On December 2, Fed Governor Brainard delivered remarks at the Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA) Outreach Meeting in California. Governor Brainard noted the significance of safety and soundness in the banking system, but said that some Dodd-Frank regulations should target only larger institutions so that undue burdens are not placed on community banks: “Applying a one-size-fits-all approach to regulations may produce a small benefit at a disproportionately large compliance cost to smaller institutions.” The EGRPRA review, conducted every 10 years, provides an opportunity for federal financial regulators to consider whether current regulations are outdated, unnecessary, or unduly burdensome.
On December 24, a Maryland-based bank entered into an FDIC consent order involving alleged deficiencies in its BSA/AML compliance program. The consent order requires that the bank’s board of directors increase its oversight of the bank’s BSA compliance program. In addition, under the consent order, the bank must (i) appoint a qualified BSA officer and (ii) conduct a retrospective review of currency transaction reports beginning in May 2013 until the effective date of the consent order to determine whether transactions were properly identified and reported.
On November 12, the FCA announced that it was fining five banks for their foreign exchange practices. Specifically, ineffective controls at the banks allegedly allowed traders to strategize and manipulate exchange rates for their benefit. Additionally, confidential bank information was compromised in online chat rooms, including “the disclosure of information regarding customer order flows and proprietary Bank information, such as [foreign exchange] rate spreads.” The combined amount of civil money penalties against the banks is $1.7 billion.
Eleventh Circuit Vacates Dismissal, Rules Bank Officers Subject To Negligence Claims Under Georgia Law
On October 24, based on the Georgia Supreme Court’s response to the federal appellate court’s certified questions, the United States Court of Appeals for the Eleventh Circuit issued a per curiam opinion overturning a district court’s order to dismiss a lawsuit under Georgia’s business judgment rule. In this case, the court addressed whether bank directors and officers of failed banking institutions could be held liable under the state’s law for claims of ordinary negligence and breach of fiduciary duty based on ordinary negligence. In light of the responses from the Georgia Supreme Court, the Eleventh Circuit noted, “a bank director or officer may violate the standard of care established by O.C.G.A. § 7–1–490, even where he acts in good faith, where, with respect to the process by which he makes decisions, he fails to exercise the diligence, care, and skill of ‘ordinarily prudent men [acting] under similar circumstances in like positions.’” The case was remanded to the district court for further proceedings. FDIC v. Skow, No. 12-15878, WL 5394321 (11th Cir. Oct. 24, 2014)
On May 8, the New York Court of Appeals held that in certain circumstances a bank and its customer may agree to shorten the statutory time period under the state’s Uniform Commercial Code within which a customer must notify its bank of an improperly paid item in order to recover the payment. Clemente Bros. Contracting Corp. v. Hafner-Milazzo, No. 64, 2014 WL 1806924 (N.Y. May 8, 2014). The court explained that New York’s version of the UCC imposes strict liability on a bank that charges against its customer’s account any “item” that is not “properly payable”, but bars a customer’s claim for recovery on a wrongfully paid item when the customer fails to report the irregularity within one year after the bank provides the statement and item, regardless of either party’s failure to exercise reasonable care. In this case, the customer’s account agreement reduced the one-year reporting period to 14 days. The court held that the parties are permitted to vary the one-year period by agreement, and that the 14-day period is not manifestly unreasonable where the customer is a “corporate entity that either is financially sophisticated or has the resources to acquire professional guidance.” The court stressed that the same would not hold true where the customer is an unsophisticated small business or individual.
