Recent FFIEC and Wolfsberg Guidance Highlight Payment System Risk
The Society for Worldwide Interbank Financial Telecommunication (SWIFT) system is a messaging service that allows for automated financial communication between banks engaging in correspondent banking and needing to effect cross-border transfers. Recently, there have been two significant developments relevant to this payment mechanism, one of which includes a nearly $81 million heist involving a Bangladeshi central bank account held at the Federal Reserve Bank of New York. Additional cybersecurity attacks have occurred in Ecuador and Vietnam, and, collectively, these events have shed light on vulnerabilities of the payments system. Following the reports of the breach of the Bangladesh central bank, both SWIFT and the Federal Financial Institutions Examination Council (FFIEC) issued reminders to financial institutions of the need to manage the risks associated with interbank messaging and wholesale payment networks. The FFIEC release offered a number of risk mitigation strategies including:
- Conducting ongoing information security assessments;
- Performing security monitoring;
- Protecting against unauthorized access;
- Implementing and regularly testing controls around critical systems; and
- Enhancing security awareness and training programs.
The second recent development relating to SWIFT is the new guidance released by the Wolfsberg Group of International Financial Institutions (Wolfsberg), an association of 13 global banks with a common goal of developing AML-related standards, which supplements its Correspondent Banking Principles issued in 2014 and outlines minimum customer due diligence principles for relationship management applications (RMAs).
An RMA is a service provided by SWIFT to financial institutions that enables them to control to whom they send, and from whom they receive, messages, as well as allowable types of messages that can be exchanged. RMAs help ensure that financial institutions interact only with authorized parties, so that only appropriate messages for which an authorization is in place are sent or received.
This guidance includes due diligence principles for financial institutions to consider adopting to prevent the misuse of RMAs, which, if poorly controlled, may provide non-customers (i.e., institutions with which a financial institution has no other existing relationships but for whom the financial institution facilitates business in which it exchanges a SWIFT message) with direct access to international banking systems and, more specifically, direct payment instructions, when facilitating a customer’s business. Through this type of non-customer exchange, direct payment instructions may be compromised if proper RMA due diligence is not exercised. The principles contained within the guidance include:
- Ensuring that requests to establish an RMA between financial institutions, one of which may not be a customer of the financial institution, are properly monitored and controlled to potentially limit usage or prevent against misuse of RMAs (such as by periodically reviewing the volume of messages sent to and received from non-customer RMAs to identify significant differences between expected and actual activity);
- Segregating customer and non-customer RMA requests and establishing distinct due diligence criteria for each request type;
- Identifying changes in RMA usage from a non-customer to a customer relationship on a timely basis and determining if enhanced due diligence should be applied; and
- Taking into consideration the types of messages used by the member(s) of the SWIFT network and the risks associated with the underlying activity.
Financial institutions should establish guidelines regarding the minimum identification and due diligence requirements for non-customers as well.
Both the Wolfsberg guidance and the FFIEC statement provide insights to financial institutions on the risks of interbank messaging, and the steps to consider in terms of evaluating the risks and vulnerabilities of these services against cyberthreats and other misuse.
Mutual Funds: SEC Proposed Rules on Derivatives
In December 2015, the Securities and Exchange Commission (SEC) proposed new requirements to limit the use of derivatives by mutual funds. These rules will dramatically affect many funds, especially those that use derivatives to achieve leveraged returns. They will require funds to adhere to one of two newly designed limits, one based on notional exposure and the other based on Value at Risk (VaR). The comment period ended on March 28, 2016. No timetable has been stated for the issuance of a final rule.
Derivatives raise issues for mutual funds as they may create liabilities that exceed the carrying value of the instrument, which would be deemed to create a “senior security” which is prohibited by the Investment Company Act of 1940. The current regulatory framework for mutual funds’ use of derivatives has long been understood to require modification. There is currently no regulation that is specifically directed at this use; instead, there is an array of SEC “no-action letters,” enforcement releases, and informal remarks made by SEC staff in public forums that form the current regulatory framework for the use of derivatives. Under this framework, mutual funds may cure a senior security issue by “segregating” liquid assets (usually cash or high-grade debt securities, but listed equities are also permitted) in an amount greater than or equal to the amount of the liability created by the derivative.
The proposed rule is intended to modernize the regulation of mutual funds’ use of derivatives. Highlights of the proposed rule are:
- Limits on a mutual fund’s use of derivatives by requiring compliance with one of two alternative portfolio limitations as follows:
- Notional value. This limitation would be calculated as 150 percent of the aggregate notional value of a mutual fund’s derivatives and similar exposures.
