The Fed, FDIC, and OCC, as members of the FFIEC, recently announced the implementation of a streamlined Call Report form (FFIEC 051) for eligible small institutions—financial institutions with only domestic offices and less than $1 billion in total assets—which is proposed to take effect March 31, 2017. The FFIEC’s action is the result of an ongoing initiative to reduce the burden associated with Call Report requirements for community banks. Among other things, the streamlined Call Report shrinks the existing Call Report from 85 to 61 pages by removing approximately 950 (or about 40 percent) of the nearly 2,400 data items in the current form. Because the OMB must approve the revisions before they can be implemented, the above-referenced banking agencies have also issued a joint notice stating that they have submitted the information collection to OMB for review.
FDIC Releases 2016 Annual Report; Separately, FDIC’s OIG Issues Report Critical of Bank Service Provider Contracts
On February 15, the FDIC released its 2016 Annual Report, which includes, among other things, the audited financial statements of the Deposit Insurance Fund and the Federal Savings and Loan Insurance Corporation (FSLIC) Resolution Fund. The report also provides an overview of key FDIC initiatives, performance results, and other aspects of FDIC operations.
Separately, on the same day, the FDIC’s Office of Inspector General (OIG) released an Audit Report (EVAL-17-004) on the adequacy of a small but random sample of contracts between FDIC-supervised institutions and their technology service providers (TSPs), in light of federal law and banking agency guidance on customer privacy protection and the proper management of third-party relationships. All sampled contracts had been designated as “critical” or “high” risk to the supervised institutions’ operations. The OIG specifically evaluated, and generally found insufficient, the clarity of contract provisions on TSP obligations regarding: (i) business continuity planning; and (ii) responding to and reporting on cybersecurity incidents. Despite the insufficiencies noted, the OIG acknowledged that because many contracts were negotiated before some of the relevant guidance was issued, “more time is needed to allow FDIC and FFIEC efforts to have a demonstrable” impact on contractual language.
As a result of these findings, the OIG recommended—and FDIC management agreed—that the agency, after allowing appropriate time for current guidance to be implemented, conduct a “full horizontal review to assess” any continued presence of the contractual insufficiencies noted in the report. The FDIC will “prepare” that horizontal review in 2018.
On December 19, the Federal Financial Institutions Examination Council (FFIEC) posted the 2017 version of its Community Reinvestment Act (CRA) Data Entry Software. This software—which is intended to help automate the filing of CRA data—is year-specific, i.e., 2016 reporting requires the 2016 version, not the 2017 version. In November, the FFIEC clarified that it was discontinuing its HMDA Data Entry Software and instead requiring that filers submit HMDA data collected in 2017 using a web interface called the “HMDA Platform.”
On November 7, the Federal Financial Institutions Examination Council (FFIEC) announced the issuance of an updated Uniform Interagency Consumer Compliance Rating System, more commonly known as the “CC Rating System.” In the final guidance, the FFIEC explains that the rating system has been redesigned “to better reflect current consumer compliance supervisory approaches and to more fully align the CC Rating System with the Agencies’ current risk-based, tailored examination processes.” The agency also notes that the revisions “were not developed to set new or higher supervisory expectations for financial institutions and their adoption will represent no additional regulatory burden” (emphasis added).
Under the new CC Rating System, institutions will be assessed on a 1-to-5 rating scale in three distinct categories: (i) board and management oversight; (ii) compliance program and violations of law; and (iii) consumer harm. The new rating system will be used by all FFIEC member agencies, including the CFPB in its evaluation of non-depository institutions. FFIEC member agencies plan to implement the updated rating system on consumer compliance examinations that begin on or after March 31, 2017.
On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in Summer 2015. The Assessment was developed to help financial institutions identify risks and assess their cybersecurity preparedness; its use is voluntary. The FAQ guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQ guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectations for Inherent Risk Profile levels to align with an institution’s Cybersecurity Maturity.