How Banks Can Leverage Continuous Auditing, Continuous Monitoring

Continuous auditing and continuous monitoring are among the most misunderstood and under-utilized concepts in business. While continuous auditing and continuous monitoring, or CA and CM, may be two distinct concepts, they operate under the same development umbrella. When institutions design, build and implement them correctly, both can deliver targeted and dynamic results.

To leverage the power of this methodology, bankers should start by understanding the overlooked differences between the two approaches. Continuous auditing and continuous monitoring are two distinct disciplines.

The first key difference between the two is frequency. A confusing aspect of the CACM methodology is the name. Everyone hears the word “continuous” and believes this type of work goes on forever, without any consideration. That could not be further from the truth. Continuous auditing has a distinct start and finish; in contrast, continuous monitoring can be started and stopped at any time and has no set length of execution.

Like any type of formalized testing, a CA program must contain a time frame in which the work will be performed so a conclusion on the control effectiveness for the same period can be made. Conversely, a CM program can be started, stopped and restarted again for any length of time because it is not being executed to provide a conclusion on the control environment. Rather, it delivers an indication that a specific control or set of controls produces the expected results within acceptable performance limits.

The second key distinction is the testing specifics. The CA approach has detailed control process descriptions that provide information to develop the corresponding steps to be reperformed — in order to confirm the results. In contrast, the CM approach selects a control or controls and verifies the outcomes are within the acceptable limits of the business process requirements. At no time does a CM review, examine or reperform the control steps to validate results. The only information obtained and examined in the CM review is the result. If those results are within the acceptable control parameters, there is no additional verification performed. The CA approach provides a more comprehensive validation of the control environment compared to the CM approach.

Common Uses for the CACM Methodology
One of the most appealing aspects of the CACM methodology is that it can be applied to any business process in any industry. However, there are considerations to include in the evaluation process before selecting your target business processes. The most effective way to communicate these considerations is not by telling you the best business processes to target, but by providing you with the business areas that should be avoided when developing your CACM methodology.

This does sound contradictory, but to avoid methodological pitfalls, there are limitations to consider when selecting a target CACM area. While you can apply the CACM methodology to any process, in any industry, it is important to consider using a new methodology to proactively validate your existing control environment and identify potential future challenges.

To do that, there are two areas to avoid when selecting your target CACM business processes: complexity and judgment. Regarding complexity, the methodology is going to ask you to identify the most critical control or controls in the process that directly impact the outcome. It will be difficult, if not impossible, to identify one or two critical controls in any complex business process. With judgment, the process allows for overrides, which potentially creates false positives in the CACM. Even with detailed approval guidelines, the subjective nature of the process makes it a challenging selection for a CACM.

At Baker Tilly, we recommend banks incorporate CACM into their compliance business process. Most compliance processes have very specific, detailed and documented process requirements with almost zero judgment. Compliance rules and regulations do not provide a significant amount of grey area. Those types of processes make it easier to incorporate your CACM process because the business requirements are clear and you will have an easier time selecting the most critical control points.

Continuous auditing and continuous monitoring provide organizations with a proactive review approach that helps identify potential control breakdowns. This proactive approach allows organizations to enhance their current control environment, strengthen their compliance processes and build a stronger business culture to mitigate risk and potentially eliminate future losses.

How Smaller Banks Can Prepare for Climate-Related Credit Risks

In 2021 and 2022, the nation’s financial regulators began sharing their future expectations for banks related to the growing concern of climate risk.

Their particular emphasis is focused on the impact of climate change on an institution’s credit risk. While the near-term direct impact is limited to the country’s largest institutions for now, there is an understanding that it’s only a matter of time until smaller banks will have to address similar regulatory expectations.

What can, and should, bankers at smaller banks be doing about climate risk in their portfolios? How can they prepare for future regulatory expectations? What information do they need to track?

Bank credit risk managers can start with understanding what types and levels of climate risk they have in their portfolios now, and how to track that going forward. It’s crucial they establish a baseline of their risk appetites and thresholds when looking at emerging risks.

Banking agencies are looking at rules intended to disclose how larger banks and other firms are incorporating climate risks into their risk management and overall business framework and strategies. That includes physical risks, such as the risk of financial losses from serious weather events like hurricanes and wildfires, and transition risks that come from shifting to a low-carbon economy and creating so-called “orphaned assets.”

