FFIEC Advises Financial Institutions On “Heartbleed” Risks

On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed,” a recently discovered material security vulnerability in the commonly used OpenSSL cryptographic library. The vulnerability has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPN), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third-party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally, the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.


House Committee Members Express Concerns About Operation Choke Point

On April 8, the House Financial Services Committee held a hearing with the general counsels of the federal banking agencies regarding, among other things, Operation Choke Point, the federal enforcement operation reportedly intended to cut off from the banking system certain lenders and merchants allegedly engaged in unlawful activities. Numerous committee members from both sides of the aisle raised concerns about Operation Choke Point, as well as the federal government’s broader pressure on banks over their relationships with nonbank financial service providers, including money service businesses, nonbank lenders, and check cashers. Committee members asserted that the operation is impacting lawful nonbank financial service providers, who are losing access to the banking system and, in turn, are unable to offer needed services to the members’ constituents. The FDIC’s Richard Osterman repeatedly stated that Operation Choke Point is a DOJ operation and the FDIC’s participation is limited to providing certain information and resources upon request. Mr. Osterman also asserted that the FDIC is not attempting to, and does not intend to, prohibit banks from offering products or services to nonbank financial service providers operating within the law, and that the FDIC’s guidance is clear that banks are neither prohibited from nor encouraged to provide services to certain businesses, provided they properly manage their risk. Similarly, the OCC’s Amy Friend stated that the OCC wants to ensure that banks conduct due diligence and implement appropriate controls, but that the OCC is not prohibiting banks from offering services to lawful businesses. She stated the OCC has found that some banks have made a business decision to terminate relationships with some nonbank providers rather than implement additional controls.


Federal Reserve Board Announces Volcker CLO Conformance Period Extension

On April 7, the Federal Reserve Board issued a statement that it intends to exercise its authority to give banking entities two additional one-year extensions to conform their ownership interests in, and sponsorship of, certain collateralized loan obligations (CLOs) covered by federal regulations implementing Section 619 of the Dodd-Frank Act, the so-called Volcker Rule. Section 619 generally prohibits insured depository institutions and their affiliates from engaging in proprietary trading and from acquiring or retaining ownership interests in, sponsoring, or having certain relationships with a hedge fund or private equity fund. The Board previously adopted rules for the conformance period for covered funds—including CLOs—and at that time extended the conformance period for all activities and investments by one year, to July 21, 2015. But to ensure effective compliance, the Board plans to grant banking entities two additional one-year extensions, until July 21, 2017. These extensions only apply to CLOs that were in place as of December 31, 2013 and do not qualify for the exclusion in the final rule for loan securitizations. The Board’s decision was challenged during a House Financial Services Committee hearing the following day, in which several lawmakers argued that Congress never intended for the Volcker Rule to cover securitizations, including CLOs. The lawmakers urged the Federal Reserve to address the issue by amending the rule to exclude or grandfather in CLOs, rather than by extending the conformance period.

POSTED IN: Banking, Federal Issues

Prudential Regulators Finalize Leverage Ratio Rule For Largest Institutions

On April 8, the Federal Reserve Board, the FDIC, and the OCC adopted a final rule, effective January 1, 2018, requiring certain top-tier U.S. bank holding companies (BHCs) to maintain a minimum supplementary leverage ratio buffer of 2% above the minimum supplementary leverage ratio requirement of 3%. The final rule applies to BHCs with more than $700 billion in total consolidated assets or more than $10 trillion in assets under custody (Covered BHCs), and to insured depository institution subsidiaries of those BHCs (Covered Subsidiaries). A Covered BHC that fails to maintain the supplemental leverage buffer would be subject to restrictions on capital distributions and discretionary bonus payments. Covered Subsidiaries must also maintain a supplementary leverage ratio of at least 6% to be considered “well capitalized” under the agencies’ prompt corrective action framework. The final rule is substantially similar to the rule the agencies proposed in July 2013. Concurrent with the final rule, the agencies also (i) proposed a rule that would modify the denominator calculation for the supplementary leverage ratio in a manner consistent with recent changes agreed to by the Basel Committee, which would apply to all internationally active banking organizations, including those subject to the enhanced supplementary leverage ratio final rule; and (ii) proposed a technical correction to the definition of “eligible guarantee” in the agencies’ risk-based capital rules. The agencies are accepting comments on both proposals through June 13, 2014. Separately, the FDIC Board adopted as final its Basel III interim final rule, which is substantively identical to the final rules adopted by the Federal Reserve Board and the OCC in July 2013.