Eleventh Circuit Holds Custodian Bank Has No Duty To Police Securities Transactions By Customer’s Investment Advisor
On April 14, the U.S. Court of Appeals for the Eleventh Circuit held that a custodian bank had no duty under New York or Florida law to identify or alert a customer to fraudulent transactions directed by the customer’s investment advisor. Lamm v. State Street Bank & Trust, No. 12-15061, 2014 WL 1410172 (11th Cir. Apr. 14, 2014). A bank customer sued his bank for breach of contract, breach of fiduciary duty, negligence, and several other common law claims, alleging the bank had a duty to notify him that the securities held by the bank were worthless. The court determined that, although the bank held the assets and could execute certain administrative transactions without prior authorization, transactions beyond these administrative roles were carried out at the direction of the customer’s investment advisor. Accordingly the bank had no responsibility for supervising investments and assumed no liability for losses except those it caused through negligence or willful misconduct. The court held that the customer’s breach of contract and negligence claims failed because (i) the custody agreement provided the bank no decisionmaking role in investments; (ii) the bank had contractual authority to rely on the investment advisor’s instructions; and (iii) the customer failed to demonstrate that the bank had a duty to ensure the investment instruments were valid or to verify their market value. 
The court further held with regard to the customer’s other claims that (i) the fact that certain securities had facial defects does not raise a plausible inference that the bank knew of the investment advisor’s wrongdoing, and cannot support a claim for aiding and abetting fraud; (ii) the custody terms established an arm’s length agreement with limited obligations and did not establish special circumstances on which a fiduciary duty claim can be made; and (iii) the customer’s negligent misrepresentation claim failed because the customer did not establish that the bank intended to induce him to rely on its alleged representations as to the validity of his securities.
Comptroller Curry Addresses Senior Management’s AML Compliance Responsibilities, Criticizes “De-Risking”
On March 17, Comptroller of the Currency Thomas Curry reaffirmed his agency’s views with regard to BSA/AML compliance and the responsibilities of senior bank managers and boards of directors. Mr. Curry asserted that BSA infractions “can almost always be traced back to decisions and actions of the institution’s Board and senior management” and that the deficiencies underlying those infractions tend to involve failures in four areas: (i) the culture of compliance at the organization; (ii) the resources committed to BSA compliance; (iii) the strength of information technology and monitoring process; and (iv) the quality of risk management. Mr. Curry reported a recent positive trend, particularly at OCC-regulated large banks, which have increased spending and added BSA/AML compliance staff. He stated that such actions are one aspect of banks’ efforts to align “good compliance practices and the bank’s system of compensation and incentives.” The Comptroller criticized a separate trend of “de-risking”, in which banks avoid or end relationships with types of businesses deemed too risky. He warned that any business can be used for illicit purposes and “de-risking” is not a shortcut to circumvent a bank’s obligation to evaluate risk on an individual basis. He encouraged banks not to avoid high-risk businesses, but rather to apply stronger risk management and controls as necessary.
Federal Reserve Plans Regular Reporting On Bank Applications, Outlines Common Issues Resulting In Application Withdrawals
On February 24, the Federal Reserve Board announced in SR 14-2 that it will start publishing a semi-annual report to provide certain information on bank applications and notices filed with the Federal Reserve. The Board stated that the report will include statistics on the length of time taken to process various applications and notices and the overall volume of approvals, denials, and withdrawals. The report also will provide the primary reasons for withdrawals. The first report will be released in the second half of 2014 and will include filings acted on from January through June 2014. The letter also describes common issues identified by the Federal Reserve that have led to recent withdrawal of applications, including (i) less-than-satisfactory supervisory rating(s) for safety and soundness, consumer compliance, or CRA; (ii) inadequate compliance with the Bank Secrecy Act; and (iii) concerns regarding the financial condition or management of the proposed organization.
On January 30, in remarks to SIFMA’s AML and Financial Crimes Conference, FinCEN Director Jennifer Shasky Calvery stressed the importance of establishing a “culture of compliance” at financial institutions to support effective AML safeguards. The Director’s comments reinforce similar remarks made in recent months by both the Deputy U.S. Attorney General and Comptroller Curry. And like Comptroller Curry, Ms. Shasky Calvery highlighted the need for better information sharing not only within institutions but between institutions. FinCEN agrees with industry feedback that the agency needs to improve its own ability to share information. Also part of a broader theme among enforcement authorities, the Director explained that financial institutions should take responsibility when their actions violate the BSA, not only by admitting to the facts alleged by FinCEN but also by acknowledging a violation of the law. She highlighted specific risks in the securities sector including those related to the use of cash, and explained that securities firms that provide bank-like services need to consider the vulnerabilities associated with engaging in such services and must ensure that their compliance programs are commensurate with those risks.