To understand a bank’s credit and risk exposure to climate-sensitive and carbon-sensitive assets, credit managers need to start by identifying, flagging and reporting on loans that are either in geographical areas more likely to be impacted by physical climate risks or made to higher-carbon industries representing potential transition risk.

How To Use Climate Information to Manage Climate Risk
Can smaller banks apply similar methods to manage their climate credit risk that they’ve used for previously identified emerging risks? Could a bank apply similar approaches it used for commercial real estate and Covid-19 concentrations to identify and track climate concentrations in a loan portfolio to get an overall view of the climate-related credit risk?

A banker could use standard industry codes, also called NAICS Codes, to identify high carbon business or industry concentrations and exposures. Examples include coal, oil, mining, refining and supporting industries like trucking and drilling.

To address acute climate physical risk, a banker could look at using CRE property types like hotels, offices or multifamily for loans in riskier geographic areas like shores and waterways, as well as locations more prone to climate incidents like hurricanes, wildfires and floods. There are a few different geo-location codes that can be leveraged for this type of concentration tracking: zip codes, counties, cities or MSA codes.

An example of a bank trying to get ahead of coding for climate is $36.6 billion BankUnited N.A., a regional bank headquartered in Miami Lakes, Florida. The bank’s third line of defense assurance group, credit review, wanted to begin broadly identifying climate exposure and climate related borrowers in their portfolios, to advance the consideration of climate impact from a credit perspective.

In 2022, they started by tagging any borrower reviewed by credit review within routine examinations focused on assessing risk grading and underwriting as “carbon sensitive.” The identification is subjective and is based on matters such as the loan borrower’s industry, business operations, inputs or by-products, location and collateral type and related potential repayment risk. Based on those data points, their analyst makes an assessment as to whether or not to tag the loan as “carbon sensitive.” An example would be a borrower with significant dependence on waterways that are currently experiencing profound and ongoing drought. They report the results at the examination level, as well as on a consolidated basis to management and the second line of defense.

Currently, there remain no plans for near-term regulatory requirements related to climate change or carbon sensitivity reporting or tracking for community banks. Regulators are only considering the largest banks for rules around climate asset management, climate risk management frameworks and policies.

But risk management techniques are always evolving. Forward-looking risk managers at banks of all sizes will want to continue momentum in 2023, to look forward and create a data-driven climate credit risk management program as tools improve and regulations and industry best practices mature. For now, directionally correct views of climate credit risk can potentially be a strategic risk management advantage for even the smallest bank.

Taking Control and Mitigating Risk With a Collateral Management System

For many banks, managing the manifold economic and internal risks has been a stressful and very manual process.

Truly gaining a comprehensive overview of all the collaterals associated with a bank’s lending business is often the top desire we hear from clients, followed by in-depth reporting and collateral management workflow capabilities. Historically, collateral management in wealth management lending has often been a siloed process with each department managing it individually. And the need for additional resources in credit and risk departments has been a growing trend. In our research, the processes by which banks manage their collaterals vary but often involve collecting data from a variety of sources, tracking it manually in spreadsheets, and pulling rudimentary reports from the core banking system that give only basic aggregated information at best.

Banks need a way to monitor and manage collateral for all their lending products, not just securities-based lending. An enterprise collateral management solution allows credit and risk professionals to:

• Gain an accurate and up-to-date overview of collaterals across different asset and loan types in real-time for marketable securities, if desired.
• Set up multiple credit policies.
• Perform portfolio concentration analysis for more in-depth insights on potential risks.
• Pull pre-defined and custom reports quickly and efficiently.
• Automate collateral release support.
• Assess borrower’s risk across the entire relationship through data visualizations and modules.
• Conduct in-depth “what-if” stress testing for marketable securities to proactively mitigate any potential risks.

Make Decisions and Act With Efficiency
Many organizations are siloed, and visibility across groups is an organizational struggle. The lack of visibility across teams can cause operations and client-facing staff to struggle with making timely and informed decisions. A digital, streamlined enterprise collateral management solution can create efficiencies for cross-team collaboration. Your bank’s team should look for solutions with features like tools, reports and workflows that enable them to make informed decisions and act with efficiency, including:

• Automatic calculation of collateral release.
• Portfolio concentration analysis to provide more in-depth insights on potential risk.
• Rule-based and streamlined workflows to support collateral call management at scale, with efficiency and at a reduced cost.

