On June 10, the OCC released Bulletin 2016-20 to inform national banks, federal savings associations, and federal branches and agencies of foreign banks (OCC-supervised institutions) of recent temporary amendments to the Servicemembers Civil Relief Act (SCRA). As previously covered in InfoBytes and as outlined in the OCC’s Bulletin, the Foreclosure Relief and Extension for Servicemembers Act 2015 extends through December 31, 2017 the SCRA provision that protects servicemembers against sale, foreclosure, or seizure of property based on a breach of a secured obligation without a court order or waiver for one year following completion of their service. The OCC’s Bulletin notes that HUD updated its “Servicemembers Civil Relief Act Notice Disclosure” (Form 92070) to reflect the temporary extensions.
On June 22, the OCC named Beverly Cole its Deputy Comptroller for Compliance Supervision. Effective July 2016, Cole will serve as the operational executive responsible for developing and promulgating compliance operational protocols, examination strategies, and schedules. Cole started at the OCC in 1979 as an Assistant National Bank Examiner. In 1984, she left the OCC to work in the banking industry, but she returned to the OCC three years later. Throughout her tenure with the OCC, Cole has served in various supervisory roles overseeing banks of all sizes.
FFIEC Issues Cybersecurity Statement, Comments on Recent Attacks on Interbank Messaging and Payment Networks
On June 7, the FFIEC issued a statement on behalf of its members (the OCC, Federal Reserve, FDIC, NCUA, CFPB, and State Liaison Committee) advising financial institutions to “actively manage the risks associated with interbank messaging and wholesale payment networks.” According to the statement, recent cyber attacks against interbank networks and wholesale payment systems have demonstrated the ability to: (i) bypass information security controls and compromise a financial institution’s wholesale payment origination environment; (ii) “obtain and use valid operator credentials with the authority to create, approve, and submit messages”; (iii) make use of sophisticated understanding of funds transfer operations and operational controls; (iv) disable security logging and reporting by using highly customized malware, as well as conceal and delay detection of fraudulent transactions with the use of other operational controls; and (v) quickly transfer stolen funds across multiple jurisdictions.
On May 25, the OCC announced that it terminated a 2011 consent order related to mortgage servicing, as well as 2013 and 2015 amended orders, against a San Francisco-based bank after determining that it now complies with the orders. For previous violations of the original 2011 order, the OCC assessed a $70 million civil money penalty against the bank. Specifically, the OCC alleges that the bank (i) failed to correct identified deficiencies in the original and amended orders in a timely fashion, thus violating the original order from October 1, 2014 through August 31, 2015; (ii) filed payment change notices in bankruptcy courts that did not comply with bankruptcy rules and safe and sound banking practices between December 1, 2011 and March 31, 2015; and (iii) made escrow calculations that led to incorrect loan modification denials that constituted unsafe or unsound banking practices between March 2013 and October 2014. The bank will pay the $70 million penalty to the U.S. Treasury. The termination of the orders ends business restrictions that had been mandated in June 2015.
On May 24, the OCC entered into an agreement with a New York-based federal savings bank over the bank’s allegedly unsafe or unsound banking practices “relating to strategic and capital planning, concentration risk management, and board and management oversight at the [b]ank, and violations of law relating to Bank Secrecy Act (BSA) internal controls and BSA officer requirements.” Pursuant to the agreement, the bank’s Board must, among other things, revise and adopt a written program of internal control policies and procedures that the bank must implement to ensure ongoing compliance with the BSA. The policies and procedures must include, at a minimum, (i) effective customer due diligence and enhanced due diligence processes at account opening and thereafter; (ii) adequate methodology to ensure proper risk rating of customer accounts at their opening and thereafter; (iii) effective evaluations and investigations of suspicious activity system alerts; (iv) effective suspicious activity investigation process; and (v) periodic validation of the bank’s automated BSA monitoring system settings.