On December 16, the Conference of State Bank Supervisors (CSBS) announced its draft regulatory framework and requested public comment on specific questions intended to aid state regulators on the regulation of virtual currencies. The regulation of virtual currency activities currently varies from state to state. The draft framework is intended to create uniform state regulation. Comments are due by February 16, 2015.
On December 17, the OCC announced the release of its semiannual report on key risk areas affecting the federal banking system. Specifically regarding community and midsize banks, the report identifies areas where the OCC intends to heighten its supervisory attention including, but not limited to, corporate governance, operational risk, cyber risk, and compliance risk, specifically related to fair lending and BSA/AML. Other notable takeaways from the report include continued improvement in the overall financial condition of community and midsize banks. However, the report also indicated that smaller banks, due to increased competition for loan demand and low investment yields, continue to experience pressure on earnings.
On December 10, NY DFS Superintendent Benjamin Lawsky issued a bulletin to all New York state-chartered or licensed banking institutions regarding an updated IT examination process. Effective immediately, cybersecurity examinations will be included within the overall IT examination process. The DFS cybersecurity examinations will incorporate a number of new topics, including: (i) corporate governance; (ii) protections against intrusion, such as multi-factor or adaptive authentication, along with server and database configuration; (iii) information security testing and monitoring; and (iv) cybersecurity insurance coverage, along with other third-party protections. Ultimately, the new examination process will assess a bank’s cybersecurity protections, in addition to how it manages potential cyber risks and handles a cybersecurity attack.
On December 2, the FFIEC announced the release of its revised BSA/AML examination manual. The updated revisions address supervisory expectations and include regulatory changes since the manual’s last publication in 2010. Significantly modified sections of the examination include (i) Suspicious Activity Reporting, (ii) Currency Transaction Reporting, (iii) Foreign Bank and Financial Accounts Reporting, and (iv) Third-Party Payment Processors. The manual is available on the FFIEC BSA/AML InfoBase.
On July 24, Illinois Governor Pat Quinn signed HB 5342, which amends numerous provisions of state law applicable to state banks and credit unions, including requiring the Illinois Secretary of Financial and Professional Regulation to adopt formal rules that guarantee consistency and due process during the examination process of state-chartered banks. The bill also allows the Secretary to establish guidelines “that (i) define the scope of the examination process and (ii) clarify examination items to be resolved.” In addition, the bill provides that an existing loan secured by an interest in real estate shall not, under certain circumstances, require a new appraisal of the collateral during renewal, refinancing, or restructuring. The changes became effective immediately.
On July 23, the FDIC proposed a rule to revise its assessments regulation. Specifically, the FDIC proposes changing the ratios and ratio thresholds for capital evaluations used in its risk-based deposit insurance assessment system to conform the assessments to the prompt corrective action capital ratios and ratio thresholds adopted by the prudential regulators. The proposal also would (i) revise the assessment base calculation for custodial banks to conform to the asset risk weights adopted by the prudential regulations; and (ii) require all highly complex institutions to measure counterparty exposure for deposit insurance assessment purposes using the Basel III standardized approach credit equivalent amount for derivatives and the Basel III standardized approach exposure amount for other securities financing transactions. The FDIC explains the changes are intended to accommodate recent changes to the federal banking agencies’ capital rules that are referenced in portions of the assessments regulation. Comments are due by September 22, 2014.
On June 10, Comptroller Thomas Curry announced that the OCC’s Senior Deputy Comptroller for Bank Supervision Policy and Chief National Examiner John Lyons will retire from the agency on August 1 and will be succeeded by Jennifer Kelly. Ms. Kelly joined the OCC in 1979 and currently serves as Senior Deputy Comptroller for Midsize and Community Bank Supervision. Toney Bland will transition from Deputy Comptroller for the Northeastern District to replace Ms. Kelly as Senior Deputy Comptroller. Mr. Curry also announced the OCC will loan Senior Deputy Comptroller for Management and Chief Financial Officer Tom Bloom to NeighborWorks America to serve as its acting Chief Financial Officer, and described numerous additional staff changes related to Mr. Bloom’s temporary departure.
On May 28, the OCC announced “significant” changes to its large bank supervisory process and its large bank examination force. The OCC plans to “expand the organization, functions, and responsibilities of its large bank lead expert program to improve horizontal perspective and analysis, systemic risk identification, quality control and assurance, and resource prioritization.” The OCC also will establish a formal program under which large bank examiners will rotate to another large bank every five years in cities with multiple large banks. The changes come in response to an international peer review initiated by the OCC. The OCC released a summary of the supervision peer review recommendations and the OCC’s responses, which describe a number of other supervisory changes including, among others: (i) formalizing an enterprise risk management framework that will involve “developing a risk appetite statement, creating a decision-tree process, and enhancing the OCC’s existing National Risk Committee framework and processes”; and (ii) expanding an ongoing review of Matters Requiring Attention “to enhance and standardize MRA definitions, methods for communication, resolution processes, establish consistent tracking mechanisms, and develop a consistent examiner reference guide.” The OCC declined to implement other recommended changes, including, for example, creating more flexibility within the CAMELS rating system or developing potential alternatives to CAMELS.
