Top Story Technology Related

Acting Comptroller of the Currency Michael J. Hsu discussed recovery planning via livestream in remarks May 27 at the Entrepreneurship, Markets and Technology: Regulation's Challenges in a Changing World Conference in Zurich, Switzerland.

In his remarks, Mr. Hsu discussed the importance of recovery planning and how it can mitigate the too-big-to-fail problem. He highlighted the importance of recovery planning at large banks in the context of the bank failures in March 2023 and offered thoughts on expanding recovery planning guidelines to apply to banks with at least $100 billion in assets.

The Office of Foreign Assets Control (OFAC) has amended the Cuban Assets Control Regulations, 31 C.F.R. Part 515 (CACR) to further implement portions of the president’s foreign policy toward Cuba. Among other things, these amendments increase support for internet freedom for the Cuban people and independent Cuban private sector entrepreneurs by expanding authorizations for internet-based services and a range of financial transactions. The rule was published in the Federal Register and became effective today.

OFAC also issued six new, Cuba-related Frequently Asked Questions (FAQs 1174-1179) and amending eight Cuba-related Frequently Asked Questions (FAQs 732, 736, 745, 748, 757, 769, 770, and 785).

The Federal Housing Administration's Mortgagee Letter 2024-10, issued yesterday, requires FHA-approved mortgagees to notify HUD when a cyber incident occurs. The letter, effective immediately, applies to all FHA insurance programs.

The mortgagee letter adds a new section, Significant Cybersecurity Incident, which requires FHA-approved mortgagees to report cyber incidents to HUD within 12 hours of detection. Reports will be made to HUD's FHA Resource Center and to HUDs Security Operations Center.

The FDIC yesterday issued FIL-26-2024 announcing revisions to Call Reports and the FFIEC 002 Report as published [89 FR 45046] on May 22, 2024, in the Federal Register.

Proposed changes were issued on September 28, 2023 (FIL-52-2023) and December 27, 2023 (FIL-68-2023). After considering the comments received on these notices, the agencies are moving forward with certain proposed revisions related to replacing references to “troubled debt restructurings” with “modifications to borrowers experiencing financial difficulty” consistent with ASU 2022-02, the reporting on the internet website addresses of depository institution trade names, and the adoption of the standards for electronic signatures. These updates to the Call Report and FFIEC 002 report forms and instructions will be effective as of the June 30, 2024, report date.

The agencies are implementing revisions related to reporting of loans to NDFIs as of the December 31, 2024, report date. The agencies are also adding a new Memorandum item that would identify the amounts reported as a structured financial product that are guaranteed by U.S. Government agencies or sponsored agencies, which would be effective as of the December 31, 2024, report date.

The agencies are continuing to review comment letters related to loan modifications to borrowers experiencing financial difficulty under ASU 2022-02, as well as the proposed clarification on the reporting of past due loans and proposed reporting of long-term debt requirements, for further changes to the Call Report and the FFIEC 002. Comments on the May 22, 2024, Federal Register notice will be accepted through June 21, 2024.

The FDIC yesterday published its 2024 Risk Review, which provides an overview of banking conditions in 2023 in five broad categories: market risks, credit risks, operational risks, crypto-asset risks, and climate-related financial risks. The market risks areas discussed are liquidity, deposits and funding, and net interest margins and interest rate risk. The credit risks areas discussed are commercial real estate, residential real estate, consumer, agriculture, small business, corporate debt and leveraged lending, nonbanks, and energy.

The discussion of operational risks examines the potential negative impact to banks from cyber threats and illicit activity. The crypto-asset risks section discusses the FDIC’s approach to understanding and evaluating crypto-asset-related markets and activities. The discussion of climate-related financial risks focuses on the physical risk of severe weather and climate events to the banking system.

Monitoring these risks is among the FDIC's top priorities.

The Securities and Exchange Commission this morning announced that The Intercontinental Exchange, Inc. (ICE) agreed to pay a $10 million penalty to settle charges that it caused the failure of nine wholly-owned subsidiaries, including the New York Stock Exchange, to timely inform the SEC of a cyber intrusion as required by Regulation Systems Compliance and Integrity (Regulation SCI).

According to the SEC's Order, in April 2021, a third party informed ICE that ICE was potentially impacted by a system intrusion involving a previously unknown vulnerability in ICE’s virtual private network (VPN). ICE investigated and was immediately able to determine that a threat actor had inserted malicious code into a VPN device used to remotely access ICE’s corporate network. However, the SEC’s order finds that ICE personnel did not notify the legal and compliance officials at ICE’s subsidiaries of the intrusion for several days in violation of ICE’s own internal cyber incident reporting procedures. As a result of ICE’s failures, those subsidiaries did not properly assess the intrusion to fulfill their independent regulatory disclosure obligations under Regulation SCI, which required them to immediately contact SEC staff about the intrusion and provide an update within 24 hours unless they immediately concluded or reasonably estimated that the intrusion had or would have no or a de minimis impact on their operations or on market participants.

