Top financial services regulatory issues for 2022

In August 2021, an interagency working group from the Fed, OCC, and FDIC issued guidance for community banks to use when conducting due diligence on fintech companies.¹ Recognizing that the nature of services provided by fintechs can raise an organization’s risk profile, the guidance provides a good starting point to understand what regulators regard as minimum due diligence standards.

In September 2021, the Fed published a paper that complements the interagency guidance and provides an additional resource for community banks when partnering with fintechs.²

Aside from the issuances specific to fintech partnerships, the agencies are expected to finalize the broader policy statement on third-party risk management that was issued for proposal in September 2021.³ This updated guidance will replace a 2008 FDIC document and separate guidance issued by the Fed and OCC in 2013. The goal is to produce one consistently applied approach for use across the industry for third-party risk management. Agencies currently are reviewing comment letters received on the proposal and are expected to issue final interagency guidance during the next few months.

Regulators are certain to continue their ongoing push for financial services organizations to enhance systems and compliance programs to fight increasingly sophisticated financial crimes and money laundering schemes. In fact, there is likely to be even greater pressure on regulated organizations to modernize compliance efforts by taking advantage of enhanced monitoring capabilities powered by many commercially available platforms.

An April 2021 interagency statement on model risk management for bank systems supporting BSA/AML compliance offers some potential insights into regulatory direction.⁴ The statement was designed to clarify the agencies’ general views regarding appropriate practices for BSA/AML model risk management, recognizing that adopting innovative transaction monitoring tools and applying artificial intelligence can complicate model validation. Additionally, banks will need to pay attention to developing rules associated with the implementation of the Anti-Money Laundering Act of 2020, especially related to beneficial ownership reporting.

Cybersecurity remains a top concern for financial services organizations and regulators alike, as banks continue to operate in a broadening ecosystem in which data and information sharing becomes more prevalent. In November 2021, federal banking agencies issued a final rule on the prompt reporting of cyberattacks.⁵ Effective May 1, 2022, banks will be required to notify their primary federal regulator within 36 hours of any computer-security incident that rises to the level of a notification incident, as defined in the rule. The new rule also spells out notification requirements for bank service providers when a computer security incident would cause a material service disruption to their banking clients.

Ransomware risks also are attracting increased regulatory interest, as attacks are occurring with greater frequency at both large and small organizations. The Financial Crimes Enforcement Network (FinCEN) recently updated its ransomware advisory, including a list of red flags to help organizations identify and report suspicious transactions associated with ransomware payments.⁶ Banks and other financial services organizations can review the advisory to stay informed about the increased sophistication of ransomware attacks.

Other cybersecurity-related issuances from the Federal Financial Institutions Examination Council include guidance that encourages banks to evaluate multifactor authentication for online account access and separate guidance that focuses on the importance of effective risk management practices when using services in a cloud environment.

In 2021, both the Fed and the OCC sent strong signals of their interest in financial risks stemming from climate issues. Both Fed Governor Brainard and Acting Comptroller Hsu have been particular advocates on the topic in public speeches. Additionally, nominated Vice Chair of Supervision Sarah Bloom Raskin has strong views on the need for supervisory guidance around climate financial risk for banking organizations.⁷

The Fed also has formed two separate climate-related working groups within the past year. The first of these, the new Supervision Climate Committee, was announced in January 2021 and is led by Kevin Stiroh, the former head of the New York Fed’s Supervision Group.⁸ A few months after that announcement, the Fed formed the Financial Stability Climate Committee, which is charged with identifying, assessing, and addressing climate-related risks to financial stability.⁹

Later in 2021, the U.S. Department of the Treasury’s Financial Stability Oversight Council responded to an executive order from the White House and released its own report on climate-related financial risk.¹⁰ This report is likely to be followed by additional guidance from member agencies, with initial efforts focused on climate financial risk-related stress testing for larger banks in 2022.

For its part, the OCC named its first-ever climate change risk officer in 2021¹¹ and included climate-related risk as a supervisory priority in its Fall 2021 “Semiannual Risk Perspective.”¹² In December 2021, the OCC also published a proposal seeking feedback on draft principles designed to support the identification and management of climate-related financial risks that would apply to national banks with more than $100 million in assets.

While the FDIC was less active on this issue than other agencies in 2021, the expectation is that this will change in 2022 with Chairman Jelena McWilliams’ departure in February. Although various agencies issued some conflicting signals on the subject during 2021, it seems certain that crypto assets will be the subject of considerable regulatory action and guidance in 2022. Outgoing FDIC Chair McWilliams had provided several updates emphasizing the importance of allowing insured banks to participate in crypto markets. It is not yet clear how her resignation will affect the agency’s stance going forward.

