Top Story Technology Related

The FDIC, OCC, and Federal Reserve yesterday jointly issued a statement reminding banks of potential risks associated with third-party arrangements to deliver bank deposit products and services. The agencies support responsible innovation and banks engaging in these arrangements in a safe and sound manner and in compliance with applicable law. While these arrangements can provide benefits, supervisory experience has identified a range of safety and soundness, compliance, and consumer-related concerns with the management of these arrangements.

The statement details the potential risks and provides examples of effective risk management practices for these arrangements. In addition, the statement reminds banks of relevant existing legal requirements, guidance, and related resources, and provides insights that the agencies have gained through their supervision. The statement does not establish new supervisory expectations.

Separately, the agencies have requested additional information on a broad range of bank-fintech arrangements, including with respect to deposit, payments, and lending products and services. The agencies are seeking input on the nature and implications of bank-fintech arrangements and effective risk management practices. Responses and comments will be accepted for 60 days following publication of the request for information in the Federal Register. [Update: Published 7/31/2024 at 89 FR 61577, with a 61-day comment period ending 9/30/2024.]

The agencies are considering whether additional steps could help ensure banks effectively manage risks associated with these various types of arrangements.

• OCC Bulletin 2024-20
• OCC Bulletin 2024-21
• FDIC FIL-45-2024

FinCEN has updated its Beneficial Ownership Information Frequently Asked Questions to include new information for entities that are disregarded for U.S. tax purposes (Question F.13), as well as updated information that addresses the time frame for obtaining an Employer Identification Number (EIN) from the IRS (Question G.3). An in-page search for "July 24" will take you to the end of each of those new FAQs.

The updated FAQ can be downloaded as a 50-page PDF document, where the two new FAQs begin on pages 31 and 33, respectively.

The FDIC has released a notice of the next meeting of its Board, scheduled for 10:00 a.m. on July 30, 2024. A link to a webcast of this open to public observation meeting can be found at https://www.fdic.gov/news/board-matters/video.html.

Matters to be considered include:

• Notice of Proposed Rulemaking on Brokered Deposit Restrictions.
• Notice of Proposed Rulemaking on Parent Companies of Industrial Banks and Industrial Loan Companies.
• Request for Information on Deposits.
• Final Guidance for Title I Resolution Plan Triennial Full Filers and Extension of Submission Deadline.
• Proposals regarding the Change in Bank Control Act Regulations and Procedures.
• Final Rule on Revisions to the FDIC’s Section 19 Regulations.
• Interim Final Rule on Clarification of Deposit Insurance Coverage for Legacy Branches of U.S. Banks in the Federated States of Micronesia, the Marshall Islands, and Palau.
• Notice of Proposed Rulemaking regarding the Financial Data Transparency Act.

The Treasury Department on Friday reported that OFAC has exposed the identity of two members of a Russian government-related hacktivist group, and imposed sanctions on them. OFAC designated Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, two members of the Russian hacktivist group Cyber Army of Russia Reborn (CARR) for their roles in cyber operations against U.S. critical infrastructure. These two individuals are the group’s leader and a primary hacker, respectively.

For identification information on Pankratova and Degtyarenko, see BankersOnline’s July 19, 2024, OFAC Update.

The Federal Reserve Board has reported it has addressed consumer compliance breakdowns by Green Dot, fining the firm $44 million for numerous unfair and deceptive practices and a deficient consumer compliance risk management program.

The Board found that Green Dot violated consumer law in its marketing, selling, and servicing of prepaid debit card products, and its offering of tax return preparation payment services. For example, Green Dot failed to adequately disclose the tax refund processing fee for tax preparation services offered on a third party's website. The firm also blocked access to accounts of legitimate customers receiving unemployment benefits and lacked reasonable policies and procedures to help those customers cure those blocks. In addition, Green Dot did not maintain effective consumer compliance risk management and anti-money laundering programs.

