On April 19, the Federal Reserve issued a letter announcing a new off-site loan file review program available to banking institutions with less than $50 billion in total assets. According to the letter, recent technological advancements, i.e. secure data transmission and electronic file imaging, allow the Federal Reserve to collect and review loan file information off-site “without compromising the effectiveness of the examination process.” To determine if the off-site loan review program is appropriate for an institution, the Federal Reserve will consider the following: (i) if the institution uses a secure transmission method to submit the loan file data; (ii) if the institution can provide loan data and imaged documents that are legible, easily viewable, and properly organized; and (iii) if the loan files are sufficiently comprehensive, allowing examiners to reach a conclusion regarding the appropriate rating of a credit without requesting additional information. Regarding adjustments to the examination process of an off-site loan review, the letter cautions that examiners will need to allocate sufficient time before an examination begins to ensure loan file data was successfully transmitted to the Reserve Bank, and communicate with institutional management throughout the examination process. Finally, the letter discusses the scope of the off-site examination process verses that of an on-site examination process, noting that (i) certain portions of examination work will remain off-site regardless of whether the institution is participating in the new off-site program; and (ii) at examiners’ discretion, Reserve Banks “may hold either off-site or on-site discussions with the institution’s management regarding preliminary loan review findings such as the appropriateness of individual credit ratings assigned by [a state member bank or foreign banking organization] and the completeness of credit file documentation.”
On April 29, the FFIEC updated its IT Examination Handbook, revising its Retail Payment Systems booklet to include an Appendix E, Mobile Financial Services. The Retail Payment Systems booklet consists of guidance intended to help examiners evaluate financial institutions’ and third-party providers’ management of risks associated with retail payment systems. Appendix E is designed to address risk management associated with mobile financial services (MFS): “Appendix E contains guidance pertaining to [MFS] risks that supplements existing booklet guidance on other retail payment topics, such as electronic payments related to credit cards and debit cards, remote deposit capture and changes in technology or retail payment systems.” Appendix E outlines risk management practices for the following MFS technologies: (i) short message service/text messaging; (ii) mobile-enabled web sites and browsers; (iii) mobile applications; and (iv) wireless payment technologies. In addition to MFS technologies, Appendix E also addresses management strategies related to (i) risk identification; (ii) risk measurement; (iii) risk mitigation; and (iv) monitoring and reporting.
On March 8, the SEC announced a change in senior leadership, naming Robert M. Fisher the Managing Executive of the Office of Compliance Inspections and Examinations (OCIE). Succeeding Peter B. Driscoll, Fisher will be responsible for overseeing the OCIE’s business operations, technology servicers, examiner training, and Tips, Complaints and Referrals programs. The SEC also announced a new Office of Risk and Strategy within its Office of Compliance and Inspections and Examinations, naming Driscoll as its Chief Risk and Strategy Officer. The new office is intended to “consolidate and streamline the OCIE’s risk assessment, market surveillance, and quantitative analysis teams and provide operational risk management and organizational strategy for OCIE.” In his new role as Chief Risk and Strategy Officer, Driscoll will lead the Washington, D.C.-based Investment Adviser/Investment Company examination staff.
In a separate March 10 announcement, the SEC named Anthony S. Kelly Co-Chief of the Enforcement Division’s Asset Management Unit (Unit). Succeeding Julie Riewe, Kelly joins Marshall Sprung to lead the Unit, which focuses on misconduct by investment advisers, investment companies, and private funds.
Recently, the Massachusetts Division of Banks released examination procedures that incorporate cybersecurity as a module in all of its examinations of banks and non-bank licensees. The procedures contain two separate workbooks. The first, NDIS IT/Information Security Examination Work-program, contains questions related to a Licensee’s (i) risk assessment and management oversight; (ii) written information security program; (iii) data security operations; (iv) business continuity and disaster recovery; (v) cybersecurity; and (vi) IT audit. Section VII of the workbook provides space for an examination summary, and Section VIII of the first workbook contains various links to examination resources, including, but not limited to, the FFIEC Interagency Guidelines Establishing Information Security Standards, and a copy of 201 CMR 17.00 – Standards for the Protection of Personal Information of Residents of the Commonwealth. The second, Non-Depository Institution Supervision Information Technology Officer’s Questionnaire, “contains questions covering significant areas of the Licensee’s [IT] function.”
Last year, the Division sent a communique to CEOs of regulated institutions encouraging them to do a cybersecurity assessment using the FFIEC tool and noted that it would be looking at those assessments in future examinations.
On February 3, the SEC named Jane Jarcho Deputy Director of its Office of Compliance Inspections and Examinations (OCIE). Jarcho will continue to serve as the National Director of the OCIE’s Investment Adviser/Investment Company examination program, a role she assumed in 2013. As the head of the Investment Adviser/Investment Company examination program, Jarcho increased company examinations more than 27% and “targeted areas such as cybersecurity, never before examined investment advisers and investment companies, alternative mutual funds, fixed incomes, and retirement accounts.” Jarcho’s SEC career began in 1990 in the Division of Enforcement, where she held various positions, including Branch Chief, Senior Trial Counsel, and Assistant Regional Director. In 2008, Jarcho joined the OCIE; prior to being named National Director of the office, she served as Associate Director of the Investment Adviser/Investment Company examination program.