Current Compliance Priorities in Bank Regulatory Exams

Updated examination practices, published guidance and public statements from federal banking agencies can provide insights for banks into where regulators are likely to focus their efforts in coming months. Of particular focus are safety and soundness concerns and consumer protection compliance priorities.

Safety and Soundness Concerns
Although they are familiar topics to most bank leaders, several safety and soundness matters merit particular attention.

  • Bank Secrecy Act/anti-money laundering (BSA/AML) laws. After the Federal Financial Institutions Examination Council updated its BSA/AML examination manual in 2021, recent enforcement actions issued by regulators clearly indicate that BSA/AML compliance remains a high supervisory priority. Banks should expect continued pressure to modernize their compliance programs to counteract increasingly sophisticated financial crime and money laundering schemes.
  • In November 2021, banking agencies issued new rules requiring prompt reporting of cyberattacks; compliance was required by May 2022. Regulators also continue to press for multifactor authentication for online account access, increased vigilance against ransomware payments and greater attention to risk management in cloud environments.
  • Third-party risk management. The industry recently completed its first cycle of exams after regulators issued new interagency guidance last fall on how banks should conduct due diligence for fintech relationships. This remains a high supervisory priority, given the widespread use of fintechs as technology providers. Final interagency guidance on third-party risk, expected before the end of 2022, likely will ramp up regulatory activities in this area even further.
  • Commercial real estate loan concentrations. In summer 2022, the Federal Deposit Insurance Corp. observed in its “Supervisory Insights” that CRE asset quality remains high, but it cautioned that shifts in demand and the end of pandemic-related assistance could affect the segment’s performance. Executives should anticipate a continued focus on CRE concentrations in coming exams.

In addition to those perennial concerns, several other current priorities are attracting regulatory scrutiny.

  • Crypto and digital assets. The Federal Reserve, the Office of the Comptroller of the Currency, and the FDIC have each issued requirements that banks notify their primary regulator prior to engaging in any crypto and digital asset-related activities. The agencies have also indicated they plan to issue further coordinated guidance on the rapidly emerging crypto and digital asset sector.
  • Climate-related risk. After the Financial Stability Oversight Council identified climate change as an emerging threat to financial stability in October 2021, banking agencies began developing climate-related risk management standards. The OCC and FDIC have issued draft principles for public comment that would initially apply to banks over $100 billion in assets. All agencies have indicated climate financial risk will remain a supervisory priority.
  • Merger review. In response to congressional pressure and a July 2021 presidential executive order, banking agencies are expected to begin reviewing the regulatory framework governing bank mergers soon.

Consumer Protection Compliance Priorities
Banks can expect the Consumer Financial Protection Bureau (CFPB) to sharpen its focus in several high-profile consumer protection areas.

  • Fair lending and unfair, deceptive, or abusive acts and practices (UDAAP). In March 2022, the CFPB updated its UDAAP exam manual and announced supervisory changes that focus on banks’ decision-making in advertising, pricing, and other activities. Expect further scrutiny — and possible complications if fintech partners resist sharing information that might reveal proprietary underwriting and pricing models.
  • Overdraft fees. Recent public statements suggest the CFPB is intensifying its scrutiny of overdraft and other fees, with an eye toward evaluating whether they might be unlawful. Banks should be prepared for additional CFPB statements, initiatives and monitoring in this area.
  • Community Reinvestment Act (CRA) reform. In May 2022, the Fed, FDIC, and OCC announced a proposed update of CRA regulations, with the goal of expanding access to banking services in underserved communities while updating the 1970s-era rules to reflect today’s mobile and online banking models. For its part, the CFPB has proposed new Section 1071 data collection rules for lenders, with the intention of tracking and improving small businesses’ access to credit.
  • Regulation E issues. A recurring issue in recent examinations involves noncompliance with notification and provisional credit requirements when customers dispute credit or debit card transactions. The Electronic Fund Transfer Act and Regulation E rules are detailed and explicit, so banks would be wise to review their disputed transaction practices carefully to avoid inadvertently falling short.

As regulator priorities continue to evolve, boards and executive teams should monitor developments closely in order to stay informed and respond effectively as new issues arise.

Preparing for Institutional Risks as Cryptocurrencies Expand

Two words that highlight why digital assets — in particular, cryptocurrencies — are a valuable addition to the financial services ecosystem are “speed” and “access.” However, banks and other organizations that transact in cryptocurrency need to be aware of, and prepare for, unique risks inherent to the digital asset ecosystem.

The technology that supports cryptocurrencies has accelerated the speed of clearing financial transactions. Over the last 25 years, financial institution technology has progressed significantly, but transfers can take several days to clear; international wire transfers take even longer. Cryptocurrency transaction clearing is immediate.

Cryptocurrencies are also increasingly adopted by individuals who have been previously unbanked or “underbanked” and have had difficulty accessing traditional banking systems. Transaction speed, customer experience and an expanding market of digital asset users make cryptocurrencies attractive for more institutions and organizations to adopt, but they need to think about and prepare for a number of risks.