The standards for bank risk management and customer service are at some of their highest levels today; management teams are looking for immediate answers to their questions in this uncertain environment. It is essential that banks have a technological solution that equips their team to have the answers at their fingertips to provide the service clients expect and deserve. Now more than ever, financial institutions need a collateral management solution that provides speed, transparency, efficiency and a streamlined digital workflow to support the new hybrid working environment.

Risk, Performance and Banking: What Really Matters

The goal of banks is to create financial stability and profit while building strong relationships with customers, employees and the community. What’s standing between your bank and that goal? Asking that question is the first step to finding out.

Banks measure performance in financial terms: they compare loan rates, customer growth and other key performance indicators (KPIs). But looking at performance in this way only shows how things are going, not why they are going that way or how performance could change in the coming weeks, months or years.

Understanding the “why” requires deeper analysis — an analysis that comes from enterprise risk management, or ERM. ERM is a system for managing risk holistically throughout a financial institution to create value. It’s about identifying, assessing, measuring, monitoring, mitigating and communicating risk — and using that information to build a stronger, more resilient institution.

Why should bank boards care about ERM?

1. Compliance Management. Compliance management is a huge concern for any bank. From federal and state consumer protection and privacy regulations to Bank Secrecy Act/anti-money laundering (BSA/AML) regulation, the number of regulations and the speed of regulatory change can be overwhelming.

Not only can non-compliance hurt individual consumers, it can damage a bank’s ability to offer the best-possible pricing, products and services. Failing to comply can result in costly enforcement actions, fines and lawsuits. It can also lead to limitations on growth.

Banks need to have a strong compliance management system, or CMS. This allows them to identify, measure, monitor and mitigate compliance risk. A CMS can also help banks respond more efficiently to regulatory changes by ensuring they implement changes while minimizing the cost of compliance.

2. Vendor Management. Third-party partners, including vendors, fintech partners and consultants, can easily increase the potential risk to a bank or its customers. Data breaches can expose customer data. Outages can prevent customers from accessing the products and services they need. Mistakes can result in compliance violations and consumer harm. Automatic contract renewals can cause the bank to sign long-term contracts with unfavorable pricing.

Managing third-party risk requires a good vendor management program. It’s not just a regulatory requirement; it’s also a best practice. Not only can vendor management help a bank secure lower pricing, this required due diligence and monitoring helps banks identify vendor partners that could help the bank grow and thrive.

3. Findings Management. A bank needs to correct identified problems quickly. But it can be easy to lose track of these problems — whether they are self-identified, examiner or audit findings — with the demands of day-to-day responsibilities.

Every bank should have a findings management program that logs every finding, assigns it to someone responsible for remediation and tracks its remediation. This creates accountability that ensures that no finding is overlooked, whether it’s a consumer complaint, a weakness in a control, a vendor issue or a compliance violation.

Risk Performance Management for High-Performing Banks
Each of these three areas of ERM has the potential to hurt or enhance a bank’s performance. Done well, they can better control costs, strengthen the bank’s resilience and more quickly achieve the board’s strategic goals. One of the most effective ways for a bank to gauge its risk and performance is by leveraging expert solutions that provide the frameworks, tools and knowledge that executives and the board need to maximize the efficiency of the process. These solutions can also serve as an educational primer, showing banks what needs to be done and the best ways to do it efficiently, so the bank can follow a clear, well-informed path forward.

These solutions also make it easy to understand where the threats and opportunities are for an institution. This is especially important as banks try to keep pace with evolving technology and consumer expectations. Having the right risk management tools in place directs the executives and employees to quickly ask the right questions when evaluating new technologies, partners and strategies, and understand what those answers mean.

Whether it’s knowing how regulations impact a new product or service, or assessing the maturity of a vendor’s cybersecurity controls, good risk management means having more information sooner to make better decisions — and that leads to better performance.

3 Common Insurance Gaps at Banks

Banks must take risk management seriously – and part of managing risk is properly insuring property and casualty risk. Below are the three critical, yet commonly overlooked, areas that institutions should be aware of in addressing their property and casualty insurance program.

1. Think Deeply About the Bank’s Entire Risk Profile
Banks are a complicated risk entity without a cookie-cutter insurance blueprint. The bank business model makes banks a natural target for criminal acts, while daily operations leave the bank exposed to a host of liability claims. We have also recently seen an increase in regulatory scrutiny related to banks, especially banks’ cyber exposure. Another factor working against the bank is the lack of set standards, guidance and/or oversight of their insurance program. These factors combined make banks particularly complicated to insure competently.