The OCC has posted a list and schedule of workshops designed to meet the needs of new directors, experienced directors, and senior management of national community banks and federal savings associations wishing to review fundamentals or get critical updates. Two series of workshops have been scheduled throughout the year:

• Basic Series, which includes Building Blocks (1.5 days in person or 3 hour virtual workshop)
• Risk Management Series, which comprises:
  • Risk Governance (1 day in person or 3 hours virtually)
  • Credit Risk (1 day in person or 3 hours virtually)
  • Operational Risk (1 day in person or 3 hours virtually)
  • Compliance Risk (1 day in person or 3 hours virtually)
  • Capital Markets (1/2 day in person)

The schedule of the workshops and online registration are available on the OCC's website.

The FDIC has sent email notices announcing that it will host four seminars in 2024 (the first on May 30, from 2:00 to 3:30 pm ET) on the final rule governing use of Official Signs and Advertising Statement, Misrepresentations of Insured Status, and Misuse of FDIC’s Name or Logo for bank staff, bank officers, and other stakeholders. The first seminar will be held via Microsoft (MS) Teams on May 30, 2024. The dates for the remaining three seminars will be announced at a later date.

The sessions will offer a broad overview of the final rule that amended Part 328 of the FDIC’s regulations. The FDIC amended its regulations governing use of the official FDIC sign and advertisement statements to reflect how depositors do business with banks today, including through digital and mobile channels. The rule also clarified the FDIC’s regulations on misrepresentations of deposit insurance coverage. The final rule is intended to help consumers understand when they are interacting with an FDIC-insured bank and when their funds are protected by the FDIC’s deposit insurance coverage.

The rule became effective on April 1, 2024, and has a compliance date of January 1, 2025. The sessions are ideal for bank employees and other Part 328 stakeholders looking for further information and guidance on the new final rule.

During the presentation on the final rule, FDIC staff will cover:

• Requirements for all FDIC-insured institutions’ use of FDIC official signs. This includes a new FDIC official digital sign for bank websites, apps, and ATMs, as well as updates to the advertising statement.
• Clarifications on the prohibitions against misrepresentations of deposit insurance coverage and misuse of the FDIC’s name and logo, which apply to any person, including banks and non-bank entities.

During the seminar, FDIC staff will also discuss some of the questions that have been raised by bankers, trade associations, technology companies, vendors, and others.

OFAC has released and will publish on May 10 an interim final rule to amend the Reporting, Procedures and Penalties Regulations (the “Regulations”), to require electronic filing of certain submissions to OFAC and to describe and modify certain reporting requirements related to blocked property and rejected transactions. In particular, the rule would require use of the electronic OFAC Reporting System for submission of reports related to blocked property and rejected transactions, remove the mail option for certain other types of OFAC submissions, describe reports OFAC may require from financial institutions for transactions that meet specified criteria, and add a reporting requirement for any blocked property that is unblocked or transferred.

Additionally, OFAC is clarifying the scope of the reporting requirement for rejected transactions, in part to respond to comments received on the interim final rule OFAC published on June 21, 2019 to amend the Regulations. The interim final rule also modifies the procedures for requests relating to property that is blocked in error and updating the Regulations with respect to the availability of information under the Freedom of Information Act (FOIA) for certain categories of records.

The rule also clarifies that persons may submit a petition for administrative reconsideration to seek removal of a person or property from the List of Specially Designated Nationals and Blocked Persons or any other list of sanctioned persons maintained by OFAC. OFAC is also adding a description of reports OFAC may require financial institutions to provide about transactions that meet specified criteria to aid in the identification of blocked property. Finally, OFAC is making several technical and
conforming edits.

The rule will become effective 90 days after publication (August 8, 2024). Comments on the interim final rule will be accepted for 31 days after publication (through June 10, 2024).

Federal Reserve Financial Services yesterday released the results of studies indicating that U.S. businesses and consumers are rapidly adopting digital, faster and instant payment services, according to studies released today by Federal Reserve Financial Services. Digital wallet use saw especially strong growth in 2023 — efficiency-focused businesses increased their use by 31% over the prior year, and convenience-minded consumers experienced a 32% increase.

These changes, particularly consumers’ use of digital wallets and online banking, are leading to increases in instant and faster payment use cases such as bill payment, mobile wallet funding and defunding, account-to-account transfers, and immediate payroll for employees.

Overall, 86% of businesses and 74% of consumers said they used faster or instant payments in 2023, and most (74% of businesses and 79% of consumers) reported looking to their financial institution to provide these services. Other key findings:

• Younger consumers are leading the move to digital, faster and instant payments. More than half of Generation Z (ages 18-25) and millennials (26-41) now use digital wallets, and 80% of these younger consumers say it is important to be able to make payments by mobile device.
• One in four (25%) consumers are challenged by the slow speed of payments and prefer to have better options for instant money movement to help manage personal finances.
• Businesses are using faster/instant payments because it helps them reduce cost (48%) and provides flexibility to pay and be paid as customers prefer (39%). Additionally, 35% appreciate the 24/7 nature of instant payment services.
• Businesses say key use cases that benefit from instant payments include business-to-business (92%), business-to-person (71%) and account-to-account (40%). Many businesses also believe instant payments will be useful for digital wallet funding/defunding (50%) and earned wage access (25%).

Full reports:

• Business Research Brief
• Consumer Research Brief