FFIEC Revises Information Security Booklet

On September 9, the FFIEC updated its Information Security booklet, a key element of its Information Technology Examination Handbook. The booklet is intended to provide examiners with guidance on assessing a financial institution’s information security operations, and is divided into the following four main sections: (i) Governance of the Information Security Program; (ii) Information Security Program Management; (iii) Security Operations; and (iv) Information Security Program Effectiveness. In addition to offering technology-centric recommendations such as encryption, the booklet advises firms to create security processes and risk assessment “commensurate with their operational complexities.” It also advises financial institutions to “have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” As expected, the booklet highlights the importance of implementing effective oversight of third-party service providers. Pursuant to sub-section II.C.20, in order to ensure effective oversight of third-party service providers, management should, among other things, determine when third-parties identify, measure, mitigate, monitor, and report cyber risks so as to “facilitate a comprehensive understanding of the institution’s exposure to third-party cyber threats.”


FDIC Advises Bank Management to Maintain Ongoing Communication with Examination Staff

On July 29, the FDIC issued FIL-51-2016 to remind and encourage bank management to maintain open communications with FDIC personnel regarding supervisory findings. FIL-51-2016 is a re-issuance of and update to the March 1, 2011 FIL-13-2011, and emphasizes that “open dialogue with bank management is critical to ensuring the supervisory process is effective in promoting an institution’s strong financial condition and safe-and-sound operation.” If an institution has concerns about FDIC examination findings, the letter advises the institution to (i) discuss the issues with the FDIC examiner-in-charge, or contact the field or regional office representative; (ii) utilize the FDIC’s formal appeals process for material supervisory determinations; or (iii) contact the FDIC Office of the Ombudsman for “confidential, neutral, and independent” information and assistance if disagreements were not resolved informally at the Division-level. According to the letter, FDIC policy prohibits any retaliation, abuse, or retribution by any FDIC examiner or other personnel against an institution. The letter further emphasizes that “[s]uch behavior against an institution constitutes unprofessional conduct and will subject the examiner or other personnel to appropriate disciplinary or remedial action.”

COMMENTS: Comments Off
POSTED IN: Banking, Federal Issues

OCC Updates Comptroller’s Handbook to Include New Corporate and Risk Governance Booklet

On July 29, the OCC released the “Corporate and Risk Governance” booklet to update, consolidate, and rescind various booklets in the Comptroller’s Handbook. The new booklet is intended to provide examiners with a summary of corporate and risk governance, related risks, the board’s and management’s respective roles and responsibilities in corporate and risk governance, and examination procedures. The new booklet identifies the following as the primary risk categories associated with corporate and risk governance: (i) strategic; (ii) reputation; (iii) compliance; and (iv) operational. The booklet advises banks to maintain corporate and risk governance structures and practices that align with their changes in size, risk profile, and complexity. According to the booklet, an effective corporate and risk governance framework is key to the safe and sound operation of a financial institution and stimulates public confidence in the financial system.


CFPB’s Summer Edition of Supervisory Highlights Discloses Issues across Various Financial Markets

On June 30, the CFPB released its twelfth edition of Supervisory Highlights providing supervisory observations from its examiners in the areas of auto origination, debt collection, mortgage origination, small-dollar lending, and fair lending. In the area of auto origination, examiners determined that one or more institutions engaged in deceptive advertising practices related to the benefits of gap coverage products and the effects of payment deferrals, and failed to implement adequate compliance management systems. In the area of debt collection, examiners found that debt sellers sold thousands of debts that were unsuitable for sale because: (i) the accounts were in bankruptcy; (ii) the debts were the product of fraud; or (iii) the accounts had been paid in full. CFPB examiners further observed violations of the Fair Debt Collection Practices Act (FDCPA), determining that at least one collector falsely represented to consumers that a down payment was necessary in order to establish a repayment arrangement, when no such down payment was required by the collectors’ policies and procedures. For mortgage origination, CFPB examiners focused on compliance with provisions of CFPB’s Title XIV rules, the Truth in Lending Act (TILA), as implemented by Regulation Z, and the Real Estate Settlement Procedures Act (RESPA), as implemented by Regulation X, disclosure provisions, and other applicable consumer financial laws. Read more…


CFPB Releases Special Edition Supervisory Highlights with Focus on Mortgage Servicing

On June 22, the CFPB released its eleventh issue of Supervisory Highlights specifically to address recent supervisory examination observations of the mortgage servicing industry. According to the report, mortgage servicers continue to face compliance challenges, particularly in the areas of loss mitigation and servicing transfers. The report attributes compliance weaknesses to outdated and deficient servicing technology, as well as the lack of proper training, testing, and auditing of technology-driven processes. Notable findings outlined in the report include the following: (i) multiple violations related to servicing rules that require loss mitigation acknowledgment notices, observing deficiencies with timeliness and content of acknowledgement notices; (ii) violations regarding servicer loss mitigation offer letters and other related communications, including unreasonable delay in sending letters; (iii) failure to state the correct reason(s) in letters to borrowers for denying a trial or permanent loan modification option; (iv) failure to implement effective servicing policies, procedures, and requirements; and (v) heightened risks to consumers when transferring loans during the loss mitigation process. Although the report focuses largely on mortgage servicers’ continued violations, it acknowledged that certain servicers have significantly improved over the past several years by, in part, “enhancing and monitoring their servicing platforms, staff training, coding accuracy, auditing, and allowing for great flexibility in operations.”

In addition to outlining Supervision’s examination observations of the mortgage servicing industry, the report also notes that the CFPB’s Supervision and Examination Manual was recently updated to reflect regulatory changes, technical corrections, and updated examination priorities in the mortgage servicing chapter.