It is imperative that banks consider the entirety of their risks in ensuring they have appropriate coverage and limits. Risk factors to consider include ownership structure, recent financial performance, geographic location, loss history, makeup of the board and management, business model and growth projections. When these factors are considered together, a bank can more completely insure its risks as many of the core coverage lines (and policy forms) are unique only to commercial banks.

2. Cyber Exposure Needs to Be Addressed Under Three Separate Policies
When most banks hear cyber insurance, they think of their cyber liability policy. Most carriers consider this computer systems fraud and it is intended to respond to electronic claims when the bank’s funds are lost or stolen. A typical non-bank cyber liability policy will also include a crime component for electronic losses like fraudulent instruction and electronic funds transfer fraud.

However, there are additional coverages specifically available to banks for cyber loss. The second is the bank’s FI bond. This is a broader policy and can carry much higher limits. Other coverages under the FI bond include computer systems fraud such as hacker and virus destruction, as well as voice-initiated transfer fraud. There is also an option to insure “social engineering” claims through the FI bond policy.

The third policy that may apply in a cyber loss is the bankers professional liability (BPL). If a bank does not carry social engineering on its bond and a customer’s account is hacked through the customer’s own system (as opposed to the bank’s), the FI bond likely will not cover the customer’s stolen money. A BPL may provide coverage for depositor’s liability in this case.

Banks should make sure that all three of these policies have adequate limits, do not have overlapping coverage, and also do not leave any gaps in coverage.

3. The Areas of Greatest Exposure
Although cyber and D&O are often the first two areas of insurance a bank focuses on, we believe more attention should be paid to the bankers professional liability policy. In the most basic sense, BPL covers the bank for losses arising from any service the bank provides to a customer, aside from lending activity. It’s often colloquially called Bankers E&O and is essentially broad form negligence coverage.
Conversely, lender liability is intended to cover that which BPL excludes: wrongful acts arising from a loan or lending activity. It is important that banks have lender liability included within the BPL.

There are two main reasons BPL/lender liability are important:
1. The most frequent claim for banks falls under the BPL/lender liability. In 2021, 51% of bank liability claims fell under BPL or lender liability. Cyber liability and D&O claims constituted 8% and 12% of claims, respectively.
2. Since they are usually insured under the same insuring agreement, they also usually share one limit. A borrower suit that turns into a paid claim would also erode the BPL limit.

Most peer group average BPL and lender liability limits are relatively low; it’s recommended that banks keep their limit at or slightly above average, at a minimum.

Given the complex factors above, how can you know if your bank is protected? Consider the following questions:

  • Are my financial institution and its officers protected from all the types of risk that could hurt us?
  • Do I have a partner I trust to complement my unique business and offer integrated solutions that offer the right amount of coverage?
  • How much time, productivity and fees does it cost the bank to have relationships with multiple brokers and advisors?

Insurance is complex. Threats to the security of your financial organization are ubiquitous. You should have an expert to help you navigate the process and build a tailored solution for your institution.

Current Compliance Priorities in Bank Regulatory Exams

Updated examination practices, published guidance and public statements from federal banking agencies can provide insights for banks into where regulators are likely to focus their efforts in coming months. Of particular focus are safety and soundness concerns and consumer protection compliance priorities.

Safety and Soundness Concerns
Although they are familiar topics to most bank leaders, several safety and soundness matters merit particular attention.

  • Bank Secrecy Act/anti-money laundering (BSA/AML) laws. After the Federal Financial Institutions Examination Council updated its BSA/AML examination manual in 2021, recent subsequent enforcement actions issued by regulators clearly indicate that BSA/AML compliance remains a high supervisory priority. Banks should expect continued pressure to modernize their compliance programs to counteract increasingly sophisticated financial crime and money laundering schemes.
  • In November 2021, banking agencies issued new rules requiring prompt reporting of cyberattacks; compliance was required by May 2022. Regulators also continue to press for multifactor authentication for online account access, increased vigilance against ransomware payments and greater attention to risk management in cloud environments.
  • Third-party risk management. The industry recently completed its first cycle of exams after regulators issued new interagency guidance last fall on how banks should conduct due diligence for fintech relationships. This remains a high supervisory priority, given the widespread use of fintechs as technology providers. Final interagency guidance on third-party risk, expected before the end of 2022, likely will ramp up regulatory activities in this area even further.
  • Commercial real estate loan concentrations. In summer 2022, the Federal Deposit Insurance Corp. observed in its “Supervisory Insights” that CRE asset quality remains high, but it cautioned that shifts in demand and the end of pandemic-related assistance could affect the segment’s performance. Executives should anticipate a continued focus on CRE concentrations in coming exams.

