The Latest News from Federal Financial Regulatory Agencies

Here is a quick rundown on the latest news from various federal financial regulatory agencies.

The FDIC

On August 20, the Federal Deposit Insurance Corporation (FDIC) announced that it was modifying its Statement of Policy for Section 19 of the Federal Deposit Insurance Act, which is explained in its financial institution letter, FIL-42-2018.

The OCC

On August 17, the Office of the Comptroller of the Currency (OCC) published its Enforcement Actions and Terminations for August 2018. Most notable were three actions against TCF National Bank in regard to violations of the Federal Trade Commission Act (FTCA) in connection with its ATM and one-time debit cards. The Cease and Desist Order, the Civil Money Penalty for $3 million, and the Restitution Order of $25 million were all the result of alleged deceptive acts or practices in the bank’s overdraft protection Opt-in process.

The NCUA

On August 17, the National Credit Union Administration (NCUA) named 26-year agency veteran, Matthew J. Bilouris, as the Director of its Office of Consumer Financial Protection.

The CFPB

On August 10, the Consumer Financial Protection Bureau (CFPB) published its final rule  amending the Gramm-Leach-Bliley Act, which provides an exemption from sending annual privacy notices as per Regulation P. In order to qualify for the exemption, financial institutions must meet the following two criteria:

  1. “Must not share nonpublic personal information about customers except as described in certain statutory exceptions.”
  2. “Must not have changed its policies or procedures with regard to disclosing nonpublic personal information from those that the institution described in the most recent privacy notice it sent.”

The Federal Reserve

On August 10, the Federal Reserve imposed an $8.6 million fine on Citigroup for alleged unsafe and unsound practices stemming from the “improper execution of residential mortgage-related documents” at one of its subsidiaries.

FinCEN

On August 8, the Financial Crimes Enforcement Network (FinCEN) extended its limited exception from beneficial owner requirements on legal entity customers for another 30 days. FinCEN initially instated the exception in May, just five days after the beneficial ownership rule went into effect on May 11. This relieved financial institutions from having to collect beneficial ownership information on certain financial products that automatically renew, such as certificates of deposit, that were opened prior to May 11.

That 90-day exception expired on August 9, but this latest move extends it to September 8.

 

Federal Banking Regulators Mete Out $1.078 Billion in CMPs Since April

pexels-photo-164527.jpeg
Photo by Pixabay on Pexels.com

On May 25, the Federal Deposit Insurance Corporation (FDIC) published its April enforcement actions, which included four orders to pay civil money penalties (CMPs), totaling $160,000. That’s not much of a story, but further digging reveals that between the FDIC, the Office of the Comptroller of the Currency (OCC), the Financial Crimes Enforcement Network (FinCEN), the Consumer Financial Protection Bureau (CFPB), and the Federal Reserve Board (FRB), federal banking regulators handed out $1,078,384,245 in CMPs from early April to early May.

(No enforcement actions were found for this time period on the National Credit Union Administration’s website.)

A closer look at these enforcement actions adds interesting context to the hefty fine total.

Both Individuals and Institutions Fined

In addition to the FDIC’s four orders to pay a CMP, the OCC issued seven such enforcement actions, while FinCEN and the CFPB issued one each, and the FRB issued two, for a total of 17 enforcement actions involving monetary fines. Those actions break down as follows:

  • Seven levied against institution-affiliated individuals: These current and former executives and/or directors were fined a total of $410,000, with CMPs ranging from $5,000 to $175,000.
  • Seven levied against traditional financial institutions: PNC Bank and Wells Fargo were each fined twice and three other banks were fined once by various agencies for a total of $1,069,974,245 in CMPs. The OCC and CFPB-combined $1 billion fine against Wells Fargo represents the majority of the bank fines. However, two other banks were still hit with significant fines: The OCC fined PNC $15 million and the FRB fined Goldman Sachs $54.75 million.
  • One levied against a casino: Per the USA PATRIOT Act’s broader definition of “financial institution,” FinCEN fined a casino (or card club) $8 million.

The Alleged and Admitted Violations

The seven institution-affiliated individuals were fined for a variety of reasons, including conducting unsafe and unsound practices, such as masking reporting losses; violating previous consent orders or failing to correct deficiencies cited in them; understating the allowance for loan and lease losses (ALLL) leading to a false or misleading CALL Report; and causing “the Bank to pay for personal expenditures without disclosure or authorization.”

The remaining CMPs levied against institutions involve the following laws or regulations:

  • Three institutions allegedly violated flood-related regulations: This includes a $5,000 fine from the FDIC, a $12,000 fine from the FRB, and a $207,245 fine from the OCC.
  • Two institutions allegedly violated the Federal Trade Commission Act (FTCA): The OCC fined PNC $15 million for deceptive acts or practices in violation of the FTCA, and it fined Wells Fargo $500 million for unsafe and unsound practices in violation of the same.
  • One institution allegedly violated the Consumer Financial Protection Act (CFPA): The CFPB fined Wells Fargo $1 billion for unfair and deceptive acts in violation of the CFPA, however it credited the OCC’s $500 million CMP towards the satisfaction of its own fine.
  • One institution admittedly violated the Bank Secrecy Act (BSA): FinCEN’s $8 million enforcement action against the above-referenced casino was due to its failure to establish and implement an effective anti-money laundering program as per the BSA.
  • One institution allegedly conducted unsafe and unsound practices in its Foreign Exchange Trading Business: The FRB fined Goldman Sachs “for deficiencies in Goldman’s internal controls and oversight of traders who buy and sell U.S. dollars and foreign currencies for the firm’s own accounts and for customers.”

