Top Story Security Related

The OCC has requested comment on a proposal to revise its recovery planning guidelines for certain large insured national banks, federal savings associations, and federal branches (banks).

The proposed rulemaking is part of the OCC’s effort to ensure that large banks are adequately prepared and have developed a plan to respond to the financial effects of severe stress, particularly in light of the contagion effects and systemic risks they may pose.

The proposal would:

• Expand recovery planning guidelines to apply to banks with at least $100 billion in assets
• Incorporate a testing standard for recovery plans
• Clarify the role of non-financial risk (including operational and strategic risk) in recovery planning

Comments from the public will be accepted for 30 days following publication of the proposed in the Federal Register.
Publication and comment period update: Published 7/3/2024 at 89 FR 55114. The comment period will close 8/2/2024.

The Treasury Department reported on Friday that OFAC has designated twelve individuals in leadership roles at AO Kapersky Lab.

On Thursday, the Department of Commerce issued a final determination under Executive Order 13873 prohibiting Kaspersky Lab, Inc., its affiliates, subsidiaries and parent companies directly or indirectly from providing anti-virus software and cybersecurity products or services in the United States or to U.S. persons. Commerce reached this determination after an investigation found transactions involving the products and services of Kaspersky Lab, Inc. and its corporate family pose unacceptable risk to U.S. national security or the safety and security of U.S. persons, as outlined in E.O. 13873.

In addition, the Department of Commerce has designated AO Kaspersky Lab and OOO Kaspersky Group (Russia), and Kaspersky Labs Limited (United Kingdom) on the Entity List for their cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives. These activities are contrary to U.S. national security and foreign policy interests.

For the names and identification information of the designated parties, see the June 21, 2024, BankersOnline OFAC Update.

The FDIC and Federal Reserve Board have jointly announced that, following their joint review of the July 2023 resolution plan submissions of the eight largest and most complex banks, they identified a weakness in the plans from Bank of America, Citigroup, Goldman Sachs, and JPMorgan Chase. The agencies did not identify any weaknesses in the plans from the other banks.

The agencies jointly identified a weakness in the 2023 plan submitted by Citigroup, but reached different conclusions on its severity. The FDIC determined that the Citigroup plan is not credible or would not facilitate an orderly resolution under the U.S. Bankruptcy Code and considers the weakness to be a "deficiency." A deficiency is a weakness that could undermine the feasibility of the plan. The Board concluded that the weakness is only a shortcoming. Under the resolution planning rule of the agencies, when one agency finds a shortcoming in a resolution plan and the other agency finds a deficiency, the plan is deemed to have a shortcoming. As a result, Citigroup's 2023 plan is considered to have a shortcoming. The agencies also previously identified a shortcoming in Citigroup's 2021 plan related to data quality and data management, and that shortcoming remains outstanding.

The agencies provided feedback letters to each of the eight banks that identify areas for continued development of banks' resolution strategies and capabilities. For the four banks with an identified shortcoming, the letters describe the specific weaknesses resulting in the shortcoming and the remedial actions required by the agencies. The shortcomings are to be addressed in the next resolution plans due by July 1, 2025. The feedback letters also specify that each bank, in its 2025 resolution plan submission, should address the topics of contingency planning and obtaining foreign government actions necessary to execute the resolution strategy.

2023 Resolution Plan Feedback Letters:

• Bank of America Corporation
• Bank of New York Mellon Corporation
• Citigroup Inc.
• The Goldman Sachs Group
• JPMorgan Chase & Co.
• Morgan Stanley
• State Street Corporation
• Wells Fargo & Company

The FDIC Board yesterday announced it has approved a final rule to strengthen resolution planning for insured depository institutions (IDIs) with at least $50 billion in total assets. After careful consideration of comments received, the FDIC issued a final rule that incorporates several changes from the agency’s proposed rule published in September of 2023.

Under the rule announced yesterday, the FDIC will require large banks with total assets of at least $100 billion to submit comprehensive resolution plans that meet enhanced standards to support the FDIC’s ability to undertake an efficient and effective resolution under the Federal Deposit Insurance Act should such an institution fail.

The rule will require IDIs with total assets of at least $50 billion but less than $100 billion to submit more limited “informational filings” to assist in their potential resolution. The agency will not require these institutions to develop a resolution strategy and related valuation information as part of their submissions. These institutions are also exempt from submitting certain strategy-related content requirements regarding the institution’s franchise components.

