On September 9, the FFIEC updated its Information Security booklet, a key element of its Information Technology Examination Handbook. The booklet is intended to provide examiners with guidance on assessing a financial institution’s information security operations, and is divided into the following four main sections: (i) Governance of the Information Security Program; (ii) Information Security Program Management; (iii) Security Operations; and (iv) Information Security Program Effectiveness. In addition to offering technology-centric recommendations such as encryption, the booklet advises firms to create security processes and risk assessments “commensurate with their operational complexities.” It also advises financial institutions to “have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” As expected, the booklet highlights the importance of implementing effective oversight of third-party service providers. Pursuant to sub-section II.C.20, in order to ensure effective oversight of third-party service providers, management should, among other things, determine when third parties identify, measure, mitigate, monitor, and report cyber risks so as to “facilitate a comprehensive understanding of the institution’s exposure to third-party cyber threats.”
In a press release on November 18, the Fed announced revised post-employment restrictions that more than double the number of senior staff examiners barred from leaving a Federal Reserve Bank and going right to work for a bank they had supervised. By law, senior bank examiners are prohibited for one year from accepting paid work from a financial institution that they had primary responsibility for examining in their last year of Reserve Bank employment. This post-employment restriction has previously applied only to central points of contact (CPCs) at firms with more than $10 billion in assets. The revised policy expands this post-employment restriction to deputy CPCs, senior supervisory officers (SSOs), deputy SSOs, enterprise risk officers, and supervisory team leaders, which has the effect of more than doubling the number of senior examiners covered. The policy—which takes effect January 2, 2017—does not apply to senior examiners responsible for multiple unaffiliated banks.
In addition, another new Fed policy prohibits former Fed Bank officers from representing financial institutions and other third parties in matters before the Fed for one year after leaving their Federal Reserve position. This policy takes effect on December 5.
On July 29, the FDIC issued FIL-51-2016 to remind and encourage bank management to maintain open communications with FDIC personnel regarding supervisory findings. FIL-51-2016 is a re-issuance of and update to the March 1, 2011 FIL-13-2011, and emphasizes that “open dialogue with bank management is critical to ensuring the supervisory process is effective in promoting an institution’s strong financial condition and safe-and-sound operation.” If an institution has concerns about FDIC examination findings, the letter advises the institution to (i) discuss the issues with the FDIC examiner-in-charge, or contact the field or regional office representative; (ii) utilize the FDIC’s formal appeals process for material supervisory determinations; or (iii) contact the FDIC Office of the Ombudsman for “confidential, neutral, and independent” information and assistance if disagreements were not resolved informally at the Division-level. According to the letter, FDIC policy prohibits any retaliation, abuse, or retribution by any FDIC examiner or other personnel against an institution. The letter further emphasizes that “[s]uch behavior against an institution constitutes unprofessional conduct and will subject the examiner or other personnel to appropriate disciplinary or remedial action.”
On July 29, the OCC released the “Corporate and Risk Governance” booklet to update, consolidate, and rescind various booklets in the Comptroller’s Handbook. The new booklet is intended to provide examiners with a summary of corporate and risk governance, related risks, the board’s and management’s respective roles and responsibilities in corporate and risk governance, and examination procedures. The new booklet identifies the following as the primary risk categories associated with corporate and risk governance: (i) strategic; (ii) reputation; (iii) compliance; and (iv) operational. The booklet advises banks to maintain corporate and risk governance structures and practices that align with their changes in size, risk profile, and complexity. According to the booklet, an effective corporate and risk governance framework is key to the safe and sound operation of a financial institution and stimulates public confidence in the financial system.
On June 30, the CFPB released its twelfth edition of Supervisory Highlights providing supervisory observations from its examiners in the areas of auto origination, debt collection, mortgage origination, small-dollar lending, and fair lending. In the area of auto origination, examiners determined that one or more institutions engaged in deceptive advertising practices related to the benefits of gap coverage products and the effects of payment deferrals, and failed to implement adequate compliance management systems. In the area of debt collection, examiners found that debt sellers sold thousands of debts that were unsuitable for sale because: (i) the accounts were in bankruptcy; (ii) the debts were the product of fraud; or (iii) the accounts had been paid in full. CFPB examiners further observed violations of the Fair Debt Collection Practices Act (FDCPA), determining that at least one collector falsely represented to consumers that a down payment was necessary in order to establish a repayment arrangement, when no such down payment was required by the collectors’ policies and procedures. For mortgage origination, CFPB examiners focused on compliance with provisions of CFPB’s Title XIV rules, the Truth in Lending Act (TILA), as implemented by Regulation Z, and the Real Estate Settlement Procedures Act (RESPA), as implemented by Regulation X, disclosure provisions, and other applicable consumer financial laws.