FDIC Reissues Technology Outsourcing Resources, Urges Use of Cyber Resources

On April 7, the FDIC reissued, as attachments to FIL-13-2014, three technology outsourcing resources. The documents, which the FDIC describes as containing “practical ideas for banks to consider when they engage in technology outsourcing,” are titled: (i) Effective Practices for Selecting a Service Provider; (ii) Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements; and (iii) Techniques for Managing Multiple Service Providers. The FDIC advises that the resources are informational only and do not substitute for official examination guidance. On April 10, the FDIC urged financial institutions to utilize existing resources to identify and help mitigate potential cyber-related risks. The FDIC advised institutions to ensure that their information security staff are aware of and subscribe to reliable and recognized resources that can help quickly identify emerging cyber risks, including the following governmental resources: (i) the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT); (ii) U.S. Secret Service Electronic Crimes Task Force (ECTF); (iii) FBI InfraGard; (iv) financial services sector regional coalitions; and (v) Information Sharing and Analysis Centers (ISACs).


Fannie Mae Updates Modification Policies

On March 28, Fannie Mae issued Servicing Guide Announcement SVC-2014-05, which provides, as recently promised, updated guidance regarding standard and streamlined modification programs. The announcement informs servicers that, by July 1, 2014, for mortgage loans with a pre-modified mark-to-market loan-to-value ratio less than 80%, servicers must ensure that borrowers satisfy all eligibility requirements for a Fannie Mae standard or streamlined modification. The announcement details the specific steps servicers must take to calculate the terms of the trial period plan. It also provides information for servicers to use in determining the appropriate information to include in an evaluation notice or solicitation letter, and informs servicers that if a borrower is eligible for a trial period plan with more than one amortization term, the borrower may choose an amortization term but the trial period plan notice must inform the borrower that he or she will not be able to change the amortization term after the first payment is received. The announcement states that if a mortgage loan becomes 60 or more days delinquent within 12 months of the modification effective date, the servicer must not approve another modification. Finally, Fannie Mae states that if the first trial period plan payment submitted by a borrower does not correspond to an amortization term payment offered in the plan, the servicer must use the shortest amortization term provided in the plan that is covered by the borrower’s actual payment to determine the amortization term and monthly payment obligation.


Fannie Mae To Begin Assessing Fees For Late, Inaccurate Reporting

On March 28, Fannie Mae notified servicers that, effective May 1, 2014, it will begin issuing warning letters and assessing compensatory fees to servicers that fail to submit Fannie Mae investor reporting system reports on a timely basis or that fail to use the correct data and formats. Alternatively, Fannie Mae reserves the right to issue an indemnification demand to any servicer that breaches these servicing requirements. Currently, Fannie Mae sends a Failed Business Rules report to servicers who fail to meet these requirements. After May 1, a servicer may be assessed: (i) the greater of $250 or $50 per mortgage loan, up to a maximum of $5,000, for the first instance of late or inaccurate reporting; (ii) the greater of $500 or $50 per mortgage loan, up to a maximum of $10,000, for the second instance of late or inaccurate reporting, if it occurs within one year of the first instance; and (iii) the greater of $1,000 or $50 per mortgage loan, up to a maximum of $15,000, for each subsequent instance of late or inaccurate reporting within one year of the most recent previous instance.