The new rule strengthens the existing IDI resolution planning framework under 12 CFR § 360.10 by requiring a full resolution submission from most covered IDIs every three years with limited supplements filed in the off years. Covered IDIs affiliated with U.S. global systemically important banking organizations must file a full resolution submission every two years.

The final rule will take effect on October 1, 2024, and the first submissions are expected next year.

• Fact sheet
• FIL-34-2024
• Statement by Acting Comptroller of the Currency Michael J. Hsu
• Statement by CFPB Director Rohit Chopra
• Publication update: Published at 89 FR 56620 in the 7/9/2024 Federal Register

Yesterday, Treasury Secretary Janet L. Yellen announced that OFAC had sanctioned eight Mexico-based targets affiliated with La Nueva Familia Michoacana drug cartel for trafficking fentanyl, cocaine, and methamphetamine into the United States. In addition to narcotics trafficking, La Nueva Familia Michoacana smuggles migrants from Mexico into the United States.

Concurrently, Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a Supplemental Advisory to highlight critical new information to help U.S. banks and other financial institutions guard against activity associated with the illicit fentanyl supply chain. The advisory includes new trends and red flags that can be indicators of activity associated with the procurement of precursor chemicals and manufacturing equipment used for the synthesis of illicit fentanyl and other synthetic opioids. Reporting from financial institutions of suspected financial transactions involving illicit fentanyl and narcotics trafficking plays a key role in law enforcement investigations and Treasury’s sanctions efforts globally.

For the names and identification information of the designated parties, see the June 20, 2024, BankersOnline OFAC Update.

FinCEN has issued a FIN-2024-A002) to alert U.S. financial institutions to new trends in the illicit fentanyl supply chain and urge vigilance in identifying and reporting suspicious activity associated with Mexico-based transnational criminal organizations and their illicit procurement of fentanyl precursor chemicals and manufacturing equipment from People’s Republic of China-based suppliers. The supplemental advisory builds off FinCEN’s 2019 advisory with new typologies and red flags to identify and report suspicious transactions, and fulfills the requirement in Section 3202 of the recently enacted FEND Off Fentanyl Act.

• FinCEN news release
• Treasury Department news release
• Remarks by Treasury Secretary Janet L. Yellen

FinCEN recently issued a report of efforts through May 2024 to educate small businesses and other key stakeholders about new beneficial ownership reporting requirements. The report also included a list of upcoming events at which FinCEN representatives will provide information on the regulation.

The OCC has reported the key issues facing the federal banking system in its Semiannual Risk Perspective for Spring 2024.

The OCC reported that the overall condition of the federal banking system remains sound. However, the maturing economic cycle may cause consumer headwinds. It is important for banks to continue identifying material risks and their interconnected impacts. Continuous risk management improvement remains appropriate as this allows banks to guard against complacency.

The OCC highlighted credit, market, operational, and compliance risks as the key risk themes in the report.

Yesterday, the Treasury Department reported that OFAC has designated a network of two individuals and seven entities that provide major sources of revenue for U.S.-designated Republika Srpska President Milorad Dodik and his family. Dodik has used his official position to accumulate personal wealth through companies linked to himself and to Igor Dodik.

For the names and identification information of the designated parties and links to new Balkans-related General Licenses, see the June 18, 2024, BankersOnline OFAC Update.

The OCC has released information on enforcement actions taken against national banks and federal savings associations and individuals currently or formerly affiliated with banks the OCC supervises.

• A Formal Agreement with Credit Suisse AG New York Branch, New York, NY, to address deficiencies in the branch’s compliance related to the Bank Secrecy Act and other anti-money laundering laws and regulations. The branch’s execution of this formal agreement was a condition for the branch’s conversion to a federal license. The provisions of the formal agreement are substantially the same as a December 2020 written agreement between the branch and the Federal Reserve Bank of New York and the New York State Department of Financial Services.
• A Formal Agreement with Touchmark National Bank, Alpharetta, GA, for unsafe or unsound practices, including those relating to the bank’s strategic planning, board and management oversight, liquidity risk management, interest risk management, credit risk management, audit, and information technology.

The OCC also issued Orders of Prohibition against:

• Manuel Alejandro Ramirez Perez, former relationship banker and credit solutions advisor at Bonita Springs and North Naples, Florida, branches of Bank of America, N.A., Charlotte, NC, for improperly accessing customer accounts and providing information on those accounts to a third-party individual.
• Aviana Rivera, former personal banker at a Bryan, Texas, branch of First National Bank Texas, Killeen, TX, for embezzling $11,500 from the account of a bank customer.