Meanwhile, Acting Comptroller Hsu has cautioned the industry against moving too quickly into these new areas of risk. Since 2020, the OCC has issued a series of four interpretive letters on the subject. The most recent, issued in November 2021, provided additional clarity to the earlier guidance, and it made a point of “reaffirm(ing) the primacy of safety and soundness.”¹³ It is worth noting that on Jan. 18, 2022, the OCC conditionally approved the charter application from Social Finance, Inc. to create SoFi Bank, but it placed limitations on SoFi Bank’s crypto activities in an effort to reinforce the bank’s safety and soundness.

One highly anticipated development in this area is the Fed’s review of the potential benefits and risks of issuing a U.S. digital currency, as central banks around the world experiment with the concept. The Fed issued its long-awaited report on Jan. 20, 2022, which includes more than 20 questions on which it is soliciting comments and responses through May 20. The Fed is specifically interested in input on whether and how a central bank digital currency might improve the domestic payments system.

Banks and other financial services organizations will need to pay particularly close attention to various agencies’ positions and guidance regarding the risks associated with cryptocurrencies.

Operational resilience – that is, a bank’s ability to withstand and recover from disruptions and continue operations – does not always generate headlines, but the subject has become a part of examination dialogue in a growing number of banks over the past 12 to 18 months. The focus began to intensify after August 2020, when the Basel Committee issued a consultative paper outlining principles for operational resilience across seven categories.¹⁴ Two months later, U.S. agencies issued their own document, “Sound Practices to Strengthen Operational Resilience,”¹⁵ which is largely consistent with the Basel publication.

Although the U.S. guidance applies only to banks with more than $250 billion in assets, the agencies have been discussing many of the same principles with smaller organizations. The guidance outlines seven categories that are similar – but not identical – to those in the Basel paper, and it offers a list of 37 practices for specifically managing cybersecurity risk.

More recently, the FDIC conducted a “tech sprint” event on operational resilience in October 2021. Intended to be the first of several such events, this tech sprint involved three weeks of brainstorming and meetings with FDIC and community bank subject matter experts to identify data, tools, or other capabilities to help banks develop a greater understanding of their true resilience to any hazard.

The increased emphasis on operational resilience signals a potentially broader application of similar principles in banks under $250 billion in assets. The agencies are particularly interested in how well financial services organizations are prepared to handle threats and emerging advances to their information technology systems, operations, people, and facilities.

With director Chopra now at the helm of CFPB, that agency’s supervisory efforts are likely to accelerate in several key areas. The bureau’s impact, even in banks with less than $10 billion in assets, could grow as it continues to work closely with the prudential regulators who conduct on-site consumer compliance exams in those smaller banks.

Fair lending issues have been a primary area of focus since the CFPB’s earliest days, and the emphasis in this area almost certainly will increase in 2022. The bureau continues to expand and refine the complaint database on its website. This database often is a starting point for supervisory efforts and an area where the CFPB interacts extensively with the other banking agencies if it detects trends in complaints or has concerns about an organization’s efforts to respond and remediate. With the CFPB’s sharpened focus on financial services organizations' marketing strategies, fintech and other third-party partnerships, and consumer complaints, it is important for organizations to perform robust fair lending risk assessments and remedy any gaps.

Other potentially impactful recent actions by the CFPB include new guidance for Home Mortgage Disclosure Act (HMDA) reporting, effective March 1, 2022,¹⁶ and the issuance of a proposed new rule on small business lending data collection under the Equal Credit Opportunity Act, which was issued in at the end of August 2021.¹⁷ Earlier versions of the rule would have exempted organizations under a certain asset size from this new rule, but the most recent version removes that exemption.

A final area of uncertainty is the current lack of clarity regarding the risks associated with providing banking services to marijuana-related businesses (MRBs). Because of the inconsistencies between state and federal marijuana laws, many financial services organizations remain reluctant to establish relationships with state-licensed cannabis distributors and related companies.

For several years, cannabis businesses and other advocates have lobbied for passage of the Secure and Fair Enforcement (SAFE) Banking Act, which would shield national banks from federal criminal prosecution when working with state-licensed MRBs.

In November 2021, the House of Representatives attached the SAFE Banking Act bill to its version of the 2022 National Defense Authorization Act, marking the fifth time the House has tried to advance cannabis banking reform within the past two years. Ultimately, however, the SAFE Banking Act provision was withdrawn from the legislation, so efforts to speed financial transactions by MRBs are expected to resume in 2022.

In the meantime, financial services organizations that want to provide banking services to MRBs should consult with their primary regulator and review related FinCEN guidance around BSA expectations for MRBs.