On November 4, Federal Reserve Chair Janet Yellen testified before the House Committee on Financial Services. The topic of Chair Yellen’s testimony was “the lessons of the financial crisis and how we have transformed our regulatory and supervisory approach.” She explained that, prior to the crisis, the Fed’s “primary goal was to ensure the safety and soundness of individual financial institutions” and that, since the crisis, the Fed’s aim has been to regulate and supervise “in a manner that promotes the stability of the financial system as a whole.” Yellen went on to explain that the regulatory approaches adopted to address both large financial institutions and companies and community banks have been different. According to Yellen, with respect to the large financial institutions, the Fed’s approach is “oriented toward both the safety and soundness of the individual firms, and the stability of the financial system as a whole.” With respect to community banks, Chair Yellen noted that the Fed’s supervisory approach is risk based: “[i]n supervising these institutions, we follow a risk-focused approach that aims to target examination resources to higher-risk areas of each bank’s operations and to ensure that banks maintain risk-management capabilities appropriate to their size and complexity.”
On November 9, the New York DFS sent a letter to federal regulators and other interested parties, including the CFPB, Federal Reserve Board, and the OCC, regarding potential new regulations aimed at increasing cybersecurity efforts within the financial sector. The letter references recent DFS reports that covered key findings from surveys given to regulated banking organizations on their cybersecurity programs, costs, and future plans. The reports raised the following concerns: (i) the speed of technological change and the increasingly sophisticated nature of threats; (ii) third-party service providers tend to have access to sensitive information and companies’ IT systems, providing potential hackers with a point of entry; and (iii) the “scale and breadth of the most recent breaches and incidents.” In light of these concerns, the DFS asserts that it would be beneficial to coordinate with state and federal regulators to “develop a comprehensive [cybersecurity] framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.” According to the letter, the DFS expects to propose regulations requiring entities to set specific requirements in areas such as: (i) cybersecurity policies and procedures; (ii) third-party service provider management; (iii) cybersecurity personnel and intelligence, including implementing mandatory cybersecurity training programs; and (iv) notice of cybersecurity breaches.
U.S. House of Representatives Passes Several Financial Regulatory Relief Bills, Including TRID Safe Harbor
On October 7, the U.S. House of Representatives (U.S. House) passed several pieces of bipartisan legislation aimed at providing regulatory relief to lenders and strengthening consumer protection. This legislation included H.R. 3192, the Homebuyers Assistance Act, which was approved by a 303-121 vote and seeks to provide a formal four-month safe harbor for lenders who in “good faith” work to comply with the CFPB’s new TRID Rule, which went into effect on October 3. The U.S. House also unanimously approved H.R. 1553, the Small Bank Exam Cycle Reform Act, and H.R. 1839, the Reforming Access for Investments in Startup Enterprises (RAISE) Act. The Small Bank Exam Cycle Reform Act would allow well-managed banks with assets under $1 billion to qualify for an 18-month examination cycle, rather than the current 12-month cycle. The RAISE Act is intended to promote a liquid secondary market for shareholders seeking to sell private securities and encourage startups and private companies to raise capital to grow their businesses. This legislation will now go to the U.S. Senate for consideration.
On September 28, the Federal Reserve, the FDIC, and the OCC announced that the latest outreach meeting under the Economic Growth and Regulatory Paperwork Reduction Act (EGRPRA) will be held on October 10 in Chicago, Illinois. The meeting will feature panel presentations from industry insiders and consumer advocates. Senior officials from the Federal Reserve, OCC, and FDIC are also scheduled to attend. This meeting will be the fifth of six outreach meetings focused on identifying outdated or burdensome regulatory requirements imposed on financial institutions. The sixth and final meeting is expected to take place on December 2 in Washington, D.C. Previous InfoBytes coverage on EGRPRA can be found here.
On July 16, 2015, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) launched the first in a new series of monthly complaint reports highlighting key trends from consumer complaints submitted to the CFPB. Importantly, its monthly report provides significant detail on the complaints the CFPB has received, including the names of the companies that received the largest number of complaints.
Currently, the most-complained-about companies are also the largest bank and nonbank financial institutions in the country. Since these institutions have the highest numbers of customers, it is only natural that they have received the highest number of complaints. On the same day as the monthly report’s release, CFPB Director Richard Cordray provided remarks at an Americans for Financial Reform event in Washington, D.C. Director Cordray noted that in future monthly reports, the CFPB hopes to “normalize” its consumer complaint data by accounting for financial institutions’ respective size and volume. To that end, the CFPB issued a Request for Information seeking input on ways to enable the public to more easily understand company-level complaint information and make comparisons. The comment period closes August 31, 2015.