In addition to those perennial concerns, several other current priorities are attracting regulatory scrutiny.

  • Crypto and digital assets. The Federal Reserve, the Office of the Comptroller of the Currency, and the FDIC have each issued requirements that banks notify their primary regulator prior to engaging in any crypto and digital asset-related activities. The agencies have also indicated they plan to issue further coordinated guidance on the rapidly emerging crypto and digital asset sector.
  • Climate-related risk. After the Financial Stability Oversight Council identified climate change as an emerging threat to financial stability in October 2021, banking agencies began developing climate-related risk management standards. The OCC and FDIC have issued draft principles for public comment that would initially apply to banks over $100 billion in assets. All agencies have indicated climate financial risk will remain a supervisory priority.
  • Merger review. In response to congressional pressure and a July 2021 presidential executive order, banking agencies are expected to begin reviewing the regulatory framework governing bank mergers soon.

Consumer Protection Compliance Priorities
Banks can expect the Consumer Financial Protection Bureau (CFPB) to sharpen its focus in several high-profile consumer protection areas.

  • Fair lending and unfair, deceptive, or abusive acts and practices (UDAAP). In March 2022, the CFPB updated its UDAAP exam manual and announced supervisory changes that focus on banks’ decision-making in advertising, pricing, and other activities. Expect further scrutiny — and possible complications if fintech partners resist sharing information that might reveal proprietary underwriting and pricing models.
  • Overdraft fees. Recent public statements suggest the CFPB is intensifying its scrutiny of overdraft and other fees, with an eye toward evaluating whether they might be unlawful. Banks should be prepared for additional CFPB statements, initiatives and monitoring in this area.
  • Community Reinvestment Act (CRA) reform. In May 2022, the Fed, FDIC, and OCC announced a proposed update of CRA regulations, with the goal of expanding access to banking services in underserved communities while updating the 1970s-era rules to reflect today’s mobile and online banking models. For its part, the CFPB has proposed new Section 1071 data collection rules for lenders, with the intention of tracking and improving small businesses’ access to credit.
  • Regulation E issues. A recurring issue in recent examinations involves noncompliance with notification and provisional credit requirements when customers dispute credit or debit card transactions. The Electronic Fund Transfer Act and Regulation E rules are detailed and explicit, so banks would be wise to review their disputed transaction practices carefully to avoid inadvertently falling short.

As regulator priorities continue to evolve, boards and executive teams should monitor developments closely in order to stay informed and respond effectively as new issues arise.

Regulatory Crackdown on Deposit Insurance Misrepresentation

Federal banking regulators have recently given clear warnings to banks and fintechs about customer disclosures and the significant risk of customer confusion when it comes to customers’ deposit insurance status.

On July 28, 2022, the Federal Deposit Insurance Corporation and the Federal Reserve issued a joint letter to the crypto brokerage firm Voyager Digital, demanding that it cease and desist from making false and misleading statements about Voyager’s deposit insurance status, in violation of the Federal Deposit Insurance Act, and take immediate corrective action.

The letter stated that Voyager made false and misleading statements online, including its website, mobile app and social media accounts. These statements said or suggested that: Voyager is FDIC-insured, customers who invested with the Voyager cryptocurrency platform would receive FDIC insurance coverage for all funds provided to, and held by, Voyager, and the FDIC would insure customers against the failure of Voyager itself.

Contemporaneously with the letter, the FDIC issued an advisory to insured depository institutions regarding deposit insurance and dealings with crypto companies. The advisory addressed the following concerns:

  1. Risk of consumer confusion or harm arising from crypto assets offered by, through or in connection with insured banks. This risk is elevated when a nonbank entity offers crypto assets to the nonbank’s customers, while offering an insured bank’s deposit products.
  2. Inaccurate representations about deposit insurance by nonbanks, including crypto companies, may confuse the nonbank’s customers and cause them to mistakenly believe they are protected against any type of loss.
  3. Customers can be confused about when FDIC insurance applies and what products are covered by FDIC insurance.
  4. Legal risk of insured banks if a crypto company or other third-party partner of the bank makes misrepresentations about the nature and scope of deposit insurance.
  5. Potential liquidity risks to insured banks if customers move funds due to misrepresentations and customer confusion.

