On February 8, New York DFS Superintendent Benjamin Lawsky announced that the DFS would begin (i) regularly examining insurance companies’ cyber security preparedness; (ii) enhancing regulations that will require insurance providers to meet higher standards of cyber security; and (iii) examining “stronger measures related to the representations and warranties insurance companies receive from third-party vendors.” Lawsky expects the targeted exams to begin in the “coming weeks and months.” The announcement was accompanied by the release of the state agency’s report on cybersecurity in the insurance industry.
On March 2, OCC Comptroller Curry delivered remarks before the Institute of International Bankers regarding BSA/AML compliance obligations for financial institutions. During his remarks, Comptroller Curry emphasized that a top priority for the OCC has been to strengthen BSA/AML compliance at its supervised institutions. In this regard, the OCC has (i) modified its bank examination process so that BSA deficiencies receive proper emphasis in the evaluation of safety and soundness; (ii) focused on the BSA/AML risks posed by third-party relationships; (iii) required that institutions adequately resource their BSA/AML compliance programs; (iv) required institutions to assign accountability for BSA/AML compliance across all business lines presenting BSA/AML risk; and (v) taken enforcement action to enforce BSA/AML compliance when appropriate. Through his remarks, Comptroller Curry also addressed the need to improve the BSA/AML regulatory framework itself. Specifically, Comptroller Curry indicated that the OCC wanted (i) to streamline the SAR reporting process, (ii) to find better ways to use technology to advance BSA/AML goals, and (iii) to increase information sharing by creating safe harbors from civil liability both for financial institutions that file SARs and for financial institutions that share information about financial crimes with each other.
On January 23, the California Department of Business Oversight (DBO) announced a $2.5 million settlement with a national mortgage servicer for failing to provide loan information to the state regulator. According to the consent order, the company must also (i) pay an independent third-party auditor selected by the DBO to ensure the servicer provides all requested information to DBO; (ii) cover administrative costs associated with the case; and (iii) cease acquiring new mortgage servicing rights that include loans secured by California properties until the DBO is satisfied that the servicer can satisfactorily respond to certain requests for information and documentation made in the course of a regulatory exam.
On January 13, the SEC announced its Office of Compliance Inspections and Examinations’ examination priorities for 2015. The examination priorities cover a wide range of financial institutions and focus on three areas: (i) protecting retail investors, especially those saving for or in retirement; (ii) assessing market-wide risks, including cybersecurity compliance and controls; and (iii) using data analytics to identify signals of potential illegal activity. As to the risks to retail investors, the SEC noted that such investors are being sold products and services that were formerly characterized as alternative or institutional, including private funds, illiquid investments, and structured products. In addition, financial services firms are offering information, advice, products, and services to help retail investors plan for retirement. The SEC intends to assess the risks to retail investors that can arise from these trends.
On July 24, Illinois Governor Pat Quinn signed HB 5342, which amends numerous provisions of state law applicable to state banks and credit unions, including requiring the Illinois Secretary of Financial and Professional Regulation to adopt formal rules that guarantee consistency and due process during the examination process of state-chartered banks. The bill also allows the Secretary to establish guidelines “that (i) define the scope of the examination process and (ii) clarify examination items to be resolved.” In addition, the bill provides that an existing loan secured by an interest in real estate shall not, under certain circumstances, require a new appraisal of the collateral during renewal, refinancing, or restructuring. The changes became effective immediately.