On May 22, House Financial Services Committee Chairman Jeb Hensarling (R-TX) sent letters to the Federal Reserve Board, the OCC, the FDIC, and the NCUA asking the regulators to explain their use of “reputational risk,” and citing Operation Choke Point as an example of the potential for “reputation risk” to become “a pretext for the advancement of political objectives, which can potentially subvert both safety and soundness and the rule of law.” Congressman Hensarling asked each regulator to explain (i) whether it considers reputation risk in its supervision of depositories, and, if so, to explain the legal basis for such consideration and why it is appropriate; (ii) what data are used to analyze reputational risk and why such data are not already accounted for under CAMELS; and (iii) whether a poor reputation risk rating could be sufficient to warrant recommending a change in a depository’s business practices notwithstanding strong ratings under CAMELS.
On May 16, the OCC issued a final rule to integrate its interagency rules, which would combine, without any substantive amendments, rules related to consumer protection in insurance sales, BSA compliance, management interlocks, appraisals, disclosure and reporting of CRA-related agreements, and the FCRA. On May 21, the OCC issued a notice of proposed rulemaking to integrate the OCC’s licensing rules. The OCC states that for many of the licensing rules, the proposal incorporates the licensing provisions for federal savings associations into the existing national bank rule, but in other cases, the proposal includes separate rules for national banks and federal savings associations because the rules do not apply to both charters, are better organized as separate rules, or are difficult to integrate because of their differences and complexity. Some rules that would continue to apply only to national banks are revised to be consistent with the changes proposed for federal savings associations. The OCC also proposes substantive changes to certain licensing rules to “eliminate unnecessary requirements, promote fairness in supervision, and further the safe and sound operation of the institutions the OCC supervises.”
On May 22, the CFPB published its Spring 2014 Supervisory Highlights report, its fourth such report to date. In addition to reviewing recent guidance, rulemakings, and public enforcement actions, the report states that the CFPB’s nonpublic supervisory actions related to deposit products, consumer reporting, credit cards, and mortgage origination and servicing have yielded more than $70 million in remediation to over 775,000 consumers. The report also reiterates CFPB supervisory guidance with regard to oversight of third-party service providers and implementation of compliance management systems (CMS) to mitigate risk.
The report specifically highlights fair lending aspects of CMS, based on CFPB examiners’ observations that “financial institutions lack adequate policies and procedures for managing the fair lending risk that may arise when a lender makes exceptions to its established credit standards.” The CFPB acknowledges that credit exceptions are appropriate when based on a legitimate justification. In addition to reviewing fair lending aspects of CMS, the CFPB states lenders should also maintain adequate documentation and oversight to avoid increasing fair lending risk.
Nonbank Supervisory Findings
The majority of the report summarizes supervisory findings at nonbanks, particularly with regard to consumer reporting, debt collection, and short-term, small-dollar lending.
On May 14, Comptroller of the Currency Thomas Curry spoke to the Conference of State Bank Supervisors, urging state regulators to, among other things, avoid regulatory capture and ensure balanced supervision of nonbanks and banks. Mr. Curry stated that “[r]egulatory capture is a real threat” to federal and state banking agencies and the system more broadly, and that regulators should never employ chartering authority to compete for “market share.” He also cautioned about the potential rise of the “shadow banking system”—the shift of assets from regulated depository institutions to less-regulated, non-depository institutions—as bank regulators become more rigorous in pursuing enhanced safety and soundness and consumer protection at depository institutions. He specifically identified the transfer of mortgage servicing rights as an example of that shift of assets, which “could carry with it the seeds for the next financial crisis.” He called on state regulators to make nonbank supervision, including with regard to mortgage servicing, a top priority.
On May 6, New York Governor Andrew Cuomo released a report on bank cybersecurity preparedness and directed the New York State Department of Financial Services (DFS) to conduct targeted cybersecurity preparedness assessments of the DFS-regulated banks. The DFS is revising its examination procedures to add questions to assess IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery. DFS plans to release additional details about the timing and content of these examination procedures in the coming weeks. The report follows a year-long survey of 154 DFS-regulated banks, which revealed that “most institutions experienced intrusions or attempted intrusions into their IT systems over the past three years.” The review revealed that third-party payment processor breaches were reported by 18% and 15% of small and large institutions, respectively, and that large institutions also cited mobile banking exploitation, ATM skimming/point-of-sale schemes, and insider access breaches. Last year, the DFS announced a similar inquiry into cyber preparedness at insurance companies it regulates.
On May 8, the Federal Reserve Board released a proposed rule that would prohibit certain financial companies from combining with another company if the resulting financial company’s liabilities would exceed 10% of the aggregate consolidated liabilities of all financial companies. The rule is required by section 622 of the Dodd-Frank Act and would apply to insured depository institutions, bank holding companies, savings and loan holding companies, foreign banking organizations, companies that control insured depository institutions, and nonbank financial companies subject to Federal Reserve Board supervision pursuant to FSOC designation. The proposal generally defines liabilities of a financial institution as the difference between its risk-weighted assets, as adjusted to reflect exposures deducted from regulatory capital, and its total regulatory capital, though firms not subject to consolidated risk-based capital rules would measure liabilities using generally accepted accounting standards. Under the proposal, the Board would measure and disclose the aggregate liabilities of financial companies annually, and would calculate aggregate liabilities as a two-year average. Comments on the proposal are due by July 8, 2014.
On May 1, the Conference of State Bank Supervisors (CSBS) published its 2013 annual report, which aggregates and reviews the organization’s activities in the prior year, identifies future goals for the organization, and outlines specific priorities for 2014. Those priorities include, among others, continuing to coordinate with federal regulators on cybersecurity and with the CFPB on complaint sharing. The report also includes more detailed reports on past and future activities by various CSBS divisions and boards, including a report from the Policy and Supervision Division that reviews the CSBS’s legislative and regulatory policy positions, and its bank supervision and consumer protection and non-bank supervision activities.