On December 19, the Federal Financial Institutions Examination Council (FFIEC) posted the 2017 version of its Community Reinvestment Act (CRA) Data Entry Software. This software—which is intended to help automate the filing of CRA data—is year-specific, i.e., 2016 reporting requires the 2016 version, not the 2017 version. In November, the FFIEC clarified that it was discontinuing its HMDA Data Entry Software and instead requiring that filers submit HMDA data collected in 2017 using a web interface called the “HMDA Platform.”
The Fed, FDIC, and OCC, as members of the FFIEC, recently announced the implementation of a streamlined Call Report Form (FFIEC 051) for eligible small institutions—financial institutions with only domestic offices and less than $1 billion in total assets—which is proposed to take effect March 31, 2017. The FFIEC’s action is the result of an ongoing initiative to reduce the burden associated with Call Report requirements for community banks. Among other things, the streamlined Call Report reduces the existing Call Report from 85 to 61 pages by removing approximately 950 (or about 40 percent) of the nearly 2,400 data items in the Call Report. Because the Office of Management and Budget (OMB) must approve the revisions before they can be implemented, the above-referenced banking agencies have also issued a joint notice reflecting that they have submitted the information collection to OMB for review.
On November 7, the Federal Financial Institutions Examination Council (FFIEC) announced the issuance of an updated Uniform Interagency Consumer Compliance Rating System, more commonly known as the “CC Rating System.” In the final guidance, the FFIEC explains that the new rating system has been redesigned “to better reflect current consumer compliance supervisory approaches and to more fully align the CC Rating System with the Agencies’ current risk-based, tailored examination processes.” The FFIEC also notes that the revisions “were not developed to set new or higher supervisory expectations for financial institutions and their adoption will represent no additional regulatory burden” (emphasis added).
Under the new CC Rating System, institutions will be assessed on a 1-to-5 rating scale in three distinct categories: (i) board and management oversight; (ii) compliance program and violations of law; and (iii) consumer harm. The new rating system will be used by all FFIEC member agencies, including the CFPB in its evaluation of non-depository institutions. FFIEC member agencies plan to apply the updated rating system to consumer compliance examinations that begin on or after March 31, 2017.
On October 17, the FFIEC published a Frequently Asked Questions guide related to the Cybersecurity Assessment Tool (Assessment) that was released in Summer 2015. The Assessment was developed to help financial institutions identify risks and assess their cybersecurity preparedness; its use is voluntary. The FAQs guide explains that management may use the Assessment to determine an institution’s cybersecurity maturity level within five different domains: (i) Cybersecurity Risk Management and Oversight; (ii) Threat Intelligence and Collaboration; (iii) Cybersecurity Controls; (iv) External Dependency Management; and (v) Cyber Incident Management and Resilience. The FAQs guide clarifies that “the Assessment is not designed to identify an overall cybersecurity maturity level.” Regarding third-party oversight, FAQ number 10 explains that the Assessment may be used as a resource for management’s “oversight of third parties as part of the institution’s comprehensive third-party management program.” Additional topics addressed in the FAQs include, but are not limited to, the following: (i) how the Assessment aligns with the National Institute of Standards and Technology Cybersecurity Framework; (ii) whether an automated version of the Assessment will be released; (iii) the Assessment’s ability to determine an institution’s Inherent Risk Profile; and (iv) the expectations for Inherent Risk Profile levels to align with an institution’s Cybersecurity Maturity.
On September 9, the FFIEC updated its Information Security booklet, a key element of its Information Technology Examination Handbook. The booklet is intended to provide examiners with guidance on assessing a financial institution’s information security operations, and is divided into the following four main sections: (i) Governance of the Information Security Program; (ii) Information Security Program Management; (iii) Security Operations; and (iv) Information Security Program Effectiveness. In addition to offering technology-centric recommendations such as encryption, the booklet advises firms to create security processes and risk assessments “commensurate with their operational complexities.” It also advises financial institutions to “have strong board and senior management support, promote integration of security activities and controls throughout the institution’s business processes, and establish clear accountability for carrying out security responsibilities.” As expected, the booklet highlights the importance of implementing effective oversight of third-party service providers. Pursuant to sub-section II.C.20, in order to ensure effective oversight of third-party service providers, management should, among other things, determine when third parties identify, measure, mitigate, monitor, and report cyber risks so as to “facilitate a comprehensive understanding of the institution’s exposure to third-party cyber threats.”