On April 16, Comptroller of the Currency Thomas Curry spoke to attendees of the Consumer Electronics Show Government Conference, taking his concerns about banks’ vendor relationships and cybersecurity risks to potential third-party technology service providers. Comptroller Curry explained the banking system’s vulnerability to cyberattacks given its significant reliance on technology and telecommunications, and expressed particular concern about potential attacks on community banks. He reiterated several of the specific risk issues he recently discussed with community bankers. Comptroller Curry (i) outlined risks related to the consolidation of bank vendors; (ii) identified as a “special problem” banks’ reliance on foreign vendors, and cautioned banks to consider the legal and regulatory implications of where their data is stored or transmitted; and (iii) expressed concern about vendors’ access to important and confidential bank and customer data. He assured attendees that the OCC is not trying to discourage the use of third-party vendors, but in explaining the OCC’s particular focus on controls and risk management practices employed by vendors that provide services to banks and thrifts, Comptroller Curry advised vendors of the OCC’s authority under the Bank Service Company Act to issue enforcement actions and its authority to examine vendors designated as Technology Service Providers. He reported that banks have asked the OCC to more actively supervise critical service providers and stated that in working to protect the banking system the OCC will have to “look beyond individual financial institutions to the range of vendors and customers that have access to some part of its infrastructure and systems.”
On April 17, the CFPB issued a guide to completing the disclosure forms required by its November 2013 TILA-RESPA integrated disclosures rule, which generally applies to transactions for which a creditor or broker receives an application on or after August 1, 2015. The guide provides instructions for completing the Loan Estimate and Closing Disclosure and highlights common situations that may arise when completing the forms. The CFPB states in addition to serving as a resource to creditors, the guide also may assist settlement service providers, software providers, and other service providers. The disclosure forms guide follows the release last month of a small entity compliance guide, which summarizes the rule and highlights issues that small creditors, and their partners or service providers, might find helpful to consider when implementing the rule.
On April 15, the SEC’s Office of Compliance Inspections and Examinations announced that it will be conducting cybersecurity examinations of more than 50 registered broker-dealers and registered investment advisers. The examinations will assess each firm’s cybersecurity preparedness and collect information about the industry’s recent experiences with certain types of cyber threats. Specifically, examiners will focus on (i) cybersecurity governance; (ii) identification and assessment of cybersecurity risks; (iii) protection of networks and information; (iv) risks associated with remote customer access and funds transfer requests; (v) risks associated with vendors and other third parties; (vi) detection of unauthorized activity; and (vii) experiences with certain cybersecurity threats. The SEC included with the announcement a sample document and information request it plans to use in this examination initiative.
On April 11, the Treasury Department submitted to the OMB’s Office of Information and Regulatory Affairs (OIRA) FinCEN’s long-awaited proposed rule to establish customer due diligence requirements for financial institutions. Under executive order, each agency is required to submit for regulatory review rules resulting from “significant regulatory actions,” and OIRA has 90 days to complete or waive the review. The public portion of the FinCEN rulemaking has been ongoing since February 2012 when FinCEN released an advance notice of proposed rulemaking to solicit comment on potential requirements for financial institutions to (i) conduct initial due diligence and verify customer identities at the time of account opening; (ii) understand the purpose and intended nature of the account; (iii) identify and verify all customers’ beneficial owners; and (iv) monitor the customer relationship and conduct additional due diligence as needed. FinCEN subsequently held a series of roundtable meetings, summaries of which it later published.
On April 15, Fannie Mae issued Selling Guide Announcement SEL 2014-03, which includes numerous selling policy updates. Based on a comprehensive review of its current requirements, the announcement provides a series of new or updated property eligibility and appraisal requirements, which must be implemented no later than August 1, 2014. The announcement also states that Fannie Mae is retiring its two-step ARM mortgage, as well as standard ARM plans 1030 and 1031. For mortgage loans with notes dated on or after October 15, 2014 where the lender is registered with MERS, Fannie Mae will also require the use of a new rider to modify the standard security instruments in Montana, Oregon, and Washington. The announcement includes numerous additional miscellaneous policy updates, and notes again the recent publication of the Selling Guide on Fannie Mae’s corporate website.
On April 17, the FTC announced it is seeking additional public comments on issues explored during a 2013 forum on mobile security. The announcement includes a series of specific questions within the following categories: (i) secure platform design; (ii) secure distribution channels; (iii) secure development practices; and (iv) security lifecycle and updates. The announcement indicates that the FTC is planning a report based on the forum and this subsequent information request. Comments are due by May 30, 2014.
On April 15, the CFPB issued a proposed rule and request for comment to extend a temporary exception to Regulation E’s requirement that remittance transfer providers disclose certain fees and exchange rates to consumers. Pursuant to Regulation E, as amended to implement section 1073 of the Dodd-Frank Act, insured depository institutions are permitted to estimate certain third-party fees and exchange rates in connection with a remittance transfer until July 21, 2015, provided the transfer is sent from the sender’s account with the institution, and the institution is unable to determine the exact amount of the fees and rates due to circumstances outside of the institution’s control. The CFPB is proposing to exercise its statutory authority to extend this exception for an additional five years, until July 21, 2020. The agency explained that, based on its outreach to insured institutions and consumer groups, allowing the initial temporary exception to lapse would negatively affect the ability of insured institutions to send remittance transfers. Comments on the proposed rule are due within 30 days of its publication in the Federal Register.
On April 10, the FFIEC issued an alert advising financial institutions of risks associated with “Heartbleed”, a recently discovered material security vulnerability in the widely used OpenSSL cryptographic library, which has existed since December 31, 2011. The alert states that the vulnerability could allow an attacker to access a server’s private cryptographic keys, thereby compromising the security of the server and its users, and potentially allowing attackers to impersonate bank services or users, steal login credentials, access sensitive email, or gain access to internal networks. Due to OpenSSL’s popularity, this vulnerability affects websites, e-mail servers, web servers, virtual private networks (VPN), instant messaging, and other applications. The FFIEC advises financial institutions to (i) ensure that third-party vendors that use OpenSSL on their systems are aware of the vulnerability and take appropriate risk mitigation steps; (ii) monitor the status of their vendors’ efforts; (iii) identify and upgrade vulnerable internal systems and services; and (iv) follow appropriate patch management practices and test to ensure a secure configuration. Patch management, software maintenance, and security update practices are covered by a number of FFIEC IT Examination Handbooks. Finally, the FFIEC states that institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the patch.
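Added example (not from the FFIEC alert or this newsletter): a Python triage script that checks a constructed OpenSSL inventory against the affected version range (1.0.1 through 1.0.1f; fixed in 1.0.1g) and derives the per-host steps the alert calls for, including the key-rotation and password-reset assumption. The hostnames, the "vendor-" owner convention and the CSV layout are assumptions made for the example.

```python
from __future__ import annotations
import csv
import io
import re

# OpenSSL 1.0.1 through 1.0.1f carried the heartbeat bug; 1.0.1g fixed it.
# The 0.9.8 and 1.0.0 branches never had the TLS heartbeat extension.
AFFECTED = re.compile(r"^1\.0\.1[a-f]?$")

# Constructed sample inventory (hypothetical hosts and vendor names).
INVENTORY_CSV = """host,owner,openssl_version
www.example.test,internal,1.0.1e
vpn.example.test,vendor-acme,1.0.1f
mail.example.test,internal,1.0.1g
legacy.example.test,internal,0.9.8y
api.example.test,vendor-beta,1.0.1e-16.el6_5.7
"""

def classify(version: str) -> str:
    """'vulnerable', 'fixed', 'unaffected', or 'verify' for packaged builds
    whose distro suffix (e.g. 1.0.1e-16.el6_5.7) may hide a backported fix."""
    base, sep, _suffix = version.strip().partition("-")
    if AFFECTED.match(base):
        return "verify" if sep else "vulnerable"
    if base.startswith("1.0.1"):
        return "fixed"
    return "unaffected"

def remediation(owner: str, status: str) -> list[str]:
    """Per-host steps in the alert's order: patch, then treat keys on exposed
    servers as compromised, then reset credentials; chase vendors throughout."""
    steps: list[str] = []
    if status == "verify":
        steps.append("confirm with vendor whether the fix is backported")
    if status == "vulnerable":
        steps.append("upgrade OpenSSL to 1.0.1g or later")
    if status in ("vulnerable", "verify"):
        steps.append("reissue TLS keys and certificates after patching")
        steps.append("require users and admins to change passwords after patching")
    if owner.startswith("vendor-") and status != "unaffected":
        steps.append("track vendor remediation status")
    return steps

def triage(inventory_csv: str) -> dict[str, dict]:
    """Return {host: {"status": ..., "actions": [...]}} for every inventory row."""
    result: dict[str, dict] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["openssl_version"])
        result[row["host"]] = {"status": status,
                               "actions": remediation(row["owner"], status)}
    return result

if __name__ == "__main__":
    for host, info in triage(INVENTORY_CSV).items():
        print(host, info["status"], *info["actions"], sep="\n  ")
```

A bare version string cannot prove that a distribution build is patched, so the script flags suffixed versions for vendor confirmation rather than clearing them.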
On April 8, the House Financial Services Committee held a hearing with the general counsels of the federal banking agencies regarding, among other things, Operation Choke Point, the federal enforcement operation reportedly intended to cut off from the banking system certain lenders and merchants allegedly engaged in unlawful activities. Numerous committee members from both sides of the aisle raised concerns about Operation Choke Point, as well as the federal government’s broader pressure on banks over their relationships with nonbank financial service providers, including money service businesses, nonbank lenders, and check cashers. Committee members asserted that the operation is impacting lawful nonbank financial service providers, who are losing access to the banking system and, in turn, are unable to offer needed services to the members’ constituents. The FDIC’s Richard Osterman repeatedly stated that Operation Choke Point is a DOJ operation and the FDIC’s participation is limited to providing certain information and resources upon request. Mr. Osterman also asserted that the FDIC is not attempting to, and does not intend to, prohibit banks from offering products or services to nonbank financial service providers operating within the law, and that the FDIC’s guidance is clear that banks are neither prohibited from nor encouraged to provide services to certain businesses, provided they properly manage their risk. Similarly, the OCC’s Amy Friend stated that the OCC wants to ensure that banks conduct due diligence and implement appropriate controls, but that the OCC is not prohibiting banks from offering services to lawful businesses. She stated the OCC has found that some banks have made a business decision to terminate relationships with some nonbank providers rather than implement additional controls.
On April 7, the Federal Reserve Board issued a statement that it intends to exercise its authority to give banking entities two additional one-year extensions to conform their ownership interests in, and sponsorship of, certain collateralized loan obligations (CLOs) covered by federal regulations implementing Section 619 of the Dodd-Frank Act, the so-called Volcker Rule. Section 619 generally prohibits insured depository institutions and their affiliates from engaging in proprietary trading and from acquiring or retaining ownership interests in, sponsoring, or having certain relationships with a hedge fund or private equity fund. The Board previously adopted rules for the conformance period for covered funds—including CLOs—and at that time extended the conformance period for all activities and investments by one year, to July 21, 2015. But to ensure effective compliance, the Board plans to grant banking entities two additional one-year extensions, until July 21, 2017. These extensions only apply to CLOs that were in place as of December 31, 2013 and do not qualify for the exclusion in the final rule for loan securitizations. The Board’s decision was challenged during a House Financial Services Committee hearing the following day, in which several lawmakers argued that Congress never intended for the Volcker Rule to cover securitizations, including CLOs. The lawmakers urged the Federal Reserve to address the issue by amending the rule to exclude or grandfather in CLOs, rather than by extending the conformance period.
On April 8, the Federal Reserve Board, the FDIC, and the OCC adopted a final rule, effective January 1, 2018, requiring certain top-tier U.S. bank holding companies (BHCs) to maintain a minimum supplementary leverage ratio buffer of 2% above the minimum supplementary leverage ratio requirement of 3%. The final rule applies to BHCs with more than $700 billion in total consolidated assets or more than $10 trillion in assets under custody (Covered BHCs), and to insured depository institution subsidiaries of those BHCs (Covered Subsidiaries). A Covered BHC that fails to maintain the supplemental leverage buffer would be subject to restrictions on capital distributions and discretionary bonus payments. Covered Subsidiaries must also maintain a supplementary leverage ratio of at least 6% to be considered “well capitalized” under the agencies’ prompt corrective action framework. The final rule is substantially similar to the rule the agencies proposed in July 2013. Concurrent with the final rule, the agencies also (i) proposed a rule that would modify the denominator calculation for the supplementary leverage ratio in a manner consistent with recent changes agreed to by the Basel Committee, which would apply to all internationally active banking organizations, including those subject to the enhanced supplementary leverage ratio final rule; and (ii) proposed a technical correction to the definition of “eligible guarantee” in the agencies’ risk-based capital rules. The agencies are accepting comments on both proposals through June 13, 2014. Separately, the FDIC Board adopted as final its Basel III interim final rule, which is substantively identical to the final rules adopted by the Federal Reserve Board and the OCC in July 2013.
On April 7, the FDIC reissued, as attachments to FIL-13-2014, three technology outsourcing resources. The documents, which the FDIC describes as containing “practical ideas for banks to consider when they engage in technology outsourcing,” are titled: (i) Effective Practices for Selecting a Service Provider; (ii) Tools to Manage Technology Providers’ Performance Risk: Service Level Agreements; and (iii) Techniques for Managing Multiple Service Providers. The FDIC advises that the resources are informational only and do not substitute for official examination guidance. On April 10, the FDIC urged financial institutions to utilize existing resources to identify and help mitigate potential cyber-related risks. The FDIC advised institutions to ensure that their information security staff are aware of and subscribe to reliable and recognized resources that can help quickly identify emerging cyber risks, including the following governmental resources: (i) the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT); (ii) the U.S. Secret Service Electronic Crimes Task Force (ECTF); (iii) FBI InfraGard; (iv) financial services sector regional coalitions; and (v) Information Sharing and Analysis Centers (ISACs).
On March 28, Fannie Mae issued Servicing Guide Announcement SVC-2014-05, which provides, as recently promised, updated guidance regarding standard and streamlined modification programs. The announcement informs servicers that, by July 1, 2014, for mortgage loans with a pre-modified mark-to-market loan-to-value ratio less than 80%, servicers must ensure that borrowers satisfy all eligibility requirements for a Fannie Mae standard or streamlined modification. The announcement details the specific steps servicers must take to calculate the terms of the trial period plan. It also provides information for servicers to use in determining the appropriate information to include in an evaluation notice or solicitation letter, and informs servicers that if a borrower is eligible for a trial period plan with more than one amortization term, the borrower may choose an amortization term but the trial period plan notice must inform the borrower that he or she will not be able to change the amortization term after the first payment is received. The announcement states that if a mortgage loan becomes 60 or more days delinquent within 12 months of the modification effective date, the servicer must not approve another modification. Finally, Fannie Mae states that if the first trial period plan payment submitted by a borrower does not correspond to an amortization term payment offered in the plan, the servicer must use the shortest amortization term provided in the plan that is covered by the borrower’s actual payment to determine the amortization term and monthly payment obligation.
On March 28, Fannie Mae notified servicers that, effective May 1, 2014, it will begin issuing warning letters and assessing compensatory fees to servicers that fail to submit Fannie Mae investor reporting system reports on a timely basis or that fail to use the correct data and formats. Alternatively, Fannie Mae reserves the right to issue an indemnification demand to any servicer that breaches these servicing requirements. Currently, Fannie Mae sends a Failed Business Rules report to servicers who fail to meet these requirements. After May 1, a servicer may be assessed: (i) the greater of $250 or $50 per mortgage loan, up to a maximum of $5,000, for the first instance of late or inaccurate reporting; (ii) the greater of $500 or $50 per mortgage loan, up to a maximum of $10,000, for the second instance of late or inaccurate reporting, if it occurs within one year of the first instance; and (iii) the greater of $1,000 or $50 per mortgage loan, up to a maximum of $15,000, for each subsequent instance of late or inaccurate reporting within one year of the most recent previous instance.
The CFPB announced today that it will hold a forum on the mortgage closing process. The event will take place at the CFPB’s headquarters in Washington, DC at 1:30 p.m. on April 23, 2014. It will be open to members of the public who RSVP and also will be available through a live stream on the CFPB’s website. Consistent with its past practice, the CFPB has not provided advance details about the specific topics to be addressed or the participants. The event is likely to review the feedback the CFPB received in response to a January 2014 request for information about consumer “pain points” associated with the mortgage closing process, an initiative the CFPB first revealed in November 2013 in conjunction with the release of the final rule combining mortgage disclosures under TILA and RESPA. We plan to attend the event and will provide an update later this month.