The advisory also includes the following risk management and governance considerations for insured banks:

  1. Assess, manage and control risks arising from all third-party relationships, including those with crypto companies.
  2. To measure and control the risks to the insured bank, it should confirm and monitor that these crypto companies do not misrepresent the availability of deposit insurance and should take appropriate action to address any such misrepresentations.
  3. Communications on deposit insurance must be clear and conspicuous.
  4. Insured banks can reduce customer confusion and harm by reviewing and regularly monitoring the nonbank’s marketing material and related disclosures for accuracy and clarity.
  5. Insured banks should have appropriate risk management policies and procedures to ensure that any services provided by, or deposits received from, any third-party, including a crypto company, effectively manage risks and comply with all laws and regulations.
  6. The FDIC’s rules and regulations can apply to nonbanks, such as crypto companies.

At a time when crypto companies are increasingly criticized for courting perceived excessive risk and insufficient transparency in their business practices, the FDIC and other banking agencies are moving to ensure that these companies’ practices do not threaten the banking industry or its customers. On Aug. 19, the FDIC issued letters demanding that five crypto companies cease and desist from making false and misleading statements about their FDIC deposit insurance status and take immediate corrective action.

In addition to the FDIC’s suggestions in its advisory, we suggest both banks and fintech vendors consider the following measures to protect against regulatory criticism or enforcement:

  1. Banks should build the right to review and approve all communications to bank customers into their vendor contracts and joint venture agreements with fintechs and should revisit existing contracts to determine if any adjustments are needed.
  2. Banks should consult with legal counsel as to current and expected regulatory requirements and examination attitudes with respect to banking as a service arrangements.
  3. Fintechs should engage with experienced bank regulatory counsel about the risks inherent in their business and contractual arrangements with insured banks by which the services of the fintech are offered to bank customers.
  4. Banks should conduct appropriate diligence as to their fintech partners’ compliance framework and record.

Additionally, should a bank’s fintech partner go bankrupt, the bank should obtain clarity — to the extent that it’s unclear — as to whether funds on deposit at the bank are property of the bankruptcy estate or property of a non-debtor person or entity; in this case, the fintech’s customers. If funds on deposit are property of non-debtor parties, the bank should be prepared to address such parties’ claims, including by obtaining bankruptcy court approval regarding the disposition of such funds on deposit. Additionally, the bank may have claims against the bankrupt fintech entity, including claims for indemnity, and should understand the priority and any setoff rights related to such claims.

Fed Account Guidance Yields More Confusion

In seeking answers from the Federal Reserve Board and one of the regional banks, a crypto fintech’s lawsuit may have forced the regulator to issue guidance on how other companies can gain access to the nation’s vaunted payment rails. 

At issue are which companies are eligible to request master accounts at the 12 Federal Reserve Banks, and in turn, how the Reserve Banks should consider those requests. Central to this debate — and the timing of this guidance — is the Custodia lawsuit.

The day after the Board released the guidance, it asked a judge to dismiss a lawsuit from Custodia, a company that holds a special purpose depository institutions charter from the Wyoming Department of Banking. Custodia, which focuses on digital asset banking, custody and payment solutions, applied for a master account from the Federal Reserve Bank of Kansas City in October 2020, and sued both the Kansas City Fed and the Board this year to force a decision; the Board cited the final guidelines in its justifications for a dismissal. 

“Honestly, it makes the guidelines seem like they were written, in part, to get courts to give [the Board] more deference when it winds up in litigation,” says Julie Hill, a law professor at the University of Alabama who has written about Fed account access. 

Outside of the lawsuit, the guidance speaks to the interest that fintechs and companies with novel bank charters have shown in opening Fed accounts. A Fed account comes with access to the payment rails; the entire banking as a service (BaaS) business line is premised on banks serving as intermediaries and account holders for fintechs to send and store customer money. 

If the path to applying for a master account becomes clearer, institutions with novel banking charters could bypass bank partnerships, and request and operate these accounts directly. But experts tell Bank Director that the Aug. 15 guidance codifies existing practices while offering little insight into how nonbanks can get these accounts — leaving most fintechs and bank partners where they started. 

