFIEC advised financial institutions of a type of large dollar value ATM cash-out fraud by which cyber attackers gain access to, and alter the settings on, ATM web-based control panels used by small- to medium-sized financial institutions. The FFIEC states that institutions that issue debit, prepaid, or ATM cards may face operational risks, fraud losses, liquidity and capital risks, and reputation risks, and that institutions that outsource their card issuing function to a card processor may initially be liable for losses even if the compromise occurs at the processor. To mitigate these risks, the FFIEC expects member financial institutions to, among other things, (i) conduct ongoing information security risk assessments; (ii) perform security monitoring, prevention, and risk mitigation; (iii) take specific steps to protect against unauthorized access; (iv) implement and test controls around critical systems regularly; and (v) conduct information security awareness and training programs.
On April 1, the OCC issued a booklet titled “Garnishment of Accounts Containing Federal Benefit Payments.” The booklet, a new addition to the Comptroller’s Handbook, includes interagency guidance and examination procedures and reflects a June 2013 interim rule that amended federal regulations governing the garnishment of certain federal benefit payments that are directly deposited to accounts at financial institutions. The booklet (i) establishes procedures that financial institutions must follow when they receive a garnishment order against an account holder who receives certain types of federal benefit payments by direct deposit; and (ii) requires financial institutions that receive such a garnishment order to determine the sum of such federal benefit payments deposited to the account during a two-month period and ensure that the account holder has access to an amount equal to that sum or to the current balance of the account, whichever is lower.
On April 1, the Federal Reserve Board’s Office of Inspector General (OIG), which also is responsible for auditing the CFPB, issued a report that is critical of the CFPB’s supervisory activities and recommends that the CFPB take specific actions to strengthen its supervision program. The report shares concerns raised by entities having been through the examination process.
The report covers the CFPB’s supervisory activities from July 2011 through July 2013, including 82 completed examinations (excluding baseline reviews), which yielded 35 reports of examination and 47 supervisory letters. Of those 82 completed examinations, 63 were of depository institutions, and 19 were of nondepository institutions.
Among the findings, the OIG concludes that: Read more…
On March 27, the OCC issued the Asset-Based Lending (ABL) booklet, which is new to the Comptroller’s Handbook. The booklet provides guidance to examiners and bankers on ABL activities and risks, prudent credit risk management and underwriting expectations, credit administration, and credit risk rating. It also provides risk-based expanded examination procedures related to structures, credit analysis, evaluating borrower liquidity, establishing a borrowing base and prudent advance rates, collateral controls and monitoring systems, and credit risk rating considerations. The booklet further includes transaction examples to assist with the assessment of credit risk.
On March 25, California Attorney General (AG) Kamala Harris announced that she and four other state AGs—Suthers (CO), Bondi (FL), Cortez Masto (NV), and King (NM)—signed a letter of intent with the President of the National Banking and Securities Commission of Mexico to establish a bi-national working group on money laundering enforcement. The working group will be tasked with (i) establishing the scope of coordination between Mexico and U.S. state AGs on money laundering enforcement issues; (ii) developing a plan for mutual technical assistance and training on combating money laundering; and (iii) sharing best practices on money laundering enforcement techniques and other enforcement issues of mutual concern, including the impact of money laundering on the border region of the U.S. and Mexico.
On March 25, FinCEN issued an advisory notice, FIN-2014-A003, in which it provided guidance to financial institutions for reviewing their obligations and risk-based approaches with respect to certain jurisdictions. The Financial Action Task Force (FATF) recently updated its lists of jurisdictions that appear in two documents: (i) jurisdictions that are subject to the FATF’s call for countermeasures or Enhanced Due Diligence as a result of the jurisdictions’ Anti-Money Laundering/Counter-Terrorist Financing (AML/CFT) deficiencies, or (ii) jurisdictions identified by the FATF as having AML/CFT deficiencies. The advisory notice (i) summarizes the changes made by the FATF; (ii) provides specific guidance regarding jurisdictions listed in each category; and (iii) reiterates that if a financial institution knows, suspects, or has reason to suspect that a transaction involves funds derived from illegal activity or that a customer has otherwise engaged in activities indicative of money laundering, terrorist financing, or other violation of federal law or regulation, the financial institution must file a Suspicious Activity Report.
Recently, the DOJ issued its first opinion release of 2014 regarding application of the FCPA. In this instance, an investment bank and securities issuer who was a majority shareholder of a foreign financial services company sought the DOJ’s opinion with regard to the bank’s purchase of the remaining minority interest from a foreign businessman who now serves as a senior foreign official. The DOJ determined that based on the facts and representations described by the requestor, the only purpose of the payment to the official would be consideration for the minority interest. The DOJ explained that although the FCPA generally prohibits an issuer from corruptly giving or offering anything of value to any “foreign official” in order to assist “in obtaining or retaining business for or with, or directing business to” the issuer, it does not “per se prohibit business relationships with, or payments to, foreign officials.” In this situation, the DOJ determined, based on numerous, fact-intensive considerations, that the transfer of value as proposed would not be prohibited under the FCPA. The DOJ found no indications of corrupt intent, citing, among other things, the proffered purpose to sever the parties’ existing financial relationship to avoid a conflict of interest, and the use of a reasonable alternative valuation model. The DOJ also determined the bank demonstrated that the parties would appropriately and meaningfully disclose their relationships before the sale closed, and that the bank would implement strict recusal and conflict-of-interest-avoidance measures to prevent the shareholder/foreign official from assisting the bank in obtaining or retaining business. As with all Opinion Releases under the FCPA, the DOJ cautioned that the opinion has no binding application to any other party.