Special Alert: Federal Reserve Board Guidance on Managing Outsourcing Risks Mirrors Recent OCC Guidance
On December 5, 2013, the Federal Reserve Board (FRB or the Fed) issued Supervision and Regulation Letter 13-19, which details and attaches the Fed’s Guidance on Managing Outsourcing Risk (FRB Guidance). The FRB Guidance sets forth risks arising out of the use of service providers and the regulatory expectations relating to risk management programs. It is substantially similar to OCC Bulletin 2013-29, which the Office of the Comptroller of the Currency (OCC) issued on October 30, 2013.
The FRB Guidance supplements existing guidance relating to risks presented by Technology Service Providers (TSPs) to reach service providers that perform a wide range of business functions, including, among other things, appraisal management, internal audit, human resources, sales and marketing, loan review, asset and wealth management, procurement, and loan servicing.
While a complete roadmap of the FRB Guidance would be largely duplicative of our recent Special Alert relating to the OCC Bulletin 2013-29, key supervisory and enforcement themes emerge from a comparison of the two guidance documents. Like the OCC, the Fed signals broadly that failure to effectively manage the use of third-party service providers could “expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation.” The Fed also emphasizes the responsibility of the Board of Directors and senior management to provide for the effective management of third-party relationships and activities. It enumerates virtually the same risk categories as the OCC, including compliance, concentration, reputational, operational, country, and legal risks, though its discussion of those risks is slightly less comprehensive.
The FRB Guidance makes clear that service provider risk management programs should focus on outsourced activities that are most impactful to the institution’s financial condition, are critical to ongoing operations, involve sensitive customer information, new products or services, or pose material compliance risk. While the elements comprising the service provider risk management program will vary with the nature of the financial institution’s outsourced activities, the Fed’s view is that effective programs usually will include the following:
On November 22, the CFPB released findings of a study the Bureau conducted on the impact of certain deposit regulations on the day-to-day operations of banking institutions, focusing on compliance costs related to checking accounts, traditional savings accounts, debit cards, and overdraft programs. The study collected information from seven banks about activities related to compliance with regulations implementing the Truth in Savings Act, the Electronic Fund Transfer Act, the financial privacy requirements of the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act (Regulations DD, E, P, and V, respectively), as well as FCRA’s adverse action requirements, which are not implemented by regulation. According to the Bureau, compliance costs were concentrated in the Operations, Information Technology, Human Resources, Compliance, and Retail functions, and banks incurred the most substantial costs complying with rules related to authorization rights, error resolution requirements, disclosure mandates, and advertising standards.
The report identifies the compliance-related activities that entailed the highest costs across business functions and suggests that “authorization rights” (i.e., opt-ins and opt-outs) and error-resolution requirements are the most costly to administer. The report also discusses the potential for the study—which the Bureau characterizes as representing “some of the most rigorous information currently available” on compliance costs—to advance research on the cost of compliance, influence the ultimate understanding of regulatory impacts on consumers and markets, and inform the CFPB’s ongoing efforts to avoid unnecessary compliance costs. The Bureau states that estimating the operational effects of consumer financial services regulation alone has “limited value to policymaking” and is mainly helpful in determining the impact of a specific regulation on product pricing and availability or market structure and competition. The Bureau concluded that research on the effects of regulations will remain an ongoing priority, but it will nevertheless continue to address problems observed in the marketplace — “mindful that, whatever the costs of regulation, the costs of not regulating adequately can be even larger.”