For additional details and a link to the Board's consent order, see "Green Dot fined $44M for UDAP violations and deficient compliance program," in BankersOnline's Penalties webpages.

The OCC has released a list of 11 enforcement actions taken against national banks and federal savings associations and individuals currently and formerly affiliated with OCC-supervised financial institutions.

• The amended cease and desist order previously announced against Citibank, N.A., Sioux Falls, South Dakota.
• A cease and desist order against CNB Bank & Trust, N.A., Carlinville, Illinois, for violations of 12 CFR 21.21 (BSA/AML compliance program), 31 CFR 1020.210 (Customer Due Diligence), and 1020.220 (Customer Identification Program) as well as unsafe or unsound practices relating to the bank’s BSA/AML compliance, and failure to correct previously reported BSA/AML compliance problems.
• A formal agreement with Lincoln FSB of Nebraska, Lincoln, Nebraska, for unsafe or unsound practices, including those relating to strategic planning, liquidity risk management, contingency funding planning, interest rate risk management, and board oversight and corporate governance.
• A cease and desist order against Summit National Bank, Hulett, Wyoming, for unsafe or unsound practices including those related to capital and strategic planning, liquidity risk management, transactions with affiliates, and the bank’s BSA/AML compliance program, and violations including of 12 CFR 21.21 (BSA/AML compliance program).
• Orders of prohibition against the following individuals:
  • Cindy M. Flores, former branch operations associate manager at a Fargo, North Dakota, branch of Wells Fargo Bank, N.A., Sioux Falls, South Dakota, for misappropriating at least $47,600 by diverting funds from customer deposit accounts
  • Randall David Ditzer, former banking center team lead relationship banker at a Prairie Village, Kansas, branch of BOKF, N.A., Tulsa, Oklahoma, for making unauthorized withdrawals from the accounts of an elderly bank customer and depositing the funds into his own accounts.
  • Aaliyah Shaheed, former digital banking representative for Varo Bank N.A., Draper, Utah, who worked remotely from Charlotte, North Carolina, for improperly accessing and modifying customer account information, which resulted in approximately $21,700 of fraudulent transfers.
  • Kathryn Thomure (now known as Kathryn Makler), former business banking specialist at a Farmington, Missouri, branch of U.S. Bank, N.A., Cincinnati, Ohio, for making false representations on two Paycheck Protection Program loan applications to the U.S. Small Business Administration and receiving a loan for approximately $29,300.
  • Valeria Martinez Vazquez, former branch relationship banker at Zions Bancorporation, N.A., Salt Lake City, Utah, for misappropriating approximately $11,100 from a customer’s account.
  • Andre Jackson, former relationship banker at a Kenmore, New York, branch of Bank of America N.A., Charlotte, North Carolina, for misappropriating at least $8,000 in cash from the bank.
  • Cordia Shedde McDonald, former associate banker at a New Rochelle, New York, branch of JPMorgan Chase Bank, N.A., Columbus, Ohio, for misappropriating at least $10,000 in cash from the bank.

Yesterday, the Department of the Treasury announced that the Financial Services Sector Coordinating Council (FSSCC) and Treasury have published a suite of resources to share with financial services institutions on effective practices for their secure cloud adoption journey. These deliverables are the result of a year-long public-private partnership of the Financial and Banking Information Infrastructure Committee (FBIIC) and the FSSCC.

To provide leadership support for this joint effort the U.S. Department of the Treasury established the Cloud Executive Steering Group (CESG) in May 2023 at the direction of the Financial Stability Oversight Council (FSOC), to help close the gaps identified in Treasury's landmark report on the Financial Services Sector’s Adoption of Cloud Services. The documents published yesterday are intended to arm financial institutions of all sizes with effective practices for secure cloud adoption and operations, and to establish a continuing effort and partnership to begin to address the gaps identified in Treasury’s report, which include:

• Establishing a common lexicon that may be used by financial institutions and regulators in discussions regarding cloud.
• Enhancing information sharing and coordination for examination of cloud service providers.
• Assessing existing authorities for cloud service provider (CSP) oversight.
• Establishing best practices for third-party risk associated with cloud service providers, outsourcing, and due diligence processes to increase transparency.
• Providing a roadmap for institutions considering comprehensive or hybrid cloud adoption strategies including an update to the Financial Sector’s Cloud Profile.
• Improving transparency and monitoring of cloud services for better “security by design.”