Companies that want Fed accounts request access from one of the 12 Reserve Banks, depending on which district the company is located in. The final guidance that the Federal Reserve Board issued is directed to those Reserve Banks; its involvement in these regional banks’ decision-making indicates that the Board is trying to make these decisions consistent across regions and may be involved in individual requests as well, experts say.

The Fed’s guidance includes six principles that the regional Reserve Banks should use when evaluating these requests, along with a three-tiered review framework for the amount of due diligence and scrutiny that the Reserve Banks should apply to requests submitted by different types of institutions. 

But observers still see shortcomings in the guidance. Several experts pointed out that the guidance doesn’t address which companies are eligible to apply, which is the first hurdle nonbanks must address before requesting an account. It was one of the most frequently asked questions that companies submitted to the regulator, says Matthew Bisanz, a partner in Mayer Brown’s financial services regulatory and enforcement practice. 

The guidance retains the “substantial discretion” that Reserve Banks have in deciding approvals, meaning that institutions still do not have a clear path to account access, according to a Mayer Brown client note. The process is so unclear that these accounts are granted via requests rather than applications that regulators would normally employ, Hill points out.

Observers are waiting to see how the guidance figures into the Custodia case. Hill says that Custodia is an interesting test case; the company is in a strong position to request an account and addresses many of the regulator’s stated risk concerns. It has an ABA routing number and applied to become a member of the Kansas City Fed, which could advance it from tier three to tier two in the review framework. The company also accepts U.S. dollar deposits but does not have FDIC deposit insurance, which is one factor in the tier one considerations.

What’s Next
Hill says the next step for the Reserve Banks is potentially getting together to develop a sort of operating procedure, which could make the request and decision-making process more consistent across regions. And fintechs that might be interested in a novel bank charter may want to reach out to sympathetic lawmakers in Congress and explain their cause. Custodia and other crypto companies have found a champion in Sen. Cynthia Lummis, R-Wyo., and an ally in Sen. Pat Toomey, R-Pa., both of whom have raised concerns with the Fed and could author legislation that is more accommodative to novel banking charters that the Fed would need to follow. 

In the meantime, companies that want a Fed account and aren’t interested in becoming bank holding companies or partnering with a BaaS bank may find themselves in limbo for a while. Bisanz points out that in litigation, the Fed cited a case that said delays of three to five years are not unreasonable; Custodia brought its lawsuit to expedite a decision. For novel banks, waiting years for a decision may as well mean the death of a business model. 

“There is no guarantee of an application under these guidelines, and there is no guarantee of a decision,” Bisanz says. “Nothing in these guidelines says that the Reserve Banks will act expeditiously. People should read the guidelines, consider applying — but also be ready to sit tight.”

Preparing for Institutional Risks as Cryptocurrencies Expand

Two words that highlight why digital assets — in particular, cryptocurrencies — are a valuable addition to the financial services ecosystem are “speed” and “access.” However, banks and other organizations that transact in cryptocurrency need to be aware of, and prepare for, unique risks inherent to the digital asset ecosystem.

The technology that supports cryptocurrencies has accelerated the speed of clearing financial transactions. Over the last 25 years, financial institution technology has progressed significantly, but transfers can take several days to clear; international wire transfers take even longer. Cryptocurrency transaction clearing is immediate.

Cryptocurrencies are also increasingly adopted by individuals who have been previously unbanked or “underbanked” and have had difficulty accessing traditional banking systems. Transaction speed, customer experience and an expanding market of digital asset users make cryptocurrencies attractive for more institutions and organizations to adopt, but they need to think about and prepare for a number of risks.

Current State of Regulation
One of the reasons the traditional banking industry is trusted by the public is because of the regulatory environment. Regulations, including those within the Bank Secrecy Act (BSA), outline the customer identification program and know-your-customer requirements for onboarding new customers. While the cryptocurrency ecosystem is often panned for its perceived lack of regulation, there are layers of regulation that some crypto companies must comply with. For example, the BSA applies to money transmitters, like crypto exchanges. U.S. Securities and Exchange Commission Chair Gary Gensler recently noted, when prompted about large crypto exchanges, “It’s a question of whether they’re registered or they’re operating outside of the law and I’ll leave it at that.”

Does that mean that crypto is regulated as strictly as financial institutions? No, but regulation is progressing. President Joe Biden’s March 2022 executive order included a provision requesting the Financial Stability Oversight Council (FSOC) convene and report on the risks of digital assets to the financial system and propose any regulatory modifications needed to mitigate the risks posed to the financial system by cryptocurrency. Treasury Secretary Janet Yellen, who has been tasked with convening the FSOC, has been a vocal proponent of crypto regulation.