Current State of Regulation
One reason the traditional banking industry is trusted by the public is its regulatory environment. Regulations, including those within the Bank Secrecy Act (BSA), outline the customer identification program and know-your-customer requirements for onboarding new customers. While the cryptocurrency ecosystem is often panned for its perceived lack of regulation, there are layers of regulation that some crypto companies must comply with. For example, the BSA applies to money transmitters, like crypto exchanges. U.S. Securities and Exchange Commission Chair Gary Gensler recently noted, when prompted about large crypto exchanges, “It’s a question of whether they’re registered or they’re operating outside of the law and I’ll leave it at that.”

Does that mean that crypto is regulated as strictly as financial institutions? No, but regulation is progressing. President Joe Biden’s March 2022 executive order included a provision requesting the Financial Stability Oversight Council (FSOC) convene and report on the risks of digital assets to the financial system and propose any regulatory modifications needed to mitigate the risks posed to the financial system by cryptocurrency. Treasury Secretary Janet Yellen, who has been tasked with convening the FSOC, has been a vocal proponent of crypto regulation.

The Treasury Department also released a fact sheet outlining how the United States would work with foreign governments in regulating digital assets.

What does that mean for crypto companies? Considering digital assets were mentioned over 40 times in the FSOC 2021 Annual Report, and since the total market cap of crypto has fallen from $3 trillion in November 2021 to $900 billion as of June 28, 2022, it’s likely regulators will propose new requirements.

Risk Management
Emerging or evolving regulation over large exchanges may not be the panacea that gives financial institutions carte blanche to offer all cryptocurrency products. However, it is a step toward being able to offer new products or access to products within the confines of a regulatory framework, and it creates a standard against which banks can measure their offerings.

However, risks remain. Retail banking customers still interact with virtual asset service providers that operate under innocuous-sounding names and decentralized crypto exchanges run by decentralized autonomous organizations (DAOs) without the corporate governance or regulatory requirements of financial institutions. As regulation evolves, institutions wishing to participate in this market will still be responsible for monitoring and mitigation activities. The good news is that as these risks have evolved, so have the tools used to monitor and mitigate them.

When it comes to risk, adding a new category of services requires changes throughout the organization that include people, process and technology. The digital asset ecosystem requires a different skill set than traditional banking and capital markets. The lexicon is different, the technology is different and the market is more volatile. Trusted information sources have transitioned from global business publications to social media. Institutions looking to participate are going to need to partner with different service providers to help facilitate programs, build infrastructure and provide access to the knowledge, skills and expertise to be successful. These institutions are also going to need to reassess their strategy, how and where digital assets fit, the organization’s new risks resulting from this strategic shift and how they plan to mitigate those risks.

The crypto market has garnered the attention of the current presidential administration, the regulatory environment is continuing to evolve, retail participation continues to increase and the technology supporting the marketplace has the potential to become more efficient than traditional infrastructure. Banks that aren’t assessing their strategy as it relates to digital asset risk will be left behind. Institutions planning on participating should understand the people, process and technology needed to execute their strategy, as well as the potential risks to the organization. Regardless, the cryptocurrency marketplace has given institutions and those charged with governing them a lot to consider.

A Bank CEO Manages the Risks of Doing Business with Fintechs



Not all banks are comfortable taking on the risks of partnerships with startup fintech companies. Mike Butler is the president and CEO of Radius Bank, a $1 billion asset, Boston-based bank with three offices, and a national customer base serviced through innovative online and mobile technology. He explains how he handles the risk of doing business with fintech companies.

The video includes information on:

  • Radius Bank’s Approach to Vendor Risk Management
  • Regulatory Concerns
  • The “Wall” That Protects Customer Data
This article first appeared in the Bank Director digital magazine.

Avoiding Pitfalls in Your Bank’s Data Processing Agreement


A bank’s core processing agreement is often, by far, its most significant vendor agreement. These lengthy and complex agreements are commonly weighted heavily in favor of the vendor and can be rife with traps, such as steep change-in-control and early termination penalties. Nonetheless, many banks enter into core processing agreements without prior review by counsel, or even reading the agreement themselves. In the current regulatory environment, which stresses and scrutinizes vendor risk management and diligence, a bank’s failure to review and negotiate its core processing agreement could easily result in regulatory criticism, as well as unanticipated costs and potential liability.

In the past few years, the bank regulatory agencies have issued new or updated guidance related to vendor diligence and risk management. In those issuances, the regulators express concern that banks’ vendor risk management practices may be inadequate, citing instances in which management has failed to properly assess and understand the risks and costs of their vendor relationships. Regulators are concerned that banks may enter into agreements that are detrimental to the bank’s employees, customers or other stakeholders. Banks are expected to have risk management processes that correspond with the level of risk and complexity of their vendor relationships. Those processes include due diligence, careful vendor selection, contract negotiation, proper termination mechanisms and ensuring proper oversight. Regulators further expect banks to have more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities, which may include significant bank functions, such as payments, clearing, settlements and custody, or significant shared services, such as information technology.

