On June 6th, the Fed, FDIC and OCC finalized joint Third Party Risk Management (TPRM) guidance. The joint guidance replaces the OCC’s 2013 Third-Party Relationships: Risk Management Guidance, the FDIC’s 2008 Guidance for Managing Third-Party Risk and the Fed’s 2013 Guidance on Managing Outsourcing Risk. The guidance includes risk management principles across all stages of the life cycle of a third-party relationship: planning, due diligence and selection, contract negotiation, ongoing monitoring and termination. As with previous TPRM guidance, this version emphasizes that it is the responsibility of the supervised bank to maintain compliance with laws and regulations. To this end, the guidance outlines numerous considerations for scrutinizing and monitoring third parties, including responsibilities of the board and senior management to oversee TPRM practices.
Relative to the July 2021 proposal, the final guidance clarifies that banks should tailor their TPRM according to their complexity, size, risk profile and the nature of each third-party relationship. Similarly, it explains that the agencies will tailor their supervision of TPRM according to risk and complexity of banks and their third-party relationships. It further enhances the proposal by providing illustrative examples as well as referring to potential TPRM due diligence approaches for banks with limited resources.
The final guidance also clarifies several definitions and expectations:
Our Take
Although it took nearly two years, updates in the agencies’ final TPRM guidance primarily serve to clarify expectations and provide flexibility for banks to manage their third-party risks according to their unique risk characteristics. While the guidance is largely principles-based and does not set out prescriptive requirements, it reminds banks that they are ultimately responsible for compliance with regulatory requirements, including for the services and operations they delegate to third parties. Both the OCC and Fed have listed TPRM as a top supervisory priority in the last year - with a particular focus on growing relationships with fintechs and cloud service providers - and it is clear that they will not hesitate to issue findings if third-party activities violate laws or represent unsafe or unsound practices. Such findings could stem from a variety of third-party practices and activities, including any models they use.
As it is up to banks to ensure that their evaluation and monitoring of third parties is thorough, they should carefully review this final guidance and conduct a gap analysis to understand where their TPRM practices diverge from the agencies’ recommendations. They may also need to expand their inventory of third-party relationships to reflect the broad definition in the guidance and update their framework for assessing criticality to account for impact on customers. The guidance should also inform enhancements to contract negotiations, monitoring and testing activities, which may need to be expanded significantly to gain assurance that third-party policies, practices, personnel, and models are in compliance with all relevant regulations. Although this final joint guidance is closely aligned with the agencies’ previous expectations, its issuance should be seen as a signal that the agencies are concerned about third-party risk and intend to closely scrutinize banks’ practices to manage it. As they do so, banks should be prepared to adjust to more fluid expectations, as the principles-based approach provides the agencies more flexibility to gauge existing and emerging third-party risks.
On June 5th, the SEC brought a series of charges against digital asset trading platform Binance, which the complaint describes as “the largest crypto asset trading platform in the world.” The charges allege that the organization secretly allowed high-value US customers to trade on the non-US version of its platform and falsely claimed that its US and non-US platforms were independent. They also allege that Binance commingled customer assets, misled investors about trading controls, and operated unregistered exchanges, broker-dealers and clearing agencies. The following day, the SEC charged digital asset trading platform Coinbase with operating as an unregistered exchange, broker-dealer and clearing agency as well as engaging in an unregistered securities offering through its staking-as-a-service program. Both lawsuits taken together describe 19 different assets as “securities,” although neither includes the two largest digital assets by market capitalization, Bitcoin and Ethereum.
Following these actions, SEC Chair Gary Gensler explained in a speech that the “vast majority” of digital assets fit the definition of a security as they are generally used as investment contracts rather than currency, noting that many assets have websites, social media accounts and marketing events to promote their attractiveness as investments. He stated that, accordingly, firms offering services related to digital assets are either required to register with the SEC or meet requirements for an exemption. Noting that some have accused the agency of not providing a clear path for registration, he pointed to a recent approval of a digital asset broker-dealer and stated that existing rules make the path to registration clear. He then highlighted the agency’s charges against Binance and Coinbase and promised that it will continue to take action against digital asset firms that run afoul of securities laws.
During a House Financial Services Committee (HFSC) hearing on digital assets, Republicans including HFSC Chair Patrick McHenry (R-NC) criticized the SEC’s actions, stating that the agency is “picking winners and losers based on inconsistent factors.” They generally called for regulatory clarity to avoid pushing innovation outside of the US and into jurisdictions that do not provide adequate oversight and supported recent draft legislation introduced by McHenry and Senate Banking Committee Ranking Member Tim Scott (R-SC) that would put most digital assets under the authority of the CFTC. Many Democrats expressed their opposition to the legislation, stating that it would reduce the SEC’s authority and would not prohibit certain conduct such as commingling of investor funds. However, Representatives from both sides expressed a willingness to work together on legislation and supported actions to provide regulatory clarity, including around asset classification.