Clear explanations for the utility and application of the documents can be found on the U.S. Treasury website. The website also includes links to the FSSCC-led outputs so that financial institutions can consult them at any part of their cloud services adoption journey and risk management process.

Six federal agencies — The CFPB, FDIC, FHFA, Federal Reserve Board, NCUA, and OCC — have jointly announced their issuance of a final rule required by the Dodd-Frank Act and designed to help ensure the credibility and integrity of models used in valuations for certain mortgages secured by a consumer's principal dwelling. In particular, the rule will implement quality control standards for automated valuation models (AVMs) used by mortgage originators and secondary market issuers in valuing those homes. The final rule is substantially similar to the proposal issued in June 2023.

Under the final rule, the agencies will require institutions that engage in certain transactions secured by a consumer's principal dwelling to adopt policies, practices, procedures, and control systems designed to:

• ensure a high level of confidence in estimates
• protect against data manipulation
• seek to avoid conflicts of interest
• require random sample testing and reviews
• comply with nondiscrimination laws

The agencies said that, driven in part by advances in database and modeling technology and the availability of larger property datasets, AVMs are being used with increasing frequency as part of the real estate valuation process. While advances in AVM technology and data availability have the potential to reduce costs and turnaround times of the property valuation process, it is important that institutions using AVMs take appropriate steps to ensure the credibility and integrity of the valuations produced. It is also important that the AVMs institutions use adhere to quality control standards designed to comply with applicable nondiscrimination laws.

The CFPB and the OCC previously announced their approvals of the rule, which will become effective on the first day of the calendar quarter following 12 months after publication in the Federal Register (if it is published by September 30, it will become effective October 1, 2025).

• FDIC FIL-43-2024

PUBLICATION UPDATE: Published [89 FR 64538] in the 8/7/2024 Federal Register, with an effective date of 10/1/2025.

The OCC has reported that Acting Comptroller of the Currency Michael J. Hsu yesterday discussed three long-term trends that are reshaping banking in remarks at the Exchequer Club.

Mr. Hsu’s written remarks in support of his appearance discussed the increasing number and size of large banks, the complexity of bank-nonbank relationships, and the rise in polarization. Mr. Hsu described how the OCC is uniquely positioned to address each trend.

The White House’s Office of Information and Regulatory Affairs has released its Spring 2024 Unified Agenda of Regulatory and Deregulatory Actions, or URA. This semi-annual report details each federal agency’s upcoming plans to issue or rescind regulations.

The Consumer Financial Protection Bureau’s agenda includes four proposed rule actions, addressing the Fair Credit Reporting Act, or FCRA, mortgage servicing, the Financial Data Transparency Act and consumer financial product contracts under Regulation AA. The bureau released last month the initial part of its FCRA rulemaking and a final rule regarding the attributes a standard-setting body must demonstrate in order to be recognized by the CFPB for purposes of the personal data rights rule; the Bureau plans to finalize the remainder of the proposed rule regarding personal data rights rule in October. The proposed rules for mortgage servicing were issued last week and the Regulation AA proposal is expected in September.

According to the URA, the CFPB projects it will release final rules on non-sufficient fund fees in October and on overdraft fees in January 2025.

On the BSA/AML front, FinCEN expects an August 2024 unveiling of its final AML/CFT rules applicable to investment advisers and certain real estate professionals. FinCEN reported an October target for its proposed revisions to the Customer Due Diligence rule, and is aiming for a May 2025 reveal of proposed rules on 314(b) information sharing protections.