On July 29, the U.S. House of Representatives passed by voice vote H.R. 5062, a bipartisan bill that would amend the Consumer Financial Protection Act with respect to the supervision of nondepository institutions, to require the CFPB to coordinate its supervisory activities with state regulatory agencies that license, supervise, or examine the offering of consumer financial products or services. The bill declares that the sharing of information with such state entities does not waive any privilege claimed by nondepository institutions under federal or state law regarding such information as to any person or entity other than the CFPB or the state agency. The following day, the House Financial Services Committee approved numerous bills, including two mortgage-related bills. The first, H.R. 4042, would require the Federal Reserve Board, the OCC, and the FDIC to conduct a study to determine the appropriate capital requirements for mortgage servicing assets for any banking institution other than an institution identified by the Financial Stability Board as a global systemically important bank. The bill also would prohibit the implementation of Basel III capital requirements related to mortgage servicing assets for non-systemic banking institutions from taking effect until three months after a report on the study. A second bill, H.R. 5148, would exempt creditors offering mortgages of $250,000 or below from certain property appraisal requirements established by the Dodd-Frank Act.
On July 8, FINRA released a targeted examination letter it sent to 10 firms to assess their compliance with requirements related to order routing and execution quality of customer orders in exchange listed stocks during the period of January 1, 2014 to present. The letters include numerous requests for information, including requests that each firm explain: (i) how it uses reasonable diligence to ascertain the best market for orders that the firm routes for execution to an exchange, or broker-dealer, so that the resultant price is as favorable as possible for its customer under prevailing market conditions; (ii) how the firm’s exchange order-routing decisions are made for customer non-marketable, customer market, and marketable limit orders; and (iii) how the firm reviews the execution quality of such orders. The letters also include requests related to each firm’s use of the “Smart Order Router.”
On June 18, CFPB Deputy Director Steve Antonakes opened the CFPB’s first public Consumer Advisory Board (CAB) meeting with remarks about implementation of the CFPB’s mortgage rules and the Bureau’s approach to enforcing those rules.
Over the past year, the CFPB has attempted to publicly outline and clarify its expectations for mortgage originators and servicers as those companies seek to comply with a host of new rules and requirements while continuing to face significant market challenges. The CFPB’s initial public position, particularly with regard to the new servicing rules, was that “in the early months” after the rules took effect, the CFPB would not look for strict compliance, but rather would assess whether institutions have made “good faith efforts” to come into “substantial compliance.”
On June 9, the House passed by voice vote H.R. 3211, the Mortgage Choice Act of 2013. The bill would amend TILA’s definition of “points and fees” for purposes of the CFPB’s Ability to Repay and HOEPA rules to exclude from the definition insurance held in impound accounts and amounts received by affiliated companies as a result of their participation in an affiliated business arrangement. The bill now moves to the Senate where a similar bill was introduced last year by Senator Joe Manchin (D-WV) but has not yet been considered by the Senate Banking Committee. Later in the week, the House Financial Services Committee approved numerous additional bills related to the CFPB, including: (i) H.R. 4804, which would establish certain requirements for CFPB examinations, including prohibiting the use of enforcement attorneys; (ii) H.R. 4811, which would establish standards for CFPB guidance, including a notice and comment period, and would declare the CFPB’s fair lending auto finance guidance to have no force or effect; and (iii) H.R. 3770, which would create an independent inspector general for the CFPB.
On May 28, the OCC announced “significant” changes to its large bank supervisory process and its large bank examination force. The OCC plans to “expand the organization, functions, and responsibilities of its large bank lead expert program to improve horizontal perspective and analysis, systemic risk identification, quality control and assurance, and resource prioritization.” The OCC also will establish a formal program under which large bank examiners will rotate to another large bank every five years in cities with multiple large banks. The changes come in response to an international peer review initiated by the OCC. The OCC released a summary of the supervision peer review recommendations and the OCC’s responses, which describe a number of other supervisory changes including, among others: (i) formalizing an enterprise risk management framework that will involve “developing a risk appetite statement, creating a decision-tree process, and enhancing the OCC’s existing National Risk Committee framework and processes”; and (ii) expanding an ongoing review of Matters Requiring Attention “to enhance and standardize MRA definitions, methods for communication, resolution processes, establish consistent tracking mechanisms, and develop a consistent examiner reference guide.” The OCC declined to implement other recommended changes, including, for example, creating more flexibility within the CAMELS rating system or developing potential alternatives to CAMELS.