Regulators conducting bank examinations expect to see adequate risk management policies and procedures in place. Proper due diligence, negotiation, and oversight for data processing contracts should be integral to those procedures. Contrary to what many may think, the terms of data processing agreements are negotiable. Some of the most unfavorable terms may be eliminated simply by emphasizing the regulatory or business necessity for those changes during negotiations. Key terms to address in the negotiation process include termination provisions, regulatory provisions, audit rights and performance standards, among others.

A less obvious concern with core processing agreements arises in the context of a bank merger or acquisition. Steep termination fees in a data processing contract can change the economics of a bank acquisition transaction, making the selling bank a less attractive target and negatively impacting shareholder returns on the sale. It is typical for the initial proposal of a data processing agreement to include contract termination fees equal to roughly 80 percent of the remaining fees payable during the term of the contract. In most cases, these termination fees are negotiable, and data processing providers may be receptive to a graduated termination fee schedule, such that termination fees are less severe later in the term of the contract. In addition, termination fee calculations in core processing agreements are often complex. As such, it will be important for bank management to understand the practical implications of those calculations. Data processing providers will often attempt to recoup any past credits or rebates through the termination fee formula. Understanding and negotiating these termination provisions on the front end can save millions of dollars for the acquiring bank, and ultimately increase returns for the bank’s shareholders.

If your bank is considering a new data processing vendor, or reaching the expiration of your current term and considering renewing with your old vendor, you should work through your regulatory vendor risk management and due diligence checklists before entering into a new contract. We further encourage you to identify a dedicated team, with access to bank counsel, to review and negotiate any proposed agreement. If your institution is considering a future sale or other business combination transaction, then negotiating your data processing contract is of paramount concern. Ultimately, an ignored termination provision in your core processing agreement has the potential to undermine a potential merger or materially impair shareholder returns.

Doing an Acquisition? Don’t Forget the CRA Rating


As we move further away from the recent economic crisis, an increasing number of financial institutions are considering becoming buyers or sellers. It is therefore important that potential acquirers position themselves to be attractive suitors, and sellers demonstrate that they are healthy candidates. Although much of this focus is directed toward an institution’s overall safety and soundness and numerous other factors, one issue that should not be overlooked is its record of meeting the credit needs of its local communities when measured against the requirements of the Community Reinvestment Act.

CRA Primary Factors
There are two relevant factors related to CRA. First, an acquiring institution’s CRA rating can dictate whether a potential deal will receive regulatory approval. Depending on the severity, a potential acquirer with a less than “satisfactory” rating, or even one with more narrow weaknesses in its CRA program, will find it difficult if not impossible to obtain regulatory approval for any transaction until it improves its rating and its internal CRA program. Also, the CRA condition of the seller is significant, and the buyer should determine how that will impact the bank after consummation.

Even an institution with an “outstanding” CRA rating can still face difficulties executing a transaction. The CRA allows individuals and community groups to take an active part in the regulatory application and approval process of a transaction by providing a mechanism for the submission of public comments regarding any perceived CRA compliance weakness or criticism of a party to the transaction. Because the CRA rating is publicly reported, unlike the institution’s other confidential examination ratings, this becomes an easy target. By taking advantage of the publicly available data concerning financial institutions, including CRA ratings, groups located far outside the acquirer’s market area can file comment letters that pass the very low threshold set by regulators to entertain these protests. In some cases, these activist groups have been able to extract significant commitments from acquirers just to get deals done.

Regulatory Approval Process
Most often, these public comments do not, in and of themselves, prevent an otherwise viable transaction from occurring. They can, however, significantly slow down a pending transaction. Under current procedures, written public comments are included as part of the record that the federal agencies review in the evaluation of an application for a transaction. In connection with these public comments, the regulators may make several requests for additional information before ultimately determining whether those public comments will impact their approval of the proposal. This process can take several months, and can even drag on for significantly longer. From deal uncertainty, to the potential that key talent will leave in the wake of a long transition, to the potential for major shifts in the market or rapid economic change, delaying the closing of a transaction while this process unfolds can be quite costly and damaging for the parties involved.

The importance of the CRA comment process to banking M&A has existed for decades, although historically, it generally has been confined to transactions involving very large financial institutions, such as the recent CIT Group-OneWest Bank acquisition. With the current paucity of larger bank transactions, smaller deals are attracting more public scrutiny and suffering significant delays of, in some cases, many months. Discussions and negotiations with the regulators on this issue may be difficult and frustrating. If CRA comments are submitted to regulators for a particular transaction, it is important to quickly develop with legal counsel a clear strategy to address and resolve any issues that have been raised.

Practical Takeaways
To mitigate the CRA risk in M&A transactions, the following are some strategies that an organization should consider, either as a buyer or a seller:

  • Continue to develop a strong CRA program and strategy.
  • Proactively develop or deepen relationships with local community groups.
  • Be extremely careful and consult with legal counsel when deciding whether and how to respond to broad “informational” questionnaires from community groups.
  • Engage with banking regulators early in the transaction process regarding each party’s CRA status, strengths and potential challenges.
  • In the transaction agreement, consider specifically providing for community-based outreach or support programs following the transaction.
  • Provide clear evidence of community support by both parties, pre- and post-transaction, in the deal announcement.
  • Take all protests seriously, and be cognizant that all communication and information may become public.