The three federal banking agencies (i.e., the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency—collectively, the Agencies) published a final rule (the Rule) on November 23, 2021, requiring “banking organizations” to notify their primary federal regulator within 36 hours in the event of certain types of computer-security incidents. The Rule separately requires “bank service providers” to notify banking organization customers as soon as possible in the event of any incident that has or is reasonably likely to materially affect those customers for four or more hours.
As highlighted previously, three federal banking agencies (the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency) recently issued proposed risk management guidance regarding third-party relationships (Proposed Guidance). Among other things, the Proposed Guidance specifies that banking organizations should adopt third-party risk management processes that are commensurate with the identified level of risk and complexity from the third-party relationships, and with the organizational structure of each banking organization.
The proposed guidance also identifies principles that are applicable to each stage of the third-party risk management life cycle, including: (1) developing a plan that outlines the banking organization’s strategy, identifies the inherent risks of the activity with the third party, and details how the banking organization will identify, assess, select, and oversee the third party; (2) performing proper due diligence in selecting a third party; (3) negotiating written contracts that articulate the rights and responsibilities of all parties; (4) having the board of directors and management oversee the banking organization’s risk management processes, maintaining documentation and reporting for oversight accountability, and engaging in independent reviews; (5) conducting ongoing monitoring of the third party’s activities and performance; and (6) developing contingency plans for terminating the relationship in an effective manner. The proposed guidance provides extensive details on all the above identified principles.
The OCC, the Federal Reserve Bank, and the FDIC (collectively, the Banking Regulators) announced an interim final rule on March 9 that revises their capital rules to facilitate implementation of the US Treasury Department’s Emergency Capital Investment Program.
The Agencies issued a joint Fact Sheet that lists considerations for a risk-based approach when it comes to charities and nonprofits. While the Fact Sheet purports to not impose additional obligations on banks, it is hard to view the “considerations” as anything but.
The five federal banking agencies (Federal Reserve, CFPB, FDIC, NCUA, and OCC – collectively Agencies) issued a proposed rule on October 20 on the role of supervisory guidance. The proposal codifies and expands upon a 2018 statement from the same agencies about which we previously reported. In November 2018, the Agencies (aside from the NCUA) received a petition for a rulemaking, as permitted under the Administrative Procedure Act, requesting that the Agencies codify the 2018 statement.
The Financial Crimes Enforcement Network (FinCEN) issued a final rule that requires minimum standards for anti-money laundering (AML) programs for banks lacking a federal functional regulator (the Federal Reserve Board, OCC, FDIC, OTS, NCAU, and SEC), i.e., banks and similar financial institutions that are subject only to state regulation and supervision, and certain international banking entities (collectively, “covered banking entities”).
The Federal Deposit Insurance Corporation (FDIC) announced on July 24 the approval of a final rule that will ease restrictions on banks’ hiring process for individuals with certain criminal offenses on their records. The final rule codifies and revises the current and longstanding FDIC Statement of Policy on this topic and will be effective 30 days after its publication in the Federal Register.
The Federal Deposit Insurance Corporation (FDIC) issued a final rule on June 25 that reaffirms the enforceability of the interest rate terms of loans made by state-chartered banks and insured branches of foreign banks (collectively, state banks) following the sale, assignment, or transfer of the loan. The rule also provides that whether interest on a loan is permissible is determined at the time the loan is made, and is not affected by a change in state law, a change in the relevant commercial paper rate, or the sale, assignment, or other transfer of the loan. The final rule follows the FDIC’s proposed rule on this topic, and will take effect 30 days after publication in the Federal Register.
The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the US Department of the Treasury’s Financial Crimes Enforcement Network