Client Alert: ABA’s 2014 Washington Banking Law Committee Meeting
We wanted to share some observations from the American Bar Association’s Banking Law Committee meeting in Washington, D.C., that some of us recently attended. As usual, the meeting assembled senior officials from all of the bank regulatory agencies, and those of us who regularly practice in this area. Although much of the meeting was devoted to large “significantly important financial institutions,” there were important takeaways for our “significantly important” community and regional bank clients that we wanted to pass along in this Client Alert.
Heightened Expectations & Other Cultural Issues
Participants at the meeting said much about governance issues, starting with the OCC’s September 2014 “heightened expectations” issuance.
Those guidelines provide that larger national banks, generally those over $50 billion in assets, should establish and adhere to a formal risk governance framework to manage and control their risk-taking activities, such as by establishing a risk appetite review, monitoring and communication process. That guidance also describes minimum standards for Boards to oversee their bank’s risk governance framework, including by providing active oversight of management and providing for ongoing training. We encourage our clients to become familiar with these guidelines, because we would expect elements of those requirements to quickly trickle down into examinations by all regulators for all banks.
Also discussed was the Workshop on Reforming Culture and Behavior in the Financial Services Industry, hosted last month by the Federal Reserve Bank of New York. In an effort to promote a discussion on how banks can improve their cultures, one of the speakers at the workshop said a bank’s leadership at a minimum must:
- Demonstrate publicly its commitment to high ethical standards;
- Promulgate higher standards of conduct to complement traditional compliance functions;
- Invest in additional training;
- Align financial and career incentives with core principals; and
- Measure behavior with a view to promoting accountability.
These are all important issues addressed in the Board and management training we provide to our clients.
At the meeting, the regulators consistently discussed how recent cyberattacks against banks have focused their attention on the full spectrum of issues surrounding cybersecurity. They responded by conducting targeted examinations in the last few months and issuing responsive guidance, including the following:
- FFIEC: Cybersecurity Preparedness for Community Financial Institutions (May 2014)
- FFIEC: Cybersecurity Assessment General Observations (November 2014)
That guidance, and others, makes it clear that information technology issues can no longer only be confined to the realm of the Chief Information Officer, but need to be diffused throughout the organization, including at the Board level.
Our Technology & Data Integrity Team has handled a number of data breaches for our clients and cannot stress enough the need for an “all-hands” approach to ensure the development of an effective response. One of the best methods we’ve seen to help avoid data breaches is for banks to have strong security protocols surrounding the use by employees of laptop computers and external storage devices.
Bank Secrecy Act/Anti-Money Laundering
There was a consensus among meeting participants that with the financial crisis behind us, regulators will likely continue to increase their scrutiny of BSA/AML programs at banks of all sizes. Having spent significant time recently focusing on BSA/AML issues for our clients, we agree with that consensus. Most significant in that regard is FinCEN’s Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance (August 11, 2014).
In that guidance, FinCEN tells banks to strengthen their BSA/AML compliance culture by ensuring that:
- Leadership should be engaged;
- Compliance should not be compromised by revenue interests;
- Information should be shared throughout the organization;
- Leadership should provide adequate human and technological resources;
- The program should be effective and tested by an independent and competent party; and
- Leadership and staff should understand how their BSA reports are used.
We invite you to join us as we frequently host The Anti-Money Laundering Association’s events at our firm, during which we tackle these issues in an informal environment. Email firstname.lastname@example.org to subscribe to our events notices.
Unfair, Deceptive or Abusive Acts or Practices (UDAAP)
Not surprisingly, meeting participants predicted that the issue of alleged unfair, deceptive or abusive acts or practices would continue to be important for banks in the upcoming year. We frequently see this issue arise when customer disclosures appear to be inconsistent with actual bank practices. Banks should be particularly sensitive about engaging in practices that could be deemed “abusive” because they are improperly aimed at what are perceived to be vulnerable customers. Banks need to work with counsel to avoid potential UDAAP violations, such as by reviewing customer disclosures and agreements, and to defend and remedy them after they have been alleged.
OCC Finalizes Its Heightened Standards for Large Financial Institutions (September 2, 2014)
Workshop on Reforming Culture and Behavior in the Financial Services Industry (October 28, 2014)
FFIEC’s Cybersecurity Preparedness for Community Financial Institutions (May 2014)
FFIEC’s Cybersecurity Assessment General Observations (November 2014)
FinCEN’s Advisory to U.S. Financial Institutions on Promoting a Culture of Compliance (August 11, 2014)
The Anti-Money Laundering Association