Our Take
The SEC’s continued string of lawsuits, this time against two of the largest digital asset exchanges, along with Gensler’s pledge to continue taking action against digital asset firms that are out of compliance with securities laws puts all industry participants on notice: the agency is coming and the time to act is now. As a key theme of recent enforcement actions has been registration, firms need to either prepare to register their products and services with the agency or develop an alternative plan. Just last week, Crypto.com announced that they will discontinue certain US operations supporting assets that were specifically called out as securities in the SEC’s filings. While the SEC’s view that virtually all digital asset firms must register will be challenged in court and could potentially be tempered by legislation, it will be a long wait for any court decision or Congressional action and any potential outcome remains unclear. In the meantime, the agency’s enforcement streak will continue.
Aside from registration, other key themes of enforcement actions have included failure to segregate customer assets and failure to mitigate conflicts of interest. Having policies and controls to make sure that customer assets are segregated and separating broker, clearing and exchange functions will not only be essential for SEC compliance but will also prepare firms for other regulatory regimes such as the CFTC’s expectations and the New York State digital assets legislation. Firms offering broker-dealer services should also consider whether their customer communications could be construed as investment advice and implement policies and controls around suitability. Fraud and manipulation also remain key concerns for the SEC and other regulators, and as such firms should be scrutinizing all of their public statements to confirm that they do not mislead customers around issues such as the profitability of certain assets, the security of their funds and bankruptcy protections.
On June 1st, the Fed, OCC, FDIC, CFPB, NCUA and FHFA (the Agencies) released a joint proposal that would require that mortgage originators and secondary market issuers adopt quality control standards for the use of automated valuation models (AVMs), which it notes are increasingly used in the mortgage industry as part of the real estate valuation process to reduce costs and increase speed. Specifically, it would require that firms adopt policies, procedures and controls designed to: (a) ensure a high level of confidence in estimates; (b) protect against data manipulation; (c) avoid conflicts of interest; (d) require random sample testing and reviews; and (e) comply with nondiscrimination laws.
The proposal notes that the Agencies debated whether to issue a set of prescriptive rules or principles-based guidance and decided upon the latter. Accordingly, it does not set specific requirements for how institutions are to implement and structure the quality standards for their AVM use, explaining that the principles-based approach provides the flexibility to set quality controls based on the size of the institution as well as the risk and complexity of their practices. As modeling technology continues to evolve, this flexible approach would also allow institutions to refine their policies, practices, procedures, and control systems as appropriate.
In the proposal, the Agencies define the scope of the rule fairly narrowly to cover (a) use for determination of collateral value for credit decisions, which would exclude other uses such as monitoring value over time or validating an already completed valuation; (b) direct use of AVMs in determining the collateral value, which would exclude use of AVMs by qualified appraisers to assist with value determination; (c) valuation of residential collateral as part of consumer lending, which would exclude any application of AVMs in commercial lending, including small business loan underwriting; (d) valuation of the consumers’ primary dwelling, which would exclude any application of AVMs for underwriting investment properties or second homes; and (e) use only by mortgage originators and secondary market issuers. The proposal will be open for comment for 60 days following publication in the Federal Register.
Our Take
Many industry participants commented that they would prefer that the proposal take a principles-based approach, and while the proposal’s flexibility and lack of prescriptive requirements will largely be welcomed by those commenters, its very high-level principles may not provide sufficient detail for firms to interpret and implement accurately and effectively in certain areas. For example, as many firms, especially smaller organizations, rely on vendor off-the-shelf AVMs, it may not be clear how they can protect against data manipulation if they have no control over or insight into what data their vendors use to develop the models and how the data was processed.
Similarly, we expect that firms using vendor off-the-shelf AVMs will find it difficult to determine how they can comply with applicable nondiscrimination laws. In addition to facing the same transparency obstacles described above, many smaller firms likely have transaction volumes that are too low to meaningfully test valuations for discriminatory biases. Applying commonly-used disparate impact measurement approaches would also be very challenging due to the fact that (a) it is impossible to measure “actual” real estate value as the basis for determining AVM error; and (b) identification of “similarly situated” properties for fair comparison requires significant simplifying assumptions.
Other proposed requirements are more straightforward. For example, firms would be able to comply with the requirements to ensure confidence in estimates and require random sample testing by leveraging existing detailed regulatory guidance, such as the interagency guidance on model risk management. The requirement to “avoid conflicts of interest” may also be straightforward to implement, at least as it relates to the risk that an entity may “cherry pick” one preferred AVM value out of a range of values they can access from different vendor and/or internal automated valuation models. There are existing industry practices for developing and maintaining robust multi-model AVM cascades that encompass measurement and reporting of a range of accuracy, bias and coverage metrics that entities can leverage to address this proposed requirement.