POSTED IN: Federal Issues, Mortgages

CFPB To Hold Forum On Mortgage Closing Process

The CFPB announced today that it will hold a forum on the mortgage closing process. The event will take place at the CFPB’s headquarters in Washington, DC at 1:30 p.m. on April 23, 2014. It will be open to members of the public who RSVP and also will be available through a live stream on the CFPB’s website. Consistent with its past practice, the CFPB has not provided advance details about the specific topics to be addressed or the participants. The event is likely to review the feedback the CFPB received in response to a January 2014 request for information about consumer “pain points” associated with the mortgage closing process, an initiative the CFPB first revealed in November 2013 in conjunction with the release of the final rule combining mortgage disclosures under TILA and RESPA. We plan to attend the event and will provide an update later this month.

POSTED IN: Federal Issues, Mortgages

CFPB Issues Annual Consumer Complaint Report

On March 31, the CFPB published its Consumer Response Annual Report, providing a review of the CFPB’s complaint process and a description of complaints received during January 1 through December 31, 2013. According to the report, the Bureau received approximately 163,700 complaints in 2013. Mortgage complaints outpaced all others (37%), followed by complaints regarding debt collection (19%), bank accounts (12%), and credit cards (10%). Complaints related to consumer loans, student loans, payday loans, money transfers, and “other” each comprised 3% or less of the total. The report also breaks down the types of complaints for each category and summarizes companies’ responses. The majority of closed complaints for all categories were resolved with an explanation by the company, i.e., without monetary or other relief, and companies responded to complaints in a timely fashion 99% of the time, or better. The report also stated that the CFPB “continues to evaluate, among other things, the release of consumer narratives, the potential for normalization of the data to make comparisons easier, and the expansion of functionality to improve user experience.”


Comptroller Curry Calls On Banks To Offer Payday Loan Alternatives

On April 1, Comptroller Thomas Curry delivered remarks in which he urged banks to offer alternatives to “high cost payday loans.” The Comptroller defended his agency’s guidance on deposit advance products and stated that “properly managed small-dollar loan programs do not exhibit the same level of risks [the OCC] identified with deposit advance products, and that such loans can be made available to consumers.” He added that many of the risks identified with regard to deposit advance guidance, including the product’s short-term balloon payment feature, were specific to that product. He encouraged banks to offer “responsible” small-dollar loan programs composed of products with reasonable terms, and to report payment information for such products to credit bureaus. In addition to helping consumers, the Comptroller believes such programs (i) can be offered at an incremental cost to banks; (ii) can help build banks’ reputations and expand existing customer relationships; and (iii) can potentially be eligible for positive CRA consideration. The remarks did not provide specific guidance on the pricing and other small-dollar loan terms that the OCC would consider appropriate.


FFIEC Advises Banks On Website, ATM Cyber Attacks

On April 2, the FFIEC advised financial institutions that distributed denial-of-service (DDoS) attacks on a financial institution’s public websites present operational and reputation risks. If coupled with attempted fraud, a financial institution may also experience fraud losses and face liquidity and capital risks. The FFIEC members expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans and to, among other things, (i) maintain an ongoing program to assess information security risk; (ii) monitor Internet traffic to the institution’s website to detect attacks; (iii) activate incident response plans and notify service providers, including Internet service providers, as appropriate, if the institution suspects that a DDoS attack is occurring; (iv) ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow; and (v) evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.

In a second statement, the FFIEC advised financial institutions of a type of large dollar value ATM cash-out fraud by which cyber attackers gain access to, and alter the settings on, ATM web-based control panels used by small- to medium-sized financial institutions. The FFIEC states that institutions that issue debit, prepaid, or ATM cards may face operational risks, fraud losses, liquidity and capital risks, and reputation risks, and that institutions that outsource their card issuing function to a card processor may initially be liable for losses even if the compromise occurs at the processor. To mitigate these risks, the FFIEC expects member financial institutions to, among other things, (i) conduct ongoing information security risk assessments; (ii) perform security monitoring, prevention, and risk mitigation; (iii) take specific steps to protect against unauthorized access; (iv) implement and test controls around critical systems regularly; and (v) conduct information security awareness and training programs.