On May 6, New York Governor Andrew Cuomo released a report on bank cybersecurity preparedness and directed the New York State Department of Financial Services (DFS) to conduct targeted cybersecurity preparedness assessments of the DFS-regulated banks. The DFS is revising its examination procedures to add questions to assess IT management and governance, incident response and event management, access controls, network security, vendor management, and disaster recovery. DFS plans to release additional details about the timing and content of these examination procedures in the coming weeks. The report follows a year-long survey of 154 DFS-regulated banks, which revealed that “most institutions experienced intrusions or attempted intrusions into their IT systems over the past three years.” The review revealed that third-party payment processor breaches were reported by 18% and 15% of small and large institutions, respectively, and that large institutions also cited mobile banking exploitation, ATM skimming/point-of-sale schemes, and insider access breaches. Last year, the DFS announced a similar inquiry into cyber preparedness at insurance companies it regulates.
On April 30, the CFPB published its second annual report to Congress on its fair lending activities. According to the report, in 2013 federal regulators referred 24 ECOA-related matters to the DOJ—6 by the CFPB—as opposed to only 12 referrals in 2012. The report primarily recaps previously announced research, supervision, enforcement, and rulemaking activities related to fair lending issues, devoting much attention to mortgage and auto finance. However, the Bureau notes that it is conducting ongoing supervision and enforcement in other product markets, including credit card lending. The Bureau also identifies the most frequently cited technical Regulation B violations.
On April 18, the OCC, FDIC, and Federal Reserve Board released revised Community Reinvestment Act (CRA) examination procedures applicable to institutions with total assets greater than $1.202 billion as of December 31 of either of the previous two calendar years. The procedures incorporate revisions to the CRA interagency questions and answers issued in November 2013. Those revisions generally were intended to: (i) clarify how the agencies consider community development activities that benefit a broader statewide or regional area that includes an institution’s assessment area; (ii) provide guidance related to CRA consideration of, and documentation associated with, investments in nationwide funds; (iii) clarify the consideration of certain community development services, such as service on a community development organization’s board of directors; (iv) address the treatment of loans or investments to organizations that, in turn, invest those funds and use only a portion of the income from their investment to support a community development purpose; and (v) clarify that community development lending performance is always a factor considered in a large institution’s lending test rating.
On April 18, the Federal Reserve Board issued SR 14-4 which updates the Federal Reserve’s loan sampling expectations for state member bank and credit extending nonbank subsidiaries of banking organizations with $10-$50 billion in total consolidated assets. Depending on the structure and size of subsidiary state member banks, the guidance permits examiners to apply the guidance applicable to smaller state member banks when a bank’s subsidiary’s total assets are below $10 billion. The guidance (i) details the loan sampling methodology to be employed by Reserve Banks during the supervisory process; (ii) calls for documentation of loan sample selection methods in scoping memoranda and in the confidential section of the report of examination; and (iii) outlines expectations for following up on examinations with adverse findings. The guidance supersedes the examiner loan sampling expectations described in SR 94-13, “Loan Review Requirements for On-site Examinations.”
On April 15, the SEC’s Office of Compliance Inspections and Examinations announced that it will be conducting cybersecurity examinations of more than 50 registered broker-dealers and registered investment advisers. The examinations will assess each firm’s cybersecurity preparedness and collect information about the industry’s recent experiences with certain types of cyber threats. Specifically, examiners will focus on (i) cybersecurity governance; (ii) identification and assessment of cybersecurity risks; (iii) protection of networks and information; (iv) risks associated with remote customer access and funds transfer requests; (v) risks associated with vendors and other third parties; (vi) detection of unauthorized activity; and (vii) experiences with certain cybersecurity threats. The SEC included with the announcement a sample document and information request it plans to use in this examination initiative.