On June 14th, the OCC released its spring 2023 Semiannual Risk Perspective. The report covers recent bank failures, explaining that rising interest rates have caused depreciation in investment portfolios while noting that liquidity levels have increased following the failures. It notes that credit risk remains moderate in aggregate, although signs of stress in commercial real estate (CRE) are increasing and the impact of inflation and rising interest rates is causing credit conditions to deteriorate. As it did in its previous risk perspective, the OCC continues to describe operational risk as “elevated,” citing cybersecurity threats as well as risks associated with increased digitization, reliance on third parties, and use of aging technologies - which is discussed further in a “special topic” section. Similarly, it also notes elevated compliance risk due to the rapid pace of technological innovation and new offerings.
The report also provides an update on the OCC’s work regarding climate-related risk, noting that it is currently considering comments on the draft risk management principles it published last December and working with the Fed and FDIC on next steps. Meanwhile, it notes that the OCC is continuing to conduct supervision of climate-related financial risk management practices at banks with over $100 billion in total consolidated assets and states that it “anticipates that all large banks will need to increase their capabilities, investments in data, and sophistication of their analysis to be fully effective” in climate-related risk management. It also highlights risks related to digital assets, including volatility, high-risk lending, excessive leverage, interconnectedness, concentration and lack of comprehensive regulation.
In a press briefing alongside the report, Acting Comptroller Michael Hsu stated that OCC examiners are “on the balls of their feet” regarding issues such as concentration risk, capital and liquidity, and strong risk management across all areas (“not just headlines”). He also stated that banks should have communications programs in place that can respond clearly, credibly and promptly to questions from stakeholders regarding their condition and risk profiles. In response to questions, Hsu noted that the recent bank failures have pushed back the timeline for releasing a final Community Reinvestment Act rule, but he explained that the agency is still working “urgently” on the issue.
Our Take
The OCC’s latest risk perspective highlights a similar set of risks to past editions and the priorities in the Fed’s recent Supervision and Regulation Report. As the OCC was not the primary regulator of any of the failed banks and did not issue a report specifically on the failures, this risk perspective provides insight into the OCC’s views on the dynamics contributing to ongoing stress. These views closely align with the Fed’s and FDIC’s concerns about banks with concentrations in CRE, indicating that all of the bank regulators are closely monitoring this sector for further deterioration. Apart from economic conditions, the risk perspective devotes significant attention to the risks related to technology and digitalization. In light of the OCC’s warning about the cybersecurity implications of evolving technology, banks should consistently review the latest security practices and capabilities of malicious actors to maintain their ability to detect, assess and respond to threats. Banks should also note the OCC’s dedicated discussion of the risk of continued use of aging technology and end-of-life (EOL) systems as it indicates that examiners have seen issues with these practices across a number of banks. Accordingly, as banks consider technology investments, they should carefully weigh the costs of not updating legacy technologies which could include increased outages, security vulnerabilities, and manual workarounds.
On June 12th, FINRA released a concept proposal for a liquidity risk management rule intended to ensure that its members maintain sufficient liquidity under both normal and stressed conditions. The proposed rule would require broker-dealers to maintain a liquidity risk management program that includes capabilities for liquidity stress testing, a contingency funding plan and notification and reporting requirements to FINRA within prescribed timelines. FINRA expects that 125 members would be subject to the potential rule.
The proposal would also require that firms maintain sufficient liquidity on a current basis and lists eight conditions under which firms would be presumed to have insufficient liquidity. Specifically, firms will be presumed to have insufficient liquidity when (1) funds are borrowed from non-bank affiliates; (2) the firm borrows more than 70% of customer debit balances that are secured by customer assets; (3) the reserve formula calculation is performed on an ad-hoc basis and outside regular scheduled calculations; (4) loan facilities, other than intraday, are reduced by more than 50% on a rolling 90-day basis; (5) secured financing agreements are reduced by more than 50% on a rolling 90-day basis; (6) intraday credit facilities at settlement banks or the member’s CCP intraday credit facility are reduced by more than 50% on a rolling 90-day basis; (7) the member firm has lost or is notified of losing access to settlement bank services; or (8) a CCP revokes the member firm’s membership, or a CCP or settlement bank imposes a material restriction on the member firm.
Firms that meet any one of the above conditions will have two business days to notify FINRA, followed by a five-day window to rebut the presumption that they do not have sufficient liquidity. FINRA would be able to direct a member to take necessary measures, including restricting or suspending business, if the determination is ultimately made that the member lacks sufficient liquidity.
Our Take
This concept release reflects FINRA’s view that there is substantial variance in liquidity risk management practices across its members with instances of insufficient liquidity risk management still prevalent across those that are not affiliated with a bank holding company. Even before this concept is finalized, FINRA and SEC oversight of liquidity risk management is likely to continue to tighten, particularly in light of ongoing stress across the financial sector. As such, impacted firms should not wait to assess whether they meet any of the insufficient liquidity conditions and evaluate their current practices and capabilities against those outlined in the proposal. Even larger firms with more mature liquidity risk management programs may find that they need to make incremental enhancements to align with FINRA’s expectations for more standardized practices across its members.
These notable developments hit our radar this week: