As previously covered in InfoBytes, on June 30, the FFIEC released a Cybersecurity Assessment Tool (Assessment) to provide a “repeatable and measurable process” for financial institutions to measure their cybersecurity readiness. The Assessment aims to help financial institutions determine their cybersecurity preparedness and make informed decisions regarding their risk management practices. In addition to the Assessment, the FFIEC also released an executive overview, a user’s guide, a pre-recorded webinar, a glossary of terms, and appendices to assist financial institutions in understanding supervisory expectations, increasing awareness of cybersecurity risks, and assessing and mitigating the threats facing their institutions. As an interagency body representing the Fed, FDIC, OCC, CFPB, and the NCUA, the FFIEC prescribes uniform principles, standards, and reporting forms for the federal examination of financial institutions, and makes recommendations to promote uniformity in the supervision of financial institutions.
On July 16, 2015, the Consumer Financial Protection Bureau (“CFPB” or “Bureau”) launched the first in a new series of monthly complaint reports highlighting key trends from consumer complaints submitted to the CFPB. Importantly, its monthly report provides significant detail on the complaints the CFPB has received, including the names of the companies that received the largest number of complaints.
Currently, the most-complained-about companies are also the largest bank and nonbank financial institutions in the country. Since these institutions have the highest numbers of customers, it is only natural that they have received the highest number of complaints. On the same day as the monthly report’s release, CFPB Director Richard Cordray provided remarks at an Americans for Financial Reform event in Washington, D.C. Director Cordray noted that in future monthly reports, the CFPB hopes to “normalize” its consumer complaint data by accounting for financial institutions’ respective size and volume. To that end, the CFPB issued a Request for Information seeking input on ways to enable the public to more easily understand company-level complaint information and make comparisons. The comment period closes August 31, 2015.
OCC Releases Semiannual Report Highlighting Key Risks Facing National Banks and Federal Savings Associations
Today, the OCC announced the release of its semiannual report, Semiannual Risk Perspective for Spring 2015, highlighting key risk areas affecting national banks and federal savings associations. Based on 2014 year-end data, the report identifies issues that pose a potential threat to the safety and soundness of banks and thrifts. It also sets forth the OCC’s supervisory priorities for the next 12 months, including, among others, (i) cybersecurity awareness and preventative controls, (ii) Bank Secrecy Act/Anti-Money Laundering compliance, (iii) fair access to credit, and (iv) underwriting practices, particularly with respect to leveraged loans, indirect auto lending, HELOCs, and credit related to the oil and gas sector. The report also notes declining revenues and profitability overall in OCC-supervised institutions.
On June 23, the Board of Governors announced the execution of an enforcement action against a California-based community bank over BSA/AML deficiencies. According to the Cease and Desist Order, the deficiencies were identified by the Federal Reserve Bank of San Francisco and the California Department of Business Oversight. The Order directs the Bank to submit written plans outlining its efforts to strengthen its BSA/AML risk management program, including customer due-diligence and suspicious activity monitoring and reporting policies and procedures. In addition, the Bank must retain an independent third party to conduct a review of account and transaction activity affiliated with any high-risk customer and foreign branch accounts conducted at, by, or through the Bank from July 2014 through December 2014. No civil money penalty was imposed on the Bank.
Recently, the Federal Reserve submitted to Congress its 2015 Annual Performance Plan, which sets forth the Board’s planned projects, initiatives, and activities for the upcoming year. The Plan, which complements the Federal Reserve’s Strategic Framework 2012-15, outlines planned activities in the following six areas aimed at assisting the Board in meeting its strategic framework’s long-term objectives: (i) supervision, regulation, and monitoring risks to financial stability; (ii) data governance; (iii) facilities infrastructure; (iv) human capital; (v) management process; and (vi) cost reduction and budgetary growth. Among its initiatives, the Board aims to continue building an interdisciplinary infrastructure for supervision, regulation, and monitoring of risks to financial stability. In addition, the Board’s staff plans to develop “analytical tools” that enhance the Board’s understanding of evolving market structures and practices, including changes in risk-management practices and incentives for financial institutions to appropriately manage risk exposures. With respect to the supervision of individual institutions, the report highlights the Board’s intent to develop supervisory approaches for community and regional banks, as well as for savings and loan holding companies, that “identify and support taking action against early warning indicators of outlier risk.”
