U.S. regulators' public statements, recent trends in administrative actions, and feedback in the current examination cycle suggest the following will be the focus of examination and enforcement efforts for federal financial regulators in 2015.
Evaluating the sufficiency of policies, systems and controls limiting or restricting internal access to customer data and mitigating controls to detect and respond to external intrusions. Evaluating the operational, financial and reputational risks associated with remote access devices and networks, and controls to prevent losses to the institution and its clients.
Overdraft fees, compliance with new mortgage lending and servicing rules, originating and servicing student loans, compliance with the new remittance rule of the Consumer Financial Protection Bureau (CFPB), Automated Clearing House (ACH) funds transfer and electronic payments, data accuracy and integrity (including creditors furnishing information to credit reporting agencies, creditors selling debt or outsourcing debt collection, and updating information after reporting, selling, or outsourcing), fair lending laws and rules related to the availability of credit, and review for unfair, deceptive, or abusive acts and practices.
Third-Party Relationships: Oversight and Compliance Implementation
Programs for risk management, oversight, and assurance of compliance by service providers, vendors, and other third parties, with particular emphasis on cybersecurity, fair lending and anti-money laundering requirements.
Enterprise Risk Management
Evaluating the extent and degree of board participation in setting appropriate risk tolerance, developing comprehensive risk assessments, ensuring risks are evaluated across business lines and for new products, and holding management accountable for failing to adequately detect risks or for taking excessive risks.
Bank Secrecy Act/Anti-Money Laundering/Office of Foreign Assets Control Compliance
Ensuring a fully integrated and dynamic risk-based compliance program is implemented and operational, and that the program is able to address emerging risks and compliance issues.
Defining and documenting with greater clarity the roles, responsibilities, and reporting lines from business units up through senior management to board committees. Focus will be on the "tone at the top" including board and senior management leadership on affirming and enforcing compliance culture. Increasing focus on need for bank-level risk management and potential for conflicts between the bank's and holding company's risk management and reporting functions.
Documentation and Formalization of Policies and Procedures
Special emphasis on critically evaluating the level of analysis and documentation reflecting restrictions imposed upon and oversight provided to third-party vendors performing banking-related services. Consideration of integration of compliance, audit, and enterprise risk management efforts.
Liquidity and Capital, Funding Risk Issues
For larger bank holding companies, the liquidity coverage ratio (LCR) rule went into effect in January 2015 and will be an area of focus. Attention at the largest banks may shift to the soon-to-be-proposed net stable funding ratio rule that will be implemented in 2018. For smaller institutions, focus will be on brokered deposits, core funding, and overreliance on short-term and unstable funding sources. Heightened capital expectations for many banks.
For Larger Banks and Financial Institutions
Systemic risk issues including assessment of potential transmission pathways, counterparty exposures, and funding risk/run risk being created or magnified. Ratcheting up of regulators' expectations on resolution plans and foreign banks' U.S. operations risk assessment. Financial Stability Oversight Council (FSOC) movement on designation of insurance companies and studying asset managers. Increasing focus on application of international capital standard for insurance companies both in the Savings and Loan Holding Company Act and systemically important financial institution (SIFI) context, as well as potentially more broadly for the industry. The cumulative economic impact of heightened regulatory, capital, funding, and liquidity requirements applicable to the largest institutions (particularly those with $250 billion or more in aggregate balance sheet assets) may lead some to consider spinning off business units.
Compliance with the Volcker rule will be an area of examination focus in light of the July 21, 2015 compliance date. The rule's provisions limit the securities and derivatives trading and private investment fund activities of depository institutions and their affiliates, and impose compliance program, recordkeeping, governance, risk management, conflict management, training, audit, certification, and other requirements on those activities.