House Republicans Urge FHFA Not To Direct GSEs To Start Contributing To Affordable Housing Funds Established By HERA

On April 2, House Financial Services Committee Chairman Jeb Hensarling (R-TX), joined by Congressmen Scott Garrett (R-NJ) and Ed Royce (R-CA), urged FHFA Director Mel Watt to continue the FHFA’s five-year-old policy of suspending contributions to the Affordable Housing Trust Fund and the Capital Magnet Fund. These two funds were established in the Housing and Economic Recovery Act (HERA) to direct a percentage of GSE profits into affordable housing using a mechanism that would be off-budget and thus not subject to the Congressional appropriations process. In January, more than 30 Democratic Senators pressed Mr. Watt to change course and lift the suspension. Given that the federal government owns $189 billion in outstanding senior preferred shares, the Republican House members believe that lifting the suspension would divert money from Fannie Mae and Freddie Mac that could be used to compensate taxpayers. They added that funding the affordable housing programs would violate the “letter and spirit of the Housing and Economic Recovery Act,” and would be premature given ongoing congressional deliberations over broader housing finance reform.


OCC Issues Booklet On Wage Garnishment

On April 1, the OCC issued a booklet titled “Garnishment of Accounts Containing Federal Benefit Payments.” The booklet, a new addition to the Comptroller’s Handbook, includes interagency guidance and examination procedures and reflects a June 2013 interim rule that amended federal regulations governing the garnishment of certain federal benefit payments that are directly deposited to accounts at financial institutions. The booklet (i) establishes procedures that financial institutions must follow when they receive a garnishment order against an account holder who receives certain types of federal benefit payments by direct deposit; and (ii) requires financial institutions that receive such a garnishment order to determine the sum of such federal benefit payments deposited to the account during a two-month period and ensure that the account holder has access to an amount equal to that sum or to the current balance of the account, whichever is lower.

POSTED IN: Banking, Federal Issues

Fannie Mae, Freddie Mac Clarify Rural Property Appraisal Requirements

On April 1, Freddie Mac issued Bulletin 2014-05, and on March 25, Fannie Mae issued Lender Letter LL-2014-02, in response to directives from the FHFA to clarify certain requirements related to appraisals for properties located in rural areas. In the clarifying documents, Fannie Mae and Freddie Mac state that they do not require the use of third-party vendors such as appraisal management companies to order appraisals or to comply with requirements that the mortgage production function and the appraisal ordering and quality assurance functions remain separate. In addition, both Fannie Mae and Freddie Mac provide a small lender exception to the separation requirement. The guidance documents also state that a residential property in a market that contains properties or land uses that are non-residential in nature is not necessarily ineligible for sale to Fannie Mae or Freddie Mac. Both entities assert that they will purchase a mortgage secured by a property that is unique or may not conform to its neighborhood, provided an appraiser is able to evaluate and report on how the characteristics of the market area and unique property features affect the value and the marketability of the subject property. The guidance documents also advise sellers that in areas with less real estate activity, such as rural market areas, appraisers may, with documented support, use comparable sales that are older than 12 months, or that are a considerable distance from the subject property or not similar to the subject property.


Freddie Mac Revises Modification Requirements

On March 28, Freddie Mac announced in Bulletin 2014-4 that, with regard to the processing of standard and streamlined modifications for mortgages with pre-modification mark-to-market loan-to-value ratios less than 80%, servicers must provide eligible borrowers the option to select a 480-month, 360-month, or 240-month term for the modification agreement. Servicers must include in the trial period plan notice each amortization term and its trial period payment only when the associated monthly principal and interest (P&I) payment reduction condition is met. For a 480-month amortization term, the estimated modified P&I payment must be less than or equal to the current contractual P&I payment. For a 360-month or 240-month amortization term, the estimated modified P&I payment must be at least 20% less than the current contractual P&I payment. Additionally, Freddie Mac eliminated the options for a borrower to request a term that is different from those provided in the trial period plan offer or to change the amortization term after the first trial period payment is made. The Bulletin also advises servicers that, effective July 8, 2014, Freddie Mac will evaluate market rates on a monthly basis to determine whether a change to the standard modification interest rate is necessary, and, if so, will post the new rate and its mandatory effective date on the Standard Modification Interest Rate web page by the fifth business day of each month.