The Treasury Department also released a fact sheet outlining how the United States would work with foreign governments in regulating digital assets.

What does that mean for crypto companies? Considering digital assets were mentioned over 40 times in the FSOC 2021 Annual Report, and since the total market cap of crypto has fallen from $3 trillion in November 2021 to $900 billion as of June 28, 2022, it’s likely regulators will propose new requirements.

Risk Management
Emerging or evolving regulation over large exchanges may not be the panacea that gives financial institutions carte blanche access to offer all cryptocurrency products. However, it is a step toward being able to offer new products or access to products within the confines of a regulatory framework, and it creates a standard against which banks can measure their offerings.

However, risks remain. Retail banking customers still interact with virtual asset service providers that operate under innocuous-sounding names and decentralized crypto exchanges run by decentralized autonomous organizations (DAOs) without the corporate governance or regulatory requirements of financial institutions. As regulation evolves, institutions wishing to participate in this market will still be responsible for monitoring and mitigation activities. The good news is that as these risks have evolved, so have the tools used to monitor and mitigate them.

When it comes to risk, adding a new category of services requires changes throughout the organization that include people, process and technology. The digital asset ecosystem requires a different skill set than traditional banking and capital markets. The lexicon is different, the technology is different and the market is more volatile. Trusted information sources have transitioned from global business publications to social media. Institutions looking to participate are going to need to partner with different service providers to help facilitate programs, build infrastructure and provide access to the knowledge, skills and expertise to be successful. These institutions are also going to need to reassess their strategy, how and where digital assets fit, the organization’s new risks resulting from this strategic shift and how they plan to mitigate those risks.

The crypto market has garnered the attention of the current presidential administration, the regulatory environment is continuing to evolve, retail participation continues to increase and the technology supporting the marketplace has the potential to become more efficient than traditional infrastructure. Banks that aren’t assessing their strategy as it relates to digital asset risk will be left behind. Institutions planning on participating should understand the people, process and technology needed to execute their strategy, as well as the potential risks to the organization. Regardless, the cryptocurrency marketplace has given institutions and those charged with governing them a lot to consider.

How High Inflation, High Rates Will Impact Banking

In the latest episode of The Slant Podcast, former Comptroller of the Currency Gene Ludwig believes the combination of high inflation and rising interest rates presents unique risks to the banking industry. Ludwig expects that higher interest rates will lead to more expensive borrowing for many businesses while also increasing their operating costs. This could ultimately result in “real credit risk problems that we haven’t seen for some time.”

While the banking industry is well capitalized and asset quality levels are still high, Ludwig says the combination of high inflation and rising interest rates will be a challenge for younger bankers who have never experienced an environment like this before.

Ludwig knows a lot about banking, but his journey after leaving the Comptroller of the Currency’s office has been an interesting one. After completing his five-year term as comptroller in 1998, Ludwig could have returned to his old law firm of Covington & Burling LLP and resumed his legal practice. Looking back on it, he says he was motivated by two things. One was to put “food on the table” for his family because he left the comptroller’s office “with negative net worth – [and] it was negative by a lot.”

His other motivation was to find ways of fixing people’s problems from a broader perspective than the law sometimes allows. “I love the practice of law,’’ he says. “It’s intellectually satisfying.” But from his perspective, the law is just one way to solve a problem. Ludwig says he was looking for a way to “solve problems more broadly and bring in lawyers when they’re needed.” This led to a prolonged burst of entrepreneurial activity in which Ludwig established several firms in the financial services space. His best known venture is probably the Promontory Financial Group, a regulatory consulting firm that he eventually sold to IBM.

Ludwig’s most recent initiative is the Ludwig Institute for Shared Economic Prosperity, which he started in 2019. Ludwig believes the American dream has vanished for many median- and low-income families, and the institute has developed a new metric which makes a more accurate assessment of how inflation is hurting those families than traditional measurements such as the Consumer Price Index — which he says drastically understates the impact.

Ludwig hopes the Institute’s work gives policymakers in Washington, D.C., a clearer sense of how desperate the situation is for millions of American families and leads to positive action.

This episode, and all past episodes of The Slant Podcast, are available on Bank Director, Spotify and Apple Music.