The Million and Billion Dollar Fines

If you haven’t kept count, of the eight institutional fines, five of them exceeded a million dollars, three of them consisted of multi-million dollar CMPs, and Wells Fargo’s total fine hit the $1 billion mark.

Perhaps it is worth noting that the other three institutional fines ($5,000, $12,000 and $207,245) were the flood-related violations.

While the Trump administration’s deregulation stance is providing some much welcomed regulatory relief, this month’s worth of CMPs indicates that compliance with remaining laws and regulations is still a priority for federal banking regulators.

 

The OCC’s Risk Outlook

This week the Office of the Comptroller of the Currency (OCC) published its Semiannual Risk Perspective, which gives bank compliance officers and risk managers an important glimpse into the federal banking agency’s current outlook on risk.

Here is a brief summary of the report.

The Basics of the OCC’s Semiannual Risk Perspective

Every six months, the OCC’s National Risk Committee (NRC) issues the agency’s Semiannual Risk Perspective. According to the introduction to the Perspective, the NRC is made up of senior OCC supervisory and policy officials who meet quarterly.

The NRC is responsible for monitoring “the condition of the federal banking system and identifying key risks,” as well as monitoring emerging threats.

This Spring 2018 Semiannual Risk Perspective was published on May 24, 2018, and is based on data as of March 31, 2018, except where otherwise noted.

Overall Report Card

The Perspective’s Executive Summary provides an overall status of the banking system:

  • Condition of Federal Banking System: Strong
  • Comparison of System’s Condition: 2017 and 2018 show improvement over 2016
  • Economic Environment: Supports loan growth and profitability
  • Asset Quality: Sound
  • Capital and Liquidity: Near historical highs
  • Earnings: Improving
  • Overall Risk Management Practices: Incrementally improving

On Operational Risk

The OCC reports that “Operational Risk is elevated as banks adapt business models, transform technology and operating processes, and respond to evolving cyber threats.”

Specific threats to operational risk include the following:

  • Ever increasing threat of cyber attacks
  • Growing bank reliance on third-party vendors to perform critical functions
  • Concentration of third-party risk due to the “consolidation among large technology service providers”
  • Evolving business and operating models that include new delivery channels, products, and services

On Compliance Risk

The OCC warns that Compliance Risk “remains elevated,” with particular concern in the following areas:

  • Bank Secrecy Act (BSA) Compliance Challenges: The combination of the “dynamic nature” of money laundering along with “evolving delivery channels” makes complying with the BSA difficult. The OCC warns banks that are “engaging in such offerings” to refine and update their BSA compliance programs to ensure they are adequately mitigating the associated risks.
  • BSA and Anti-Money Laundering (AML) Compliance Risk Management Systems: The OCC notes that, such BSA/AML risk management systems “often do not keep pace with evolving risks, resource constraints, changes in business models, and regulatory changes.”
  • OFAC Sanctions: The OCC questions whether bank OFAC compliance programs are keeping pace with the increasing number and complexity of sanctions programs.
  • Overall Regulatory Complexity: The number of amended regulations and/or highly complex requirements continue to present challenges for banks.
  • Specific Complexity of TRID: The OCC acknowledges the continued bank struggle to incorporate the Truth-in-Lending RESPA Integrated Disclosure (TRID) forms.

On Interest Rate Risk

The OCC states that, “There is uncertainty in how bank deposits will react to increasing interest rates. Banks may experience unexpected adverse shifts in liability mix or increasing costs that may adversely affect earnings or increase liquidity risk.”

Read the OCC’s complete Semiannual Risk Perspective for Spring 2018 for an even more in-depth analysis of the current state of banking in the United States.

 

Wells Fargo Consent Orders Are Must-Reads for Bank Risk Management

pexels-photo-259027.jpegIt has been 10 days since news broke that the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) filed consent orders against Wells Fargo, resulting in a combined $1 billion civil money penalty (CMP). Many headlines about this story focused on the bank’s mortgage and auto lending practices. In reality, there is a more informative story here, especially for anyone involved in bank risk management or compliance.

Of course the 16-page OCC Consent Order for Civil Money Penalty, the 35-page OCC Cease and Desist Order, and the 35-page CFPB Consent Order are not as thrilling to read as a New York Times bestseller, but they are telling. And reading through the orders provides more details than the news blips about them, details that bank risk management and compliance officers can find useful in strengthening their own risk management and compliance practices.