As previously covered in InfoBytes, on June 30, the FFIEC released a Cybersecurity Assessment Tool (Assessment) to provide a “repeatable and measurable process” for financial institutions to measure their cybersecurity readiness. The Assessment aims to help financial institutions determine their cybersecurity preparedness and make informed decisions regarding their risk management practices. In addition to the Assessment, the FFIEC also released an executive overview, a user’s guide, a pre-recorded webinar, a glossary of terms, and appendices to assist financial institutions in understanding supervisory expectations, increasing awareness of cybersecurity risks, and assessing and mitigating the threats facing their institutions. As an interagency body representing the Fed, FDIC, OCC, CFPB, and the NCUA, the FFIEC prescribes uniform principles, standards, and reporting forms for the federal examination of financial institutions, and makes recommendations to promote uniformity in the supervision of financial institutions.
OCC Releases Semiannual Report Highlighting Key Risks Facing National Banks and Federal Savings Associations
Today, the OCC announced the release of its semiannual report, Semiannual Risk Perspective for Spring 2015, highlighting key risk areas affecting national banks and federal savings associations. Based on 2014 year-end data, the report identifies issues that pose a potential threat to the safety and soundness of banks and thrifts. It also sets forth the OCC’s supervisory priorities for the next 12 months, including, among others, (i) cybersecurity awareness and preventative controls, (ii) Bank Secrecy Act/Anti-Money Laundering compliance, (iii) fair access to credit, and (iv) underwriting practices, particularly with respect to leveraged loans, indirect auto lending, HELOCs, and credit related to the oil and gas sector. The report also notes declining revenues and profitability overall in OCC-supervised institutions.
On June 23, the Board of Governors announced the execution of an enforcement action against a California-based community bank over BSA/AML deficiencies. According to the Cease and Desist Order, the deficiencies were identified by the Federal Reserve Bank of San Francisco and the California Department of Business Oversight. The Order directs the Bank to submit written plans outlining its efforts to strengthen its BSA/AML risk management program, including customer due-diligence and suspicious activity monitoring and reporting policies and procedures. In addition, the Bank must retain an independent third party to conduct a review of account and transaction activity affiliated with any high-risk customer and foreign branch accounts conducted at, by, or through the Bank from July 2014 through December 2014. No civil money penalty was imposed on the Bank.
Recently, the Federal Reserve submitted to Congress its 2015 Annual Performance Plan, which sets forth the Board’s planned projects, initiatives, and activities for the upcoming year. The Plan, which complements the Federal Reserve’s Strategic Framework 2012-15, outlines planned activities in the following six areas aimed at assisting the Board in meeting its strategic framework’s long-term objectives: (i) supervision, regulation, and monitoring risks to financial stability; (ii) data governance; (iii) facilities infrastructure; (iv) human capital; (v) management process; and (vi) cost reduction and budgetary growth. Among its initiatives, the Board aims to continue building an interdisciplinary infrastructure for supervision, regulation, and monitoring of risks to financial stability. In addition, the Board’s staff plans to develop “analytical tools” that enhance the Board’s understanding of evolving market structures and practices, including changes in risk-management practices and incentives for financial institutions to appropriately manage risk exposures. With respect to the supervision of individual institutions, the report highlights the Board’s intent to develop supervisory approaches for community and regional banks, as well as for savings and loan holding companies, that “identify and support taking action against early warning indicators of outlier risk.”
On June 1, a Boston-based international financial services holding company and its banking subsidiary agreed to address deficiencies in how they manage compliance risks with respect to their BSA/AML compliance program. The Agreement, entered into with the Federal Reserve Bank of Boston and the Massachusetts Division of Banks, requires both entities to submit a written plan outlining their efforts to improve their compliance with OFAC and internal controls, customer due-diligence procedures, and suspicious activity monitoring and reporting, among other things. In addition, the banking subsidiary must hire an independent third-party to review account and transaction activity during a specified period to ensure suspicious activity was properly identified and reported.
In a separate enforcement action, the Federal Reserve Bank of Chicago entered into an agreement on May 26 with an Illinois-based financial services company, requiring the parent company and its banking subsidiary to, among other things, submit written plans to (i) strengthen its BSA/AML compliance risk management program; and (ii) “ensure the identification and timely, accurate, and complete reporting of suspicious transactions to the appropriate law enforcement and supervisory [banking] authorities.” No civil money penalties were imposed in either enforcement action.