The full report, Understanding the Effects of Certain Deposit Regulations on Financial Institutions’ Operations: Findings on Relative Costs for Systems, Personnel, and Processes at Seven Institutions, is available here.
On November 18, at an American Bar Association/American Bankers Association conference on the Bank Secrecy Act/Anti-Money Laundering (BSA/AML), Deputy Attorney General (Deputy AG) James Cole challenged financial institutions’ compliance efforts and outlined the DOJ’s financial crimes enforcement approach. Noting that compliance within financial institutions is of particular concern to the DOJ, based in part on recent cases of “serious criminal conduct by bank employees,” the nation’s second highest ranking law enforcement official detailed DOJ’s approach to investigating and deciding in what manner to pursue potential violations. The Deputy AG included among his examples of serious misconduct recent BSA/AML, RMBS, mortgage False Claims Act, and LIBOR cases. He explained that the DOJ is particularly concerned about incentives that encourage excessive risk taking, and stated that “too many bank employees and supervisors value coming as close to the line as possible, or even crossing the line, as being ‘competitive’ or ‘aggressive.’”
On November 17, the Comptroller of the Currency, Thomas Curry, delivered remarks at the American Bar Association/American Bankers Association BSA/AML conference in which he identified common BSA/AML compliance risks and failures, and identified steps industry participants and regulators should take to improve compliance. The Comptroller explained that successful BSA/AML compliance is dependent not only on “the strength of the institution’s technology and monitoring processes, and the effectiveness of its risk management,” but also on strong corporate governance processes and management’s willingness to commit adequate resources. Comptroller Curry called on banks to commit sufficient resources and take a “holistic approach” toward BSA/AML compliance, for example, by dispersing accountability throughout the organization instead of concentrating compliance in a single unit. Noting that this is particularly important in the M&A context, the Comptroller stated that it is vital that due diligence go beyond a target’s credit portfolio to include a review of the target’s BSA/AML program. In addition to lack of compliance resources, the Comptroller identified as risk trends: (i) poor management of international activities—foreign correspondent banking, cross-border funds transfers, bulk cash repatriation, and embassy banking; (ii) third-party relationships and payment processors; and (iii) emerging payment technologies, including virtual currencies. 
He stressed the importance of information sharing among institutions and between institutions and their regulators, and called for (i) legislation that would encourage the filing of SARs by strengthening the statutory safe harbor from civil liability for filing financial institutions, (ii) broadening the Patriot Act safe harbor for institutions that share information with each other about potential crimes and suspicious transactions, and (iii) exploring ways government can provide more robust and granular information about money laundering schemes and typologies to institutions in a more timely way.
On November 20, the OCC announced in Bulletin 2013-34 that as part of its ongoing implementation of the Dodd-Frank Act’s mandate that the OCC integrate Office of Thrift Supervision (OTS) policies with existing OCC policies, the OCC is rescinding the OTS compliance documents listed in an appendix provided with the announcement. A second appendix lists OCC policy guidance that the OCC is applying to federal savings associations in cases where policy guidance did not already exist. The announcement does not cover OTS policies and guidance related to the FCRA, the CRA, UDAP, or mortgage regulations, which the OCC plans to address at a later date.
On November 12, the FDIC released the economic scenarios that will be used by certain financial institutions with total consolidated assets of more than $10 billion for stress tests required under the Dodd-Frank Act. Each scenario includes key variables that reflect economic activity, including unemployment, exchange rates, prices, income, interest rates, and other salient aspects of the economy and financial markets. The baseline scenario represents expectations of private sector economic forecasters; the adverse and severely adverse are hypothetical scenarios designed to assess the strength and resilience of financial institutions and their ability to continue to meet the credit needs of households and businesses under stressed economic conditions. The FDIC release follows the recent release of stress test scenarios by the Federal Reserve Board and the OCC. The Federal Reserve Board also recently issued a final policy statement that describes the process by which it will develop future stress test scenarios.