On June 1, a Boston-based international financial services holding company and its banking subsidiary agreed to address deficiencies in how they manage compliance risks with respect to their BSA/AML compliance program. The Agreement, entered into with the Federal Reserve Bank of Boston and the Massachusetts Division of Banks, requires both entities to submit a written plan outlining their efforts to improve their compliance with OFAC and internal controls, customer due-diligence procedures, and suspicious activity monitoring and reporting, among other things. In addition, the banking subsidiary must hire an independent third-party to review account and transaction activity during a specified period to ensure suspicious activity was properly identified and reported.
In a separate enforcement action, the Federal Reserve Bank of Chicago entered into an agreement on May 26 with an Illinois-based financial services company, requiring the parent company and its banking subsidiary to, among other things, submit written plans to (i) strengthen its BSA/AML compliance risk management program; and (ii) “ensure the identification and timely, accurate, and complete reporting of suspicious transactions to the appropriate law enforcement and supervisory [banking] authorities.” No civil money penalties were imposed in either enforcement action.
On April 27, the Conference of State Bank Supervisors (CSBS) announced that three working groups of state regulators – the State Coordinating Committee (SCC), the Multi-State Mortgage Committee (MMC), and the Multi-State MSB Examination Task Force (MMET) – issued annual reports to state regulators regarding their 2014 operations and progress. Responsible for information sharing and examination work with the CFPB, the SCC report outlines the two agencies’ 9 joint examinations. The MMC – established as the “oversight body for multi-state mortgage supervision” in 2008 – is responsible for coordinated, multi-state mortgage exams, and its report covers the 6 joint mortgage examinations conducted with the CFPB in 2014. Finally, the MMET supervises the money services businesses; its report highlights 57 examinations conducted jointly with the CFPB in 2014.
On April 14, the OCC issued the “Real Estate Settlement Procedures Act” booklet as part of the Comptroller’s Handbook, which is prepared for use by OCC examiners in connection with their examination and supervision of national banks and federal savings associations (collectively, “banks”). The revised booklet, which replaces a similarly titled booklet issued in October 2011, reflects updated guidance relating to mortgage servicing and loss mitigation procedures resulting from the multiple amendments made to Regulation X over the past several years. Notable revisions reflected in the revised booklet include: (i) the transfer of rulemaking authority for Regulation X from HUD to the CFPB; (ii) new requirements relating to mortgage servicing; (iii) new loss mitigation procedures; (iv) prohibitions against certain acts and practices by servicers of federally related mortgage loans with regard to responding to borrower assertions of error and requests for information; and (v) updated examination procedures for determining compliance with the new servicing and loss mitigation rules. The OCC notified its applicable supervised financial institutions of the changes affecting all banks that engage in residential mortgage lending activities by distributing OCC Bulletin 2015-25.
On March 23, OCC Comptroller Curry delivered remarks at the ABA Mutual Community Bank Conference regarding the agency’s supervision of mutual savings associations and community banks. Curry focused on the agency’s ongoing efforts to assist smaller financial institutions, specifically by reducing some of the unnecessary burden placed on them. Curry outlined three areas in which the agency is urging Congress to take action to reduce burdensome regulation: (i) raising the asset threshold requirement for the 18-month examination cycle from $500 million to $750 million; (ii) exempting community banks from the Volcker Rule requirement; and (iii) making it “easier for thrifts to expand their business model without changing their governance structure.” In addition to recommending actions to Congress, the OCC continues to hold OCC Mutual Savings Association Advisory Committee meetings and support collaboration among community banks to further ensure that smaller institutions can continue to serve their communities.
On March 23, the Federal Reserve and the Office of the Comptroller of the Currency – both non-parties in the suit – filed briefs requesting that a district court reject a motion to compel discovery of over 30,000 documents held by a large bank. Arguing that the documents contain confidential supervisory information, the regulators asserted the bank examination privilege – “a qualified privilege that protects communications between banks and their examiners in order to preserve absolute candor essential to the effective supervision of banks.” As for scope, the regulators argued that the privilege covers the documents because they provide agency opinion, not merely fact, and that any factual information was nonetheless “inextricably linked” with their opinions. Additionally, they contended that the privilege is not strictly limited to communications from the regulator to the bank – instead, it may also cover communications made from the bank to the regulator and communications within the bank. As for procedure, the regulators claimed that a plaintiff is required to request the disclosure of privileged documents through administrative processes before seeking judicial relief, a requirement they contend exists even where a defendant bank also holds copies of the documents. Finally, the regulators argued in the alternative that the lead plaintiff has not shown good cause to override the qualified privilege, as the interests of the government in protecting the supervisory information outweigh the interest of the plaintiffs in production.
