The June issue of the Regulatory Compliance Digest (the Digest) features a summary of the latest updates on third-party relationships used by financial institutions, Small Business Lending Rule guidance, CFPB updates and OFAC’s SSL certificate renewal. The Digest summarizes the latest compliance updates that may impact your institution.

The Regulatory Compliance Digest is intended to keep you informed of regulatory changes in advance of their effective date so your institution can evaluate changes or updates to necessary policies, procedures and processes in place to be compliant at the time of enactment.

Industry Trends & Insights

Interagency Guidance on Third-Party Relationships: Risk Management

Over the past several examination cycles, there has been increased focus on oversight of third-party relationships used by financial institutions. The regulators have finally issued joint guidance on the expectations surrounding the management and oversight of these relationships. The regulators have stressed that oversight is a life cycle process, not a static one, and that it should consider the level of risk, complexity and size of the banking organization and the nature of the third-party relationship. In addition, the guidance clearly reiterates the regulators’ position that the use of third parties does not shift the responsibility for acting in a safe, sound and compliant manner.

The guidance also recognizes that third-party relationships may be either contractual or informal and may include arrangements such as outsourced services, independent consultants, referral arrangements, merchant payment processing services, services provided by affiliates and subsidiaries, and joint ventures.

Risk Management Considerations

The guidance details some specific risk management points that should be assessed and integrated into current programs, or used as building blocks for implementing a first-time program:

  • Develop an inventory of all third-party relationships used by the institution. In addition to a review of contractual relationships, survey the individual business areas to discover any informal relationships.
  • Develop a sound methodology and apply it consistently to all third-party relationships and activities on your inventory to determine which would receive more comprehensive oversight.
  • Perform a risk assessment of each relationship. Understand the service provided and how it is provided. Consider the criticality of the arrangement. Ask the following questions:
    • Would this relationship pose significant risk if the third party fails to meet expectations?
    • Does this relationship have significant customer impacts?
    • Does this relationship have a significant impact on the institution’s financial condition or operations?

Third-Party Life Cycle Management

Effective third-party risk management follows a continuous life cycle for third-party relationships. The guidance defines the following stages in the relationship life cycle, some of which may already be part of your vendor selection/management process:

  • Planning
  • Due Diligence and Third-Party Selection
  • Contract Negotiation
  • Ongoing Monitoring
  • Termination

Furthermore, it discusses considerations that should be reviewed during each stage of the life cycle management process.

Governance

Depending on the size and complexity of your organization, governance can be structured centrally or delegated to department/business units. However, the method chosen does not change the expectations. The governance process must include the following elements to ensure comprehensiveness:

  • Oversight and Accountability: Oversight should be aligned and compliant with the institution’s strategic goals and risk appetite. The Board is ultimately accountable for the relationship and its management.
  • Independent Reviews: The institution needs to conduct periodic independent reviews to assess the adequacy of the third-party risk management process. Results of these reviews should be shared with the Board. In addition, the results of an independent review should be used to strengthen the overall program, which would include amending policies and procedures, enhancing reporting, ensuring the allocation of adequate resources, strengthening internal controls or enhancing/developing program expertise.
  • Documentation and Reporting: Documentation and reporting are key to telling an institution’s risk management story. It is important to provide this support to both the Board and the regulators. Not only does it document the cornerstones of your program, but it also speaks to the Board’s and management’s responsiveness and oversight through documentation of remediation efforts undertaken to address weaknesses and program adjustments, due to changes in strategic goals or risk profile.

Regulatory Supervision

You can be sure that a review of your third-party relationship management program will be at the top of the priority list for your next examination. Through testing and review of documentation, regulators will focus on the:

  • Ability of the institution’s management to oversee and manage its third-party relationships;
  • Impact of third-party relationships on the institution’s risk profile; and,
  • Key aspects of financial and operational performance, including compliance with applicable laws and regulations.

Your regulator may pursue corrective measures, including enforcement actions, when necessary to address violations of laws and regulations, or unsafe or unsound banking practices by the institution and/or its third party.

Small Business Lending Rule: Small Entity Compliance Guide

In 2010, Congress enacted the Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. 111-203, 124 Stat. 1376, 2004 (2010) (Dodd-Frank Act). Section 1071 of the Dodd-Frank Act (Section 1071) amended the Equal Credit Opportunity Act (ECOA) to require that financial institutions compile and report certain data regarding certain business credit applications to the Consumer Financial Protection Bureau (CFPB) and to meet certain other requirements. Following notice and comment, the CFPB issued the small business lending rule to implement Section 1071 on March 30, 2023. The small business lending rule is referred to as the “final rule” in this guide.

This guide (dated May 2023) includes a detailed summary of the final rule’s requirements. Except when specifically needed to explain the final rule, this guide does not discuss other laws, regulations or regulatory guidance that may apply. The content of this guide does not include any rules, bulletins, guidance or other interpretations issued or released after the date on the guide’s cover page.

CFPB Issues Guidance to Rein in Creation of Fake Accounts to Harvest Fees

On May 10, 2023, the CFPB issued a new circular affirming that a bank may violate federal law if it unilaterally reopens a deposit account to process transactions after a consumer has already closed it. The CFPB has observed in complaints that even after a consumer completes all the required steps to close an account, their bank has “reopened” the closed account and assessed overdraft and nonsufficient funds fees. Consumers have reported to the CFPB that financial institutions have also charged account maintenance fees upon reopening, even if the consumer was not required to pay account maintenance fees prior to account closure.

The circular confirms that banks may risk violating the Consumer Financial Protection Act’s prohibition on unfair acts or practices by unilaterally reopening closed accounts. Consumers may incur overdraft, nonsufficient funds or monthly maintenance fees when a closed account is reopened by the bank. This practice may also enable third parties to access a consumer’s funds without consent. If reopening the account overdraws the account, banks may also furnish negative information to consumer reporting companies if consumers do not settle negative balances quickly. Consumers often cannot reasonably avoid the risk of substantial injury caused by this practice because they cannot control a third party’s attempt to debit or deposit money, the process and timing of account closure, or the terms of deposit account agreements.

CFPB Issues Rule To Facilitate Orderly Wind Down of LIBOR

On April 28, 2023, the CFPB issued an interim final rule amending the agency’s 2021 LIBOR transition rule. The interim final rule contains updates to reflect the subsequent enactment of the Adjustable Interest Rate (LIBOR) Act and issuance of an implementing regulation by the Board of Governors of the Federal Reserve System. This interim final rule will further facilitate the orderly transition of those consumer loans that currently use the LIBOR index to other indices in anticipation of the planned cessation of U.S. Dollar (USD) LIBOR after June 30, 2023.

Supplemental Alert: FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Urge Continued Vigilance for Potential Russian Export Control Evasion Attempts

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) previously issued a joint alert (2022 Alert) urging financial institutions to be vigilant against efforts by individuals and entities to evade BIS export controls implemented in connection with the Russian Federation’s (Russia) further invasion of Ukraine. This supplemental joint alert provides financial institutions additional information regarding new BIS export control restrictions related to Russia, as well as reinforces ongoing U.S. Government engagements and initiatives designed to further constrain and prevent Russia from accessing needed technology and goods to supply and replenish its military and defense industrial base.

Important Technical Notice for Users of the OFAC Website on SSL Certificates

The U.S. Department of Treasury is initiating the annual renewal of the public-trusted certificate securing the www.treasury.gov website, including OFAC sanctions list downloads. The existing certificate (expiring May 18, 2023) will be replaced on May 15, 2023 at 8PM EDT. It will take roughly 1 hour for the replacement certificate to be fully distributed worldwide.

If your application pins or otherwise trusts the serial number of the existing certificate as part of your application functionality, you may need to update your configuration to trust the renewed certificate. The renewed public certificate, effective May 15, 2023 at 8PM EDT, can be downloaded via the following URL: https://s3.amazonaws.com/www.treasury.gov-2023-certificate/www.treasury.gov-2023-2024-Renewed-Certificate.zip. To prevent loss in functionality, please ensure your applications trust this server, intermediate and root certificate by the May 15, 2023 replacement date.
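The following is an added example, not code from Treasury or the Digest: a pin set that carries both the existing and the renewed certificate through the roughly one-hour distribution window, then retires the old pin at expiry. It pins the SHA-256 fingerprint of the whole certificate rather than the serial number (both change at renewal); the certificate bytes are constructed placeholders, and treating the May 18 expiry as end of day UTC is an assumption.

```python
import hashlib
from datetime import datetime, timezone

# Constructed placeholders standing in for DER-encoded leaf certificates.
# In real use these bytes come from ssl.SSLSocket.getpeercert(binary_form=True).
OLD_CERT_DER = b"constructed-existing-leaf-certificate"
NEW_CERT_DER = b"constructed-renewed-leaf-certificate"

# From the notice: replacement on May 15, 2023 at 8PM EDT (UTC-4).
ROLLOVER = datetime(2023, 5, 16, 0, 0, tzinfo=timezone.utc)
# From the notice: existing certificate expires May 18, 2023.
# Assumption: treated as end of that day in UTC, since no time is given.
OLD_EXPIRY = datetime(2023, 5, 19, 0, 0, tzinfo=timezone.utc)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, a common certificate pin value."""
    return hashlib.sha256(der).hexdigest()


class PinSet:
    """Pins with an optional retirement time, so old and new can overlap."""

    def __init__(self):
        self._pins = {}  # fingerprint -> retire_after (datetime or None)

    def add(self, der: bytes, retire_after=None):
        self._pins[fingerprint(der)] = retire_after

    def check(self, presented_der: bytes, now: datetime) -> str:
        fp = fingerprint(presented_der)
        if fp not in self._pins:
            return "unknown"   # never pinned: the connection must be refused
        retire_after = self._pins[fp]
        if retire_after is not None and now >= retire_after:
            return "retired"   # pinned once, but past its retirement time
        return "ok"


def build_pin_sets():
    """Return (stale, overlapping): old pin only vs. old and renewed pins."""
    stale = PinSet()
    stale.add(OLD_CERT_DER, retire_after=OLD_EXPIRY)
    overlapping = PinSet()
    overlapping.add(OLD_CERT_DER, retire_after=OLD_EXPIRY)
    overlapping.add(NEW_CERT_DER)
    return stale, overlapping
```

A client holding only the old pin starts refusing connections as soon as an edge node serves the renewed certificate, while the overlapping set accepts whichever certificate is presented during propagation.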

Have Questions?

If you would like to discuss any compliance matters for your institution, please contact your Cherry Bekaert Advisor or reach out to the Firm’s Risk Advisory regulatory compliance team today.

DISCLAIMER

External links to other websites outside of www.cbh.com are being provided as a convenience and for informational purposes only. The links do not constitute an endorsement or an approval by Cherry Bekaert of any of the information, products, services or opinions of the organization or individual. Cherry Bekaert bears no responsibility for the accuracy, legality or content of the external websites or for that of subsequent links. Contact the external website for answers to questions regarding its content.

Janet Golonka

Risk Advisory Services

Director, Cherry Bekaert Advisory LLC