On April 27, the Conference of State Bank Supervisors (CSBS) announced that three working groups of state regulators – the State Coordinating Committee (SCC), the Multi-State Mortgage Committee (MMC), and the Multi-State MSB Examination Task Force (MMET) – issued annual reports to state regulators regarding their 2014 operations and progress. The SCC is responsible for information sharing and examination work with the CFPB; its report outlines the two agencies’ 9 joint examinations. The MMC – established as the “oversight body for multi-state mortgage supervision” in 2008 – is responsible for coordinated, multi-state mortgage exams, and its report covers the 6 joint mortgage examinations conducted with the CFPB in 2014. Finally, the MMET supervises the money services businesses; its report highlights 57 examinations conducted jointly with the CFPB in 2014.
On April 14, the OCC issued the “Real Estate Settlement Procedures Act” booklet as part of the Comptroller’s Handbook, which is prepared for use by OCC examiners in connection with their examination and supervision of national banks and federal savings associations (collectively, “banks”). The revised booklet, which replaces a similarly titled booklet issued in October 2011, reflects updated guidance relating to mortgage servicing and loss mitigation procedures resulting from the multiple amendments made to Regulation X over the past several years. Notable revisions reflected in the revised booklet include: (i) the transfer of rulemaking authority for Regulation X from HUD to the CFPB; (ii) new requirements relating to mortgage servicing; (iii) new loss mitigation procedures; (iv) prohibitions against certain acts and practices by servicers of federally related mortgage loans with regard to responding to borrower assertions of error and requests for information; and (v) updated examination procedures for determining compliance with the new servicing and loss mitigation rules. The OCC notified its applicable supervised financial institutions of the changes affecting all banks that engage in residential mortgage lending activities by distributing OCC Bulletin 2015-25.
On March 23, OCC Comptroller Curry delivered remarks at the ABA Mutual Community Bank Conference regarding the agency’s supervision of mutual savings associations and community banks. Curry focused on the agency’s ongoing efforts to assist smaller financial institutions, specifically by reducing some of the unnecessary burden placed on them. Curry outlined three areas in which the agency is urging Congress to take action to reduce burdensome regulation: (i) raising the asset threshold requirement for the 18-month examination cycle from $500 million to $750 million; (ii) exempting community banks from the Volcker Rule requirement; and (iii) making it “easier for thrifts to expand their business model without changing their governance structure.” In addition to recommending actions to Congress, the OCC continues to hold OCC Mutual Savings Association Advisory Committee meetings and support collaboration among community banks to further ensure that smaller institutions can continue to serve their communities.
On March 23, the Federal Reserve and the Office of the Comptroller of the Currency – both non-parties in the suit – filed briefs requesting that a district court reject a motion to compel discovery of over 30,000 documents held by a large bank. Arguing that the documents contain confidential supervisory information, the regulators asserted the bank examination privilege – “a qualified privilege that protects communications between banks and their examiners in order to preserve absolute candor essential to the effective supervision of banks.” As for scope, the regulators argued that the privilege covers the documents because they provide agency opinion, not merely fact, and that any factual information was nonetheless “inextricably linked” with their opinions. Additionally, they contended that the privilege is not strictly limited to communications from the regulator to the bank – instead, it may also cover communications made from the bank to the regulator and communications within the bank. As for procedure, the regulators claimed that a plaintiff is required to request the disclosure of privileged documents through administrative processes before seeking judicial relief, a requirement they contend exists even where a defendant bank also holds copies of the documents. Finally, the regulators argued in the alternative that the lead plaintiff has not shown good cause to override the qualified privilege, as the interests of the government in protecting the supervisory information outweigh the interest of the plaintiffs in production.
On March 17, the FFIEC released a summary of its cybersecurity priorities for the remainder of 2015. The FFIEC intends to enhance its cybersecurity preparedness in seven main ways: (i) issuing a cybersecurity self-assessment tool that will help institutions to evaluate cybersecurity risk and risk management capabilities; (ii) improving council members’ process for “gathering, analyzing, and sharing information with each other during cyber incidents;” (iii) ensuring that test emergency protocols are set to respond to all cyber incidents in coordination with public-private partnerships; (iv) establishing training programs on developing cyber threats and vulnerabilities; (v) updating the Information Technology Examination Handbook; (vi) increasing focus on technology service providers’ ability to respond to cyber threats; and (vii) collaborating and sharing information with law enforcement and intelligence agencies. The seven action items derive from the FFIEC’s 2014 pilot assessment of cybersecurity readiness at over 500 financial institutions.