On March 17, the FFIEC released a summary of its cybersecurity priorities for the remainder of 2015. The FFIEC intends to enhance its cybersecurity preparedness in seven main ways: (i) issuing a cybersecurity self-assessment tool that will help institutions to evaluate cybersecurity risk and risk management capabilities; (ii) improving council members’ process for “gathering, analyzing, and sharing information with each other during cyber incidents;” (iii) ensuring that test emergency protocols are set to respond to all cyber incidents in coordination with public-private partnerships; (iv) establishing training programs on developing cyber threats and vulnerabilities; (v) updating the Information Technology Examination Handbook; (vi) increasing focus on technology service providers’ ability to respond to cyber threats; and (vii) collaborating and sharing information with law enforcement and intelligence agencies. The seven action items derive from the FFIEC’s 2014 pilot assessment of cybersecurity readiness at over 500 financial institutions.
On March 16, the Federal Reserve Board issued a proposal seeking public comment that would require all banking organizations with existing Legal Entity Identifiers (LEIs) to report their respective LEIs on regulatory reporting forms beginning June 30, 2015. Because an LEI is unique to a single legal entity, requiring disclosure of the LEI would enable regulators to facilitate information sharing and coordination on domestic financial policy, rulemaking, examination, reporting requirements, and enforcement actions.
CFPB Releases Winter Issue of Supervisory Highlights, Schedules Date for Field Hearing on Payday Lending
On March 11, the CFPB released its seventh issuance of Supervisory Highlights, which highlights the CFPB’s supervision work completed between July 2014 and December 2014, detailing examination findings and observations in consumer reporting, debt collection, deposits, mortgage origination, and fair lending examinations. The winter issue also reveals that recent supervisory resolutions reached in the areas of payday lending, mortgage servicing, and mortgage origination have resulted in remediation of approximately $19.4 million to more than 92,000 consumers during the time reported. Other notable information included within the report is the addition of Credit Card Account Management examination procedures to the CFPB’s Supervision and Examination Manual. In a separate announcement, the CFPB also announced it will host a field hearing on payday lending, scheduled for Thursday, March 26 in Richmond, VA.
Special Alert Update: OCC Revises Guidance Regarding Consumer Protection Requirements to Overdraft Lines and Protection Services
On March 6, 2015, the OCC issued its revised “Deposit-Related Credit” booklet (“DRC booklet”) of the Comptroller’s Handbook, which replaced the “Deposit-Related Consumer Credit” booklet issued on February 11, 2015 (previously covered in this Special Alert). While the new booklet covers the same products – check credit (overdraft lines of credit, cash reserves, and special drafts), overdraft protection services, and deposit advances – the OCC made significant amendments to scale back the provisions of the prior version. Specifically, the new DRC booklet no longer contains supervisory principles that could be read to require that banks provide substantive consumer protections that are not currently required by the applicable consumer protection regulations. For example, the DRC booklet no longer requires that banks:
- only enroll customers into an overdraft protection service if they have affirmatively requested that product;
- ensure the ability to repay for all applicants enrolled in an overdraft protection service; and
- ensure that any fees charged in connection with an overdraft protection service are reasonably related to the program’s costs and associated risks.
In making these changes, the OCC requires supervisors to assess DRC products more in line with existing consumer protection laws. The OCC states as much in OCC Bulletin 2015-17, which announced the DRC booklet. There, the OCC acknowledges that the DRC booklet “is intended as a summary restatement of existing laws, regulations, and policies [and] … [n]othing in this booklet should be interpreted as changing existing OCC policy.”
On March 3, Federal Reserve Chair Janet Yellen delivered remarks to the Citizens Budget Commission regarding actions that the Federal Reserve has taken to strengthen its supervision of large financial institutions in the wake of the recent financial crisis. In her remarks, Chairwoman Yellen highlighted five regulatory changes, including (i) higher capital standards, (ii) higher liquidity requirements, (iii) implementation of stress tests, (iv) required submission of living wills, and (v) in cooperation with the FSOC, the Fed’s enhanced authority to promote the resiliency and stability of the financial system in addition to the safety and soundness of individual institutions.