 5 Telling Facts in Consent Orders Against Wells Fargo

  1. The Financial Hit Goes Beyond $1 Billion: Most TV and print outlets announced that Wells Fargo was fined $1 billion by the two regulatory agencies. That is true in that their net CMP was $1 billion. It is interesting to note, however, that the OCC fined the bank $500 million and the CFPB fined it $1 billion for a total of $1.5 billion in CMPs, although the CFPB agreed to accept the $500,000 collected by the OCC as part of its settlement. In addition, the orders call on the bank to develop remediation plans for customers it is alleged to have harmed, which will lead to additional costs for the bank.
  2. The OCC Focus Is on Risk Management: While news stories ran with the mortgage and auto lending practice allegations, likely because that was the message in the CFPB order, the OCC focuses first and foremost on risk management before addressing the other two issues. The order’s opening paragraph states that, “The OCC has identified deficiencies in the Bank’s enterprise-wide compliance risk management program that constituted reckless unsafe or unsound practices and resulted in violations of the unfair acts or practices provision of Section 5 of the Federal Trade Commission Act…”
  3. The Alleged Risk Management Deficiencies Extend in Time and Scope: The OCC claims that, “Since at least 2011, the Bank has failed to implement and maintain a compliance risk management program commensurate with the Bank’s size, complexity and risk profile.” The alleged deficiencies also impacted almost every aspect of the program, including the plan’s execution, the expertise of the personnel involved, the assessment and testing of the plan, the reporting to the Board, and its overall implementation.
  4. UDAP and UDAAP Used by OCC and CFPB: As discussed before in this blog, unfair, deceptive or abusive acts or practices (UDAAP) and its cousin unfair and deceptive acts and practices (UDAP) are often handy regulations for regulatory agencies to cite because of their broad scope. In addition to the OCC’s unfair claim outlined in point #2, the CFPB alleges unfair acts and practices in violation of the Consumer Financial Protection Act (CFPA) in regard to Wells Fargo’s mortgage and auto lending practices. On the former, the CFPB claims that the bank “unfairly failed to follow the mortgage-interest-rate-lock process it explained to some prospective borrowers.” On the latter, it claims the bank “operated its Force-Placed Insurance program in an unfair manner.”
  5. Vendor Management Comes into Play: Both the OCC and the CFPB orders indicate that the auto lending practices in question involved the bank’s vendor, reinforcing the fact that banks are ultimately responsible for the functions being performed by their vendors.

The moral of this story for banks and credit unions of all sizes: make sure that 1) your risk management practices are appropriate for your risk profile; 2) nothing you or your vendors are doing in word or deed can be deemed unfair, deceptive or abusive; and 3) you are routinely monitoring your vendors to ensure that they are fully and effectively complying with all the rules and regulations that apply to your institution and to them.

 

OCC Warns Banks Against Complacency

By Mary Crotty, Freelance Writer for Banks and Third-Party Service Providers

Twice a year the Office of the Comptroller of the Currency (OCC) releases a summary of current and emerging risk trends for the banking system. The OCC’s latest “Semiannual Risk Perspective for Fall 2017” (Perspective) was published last Friday, January 18, and is based on financial data compiled and analyzed through June 30, 2017.

While noting a strong economy and continued improvement in overall bank performance, the Perspective does sound some warning bells. “The current operating environment presents strategic risk for many banks in increasingly diverse ways. Thus, this report emphasizes the need for vigilance by bank management at this point in the economic cycle.”

OCC-Noted Risk Areas

  • Credit Policy and Practices: The OCC warns that banks are slowly loosening their commercial credit underwriting practices due to increased competition. It also noted an increased concentration in Commercial Real Estate (CRE), a trend it noted could hurt the entire financial system if not monitored and checked.
  • Cybersecurity Programs: Cyber criminals continue to evolve their methods and tools faster than bank cybersecurity programs can keep up.
  • Vendor Management Programs: Banks’ increasing reliance on third-party service providers, especially for critical functions, continues to concern the OCC.
  • Bank Secrecy Act (BSA) Compliance: Just like cybercrime, money laundering continues to evolve into an ever more complex crime that creates significant problems for banks. The OCC warns that banks are struggling to comply with the BSA, even before the related Customer Due Diligence (CDD) Final Rule goes into effect on May 11, 2018.
  • Consumer Protection Compliance: According to the Perspective, consumer compliance risk management continues to be an issue for banks “due to the increasing complexity in consumer compliance regulations.”
  • Current Expected Credit Loss (CECL) Model: The OCC also warns that the “current expected credit losses standard for which implementation begins in 2020 may pose operational and strategic risk to some banks when measuring and assessing the collectability of financial assets.”

Avoid Complacency

The Perspective reads like a road map for determining what areas will receive the most attention during upcoming regulatory examinations. There are two things your bank can do right now to improve its performance on such examinations:

  1. Review the following policies and make sure processes and procedures reflect any updates: Credit Policy, Cybersecurity Policy, Vendor Management Policy, Bank Secrecy Act Policy, UDAAP Policy and other consumer protection policies.
  2. Reiterate your bank’s policy stances by communicating them with your employees.