- Value at Risk. This limitation, less restrictive than the 150 percent limit described above, would be calculated, using the aggregate notional value of a mutual fund’s derivatives and similar exposures, as 300 percent of the mutual fund’s net asset value. It would be available to funds that can demonstrate that the VaR of its portfolio, including derivatives, is less than the VaR without derivatives, and that the derivatives actually reduce risk for that reason.
- Requirements of mutual funds to establish certain risk management measures, including:
- Asset segregation. Under the proposed rule, the segregated assets (also referred to as “cover”) would have to be cash and cash equivalents rather than including listed equities as currently permitted. The rule also proposes that a risk buffer be established to cover the risk associated with an inability to exit a position under stressed market conditions.
- Risk management program. Mutual funds that engage in more than limited derivatives transactions or use complex derivatives would be required to establish a formal derivatives risk management program. The program and the designated risk manager both must be approved and reviewed by the mutual fund’s board of directors.
- The proposed rule sets out detailed requirements for board approval of a mutual fund’s derivatives risk management program and the related reporting. Compliance with these requirements is expensive and may serve as a disincentive for smaller funds to invest in derivatives.
Mutual funds and advisers should continue to monitor developments, as they could soon face new challenges related to the regulation of their use of derivatives. The proposed restrictions and requirements create cost and complexity that will need to be addressed fully, and mutual funds and advisers should evaluate their current operations today to identify the potential impact of these potential requirements.
CFPB Proposes Rules Regarding Payday, Vehicle Title and Certain Other Installment Loans
In the first federal rulemaking focused specifically on short-term lending to date, the Consumer Financial Protection Bureau (CFPB) proposed, in June 2016, a long-anticipated rule related to payday loans designed to protect consumers from potentially abusive practices and require determination of consumers’ ability to repay. The availability and affordability of short-term, small-dollar loans (often referred to as “payday” loans) in general has historically been the subject of contention among consumer advocates, regulatory agencies and payday lenders alike, and, most recently, has been the focus of ongoing study by the CFPB to evaluate potentially predatory practices and impacts to consumers. While lenders have argued that such loans provide a critical and otherwise unfulfilled need for short-term credit to subprime and low-income borrowers (borrowers that might otherwise find it hard to find credit with traditional lenders, such as banks and credit unions), the affordability of and benefit to consumers of these loans has been hotly contested due to the traditionally high cost of credit, high default rates and repetitive borrowing practices associated with these loans.
The CFPB’s proposed rule, which is intended to address these concerns, is broad in nature and applies to both open- and closed-end payday loans, deposit advance products, auto title loans and certain “high-cost” installment loans. While often associated with payday lenders specifically, the proposed rules would apply more broadly to any bank or non-bank (including online) lenders offering loans that meet the criteria of a covered loan. Under the proposed rule, the CFPB delineates between two categories of “covered loans,” as follows:
- Short Term – Loans with a duration of less than 45 days, including payday loans, short-term vehicle title loans, and open-end lines of credit; and
- Long Term – Loans with a duration of more than 45 days, an annual percentage rate (APR) of greater than 36 percent, and terms that either stipulate repayment directly from a consumer’s account or that grant the lender a security interest in a consumer’s vehicle.
The principal tenet of the proposed rule is a requirement that lenders evaluate a consumer’s ability to repay or otherwise adhere to strict loan terms and conditions. Under the proposed rule, lenders will be required to verify a consumer’s net income and debt obligations, forecast reasonable living expenses, and assess the consumer’s ability to repay in consideration of these projections. Notably absent from the rules, however, are definitive affordability thresholds by which to measure ability to repay, such as a specific debt to income ratio. Further, in order to validate consumers’ debt obligations, lenders will be required to obtain data from consumer reporting agencies and, in turn, will be required to furnish information to these agencies in a manner that is accurate and compliant with the Fair Credit Reporting Act.
Alternatively, lenders may avoid the ability to repay standards by meeting a specific set of conditions under the proposed rule and providing certain disclosures to consumers; importantly, these alternatives differ between covered short- and long-term loans and are generally more restrictive for covered short-term loans.
As an alternative to the ability to repay standards for long-term loans, for instance, lenders may adhere to the National Credit Union Administration’s (NCUA) regulations for the Payday Alternative Loans program, which limits interest rates to 28 percent or less, among other criteria.
The proposed rule also suggests certain restrictions related to lenders’ practices of obtaining payment from consumers, which apply to both short- and long-term covered loans; specifically, to prevent repeated and unsuccessful attempts to obtain payment from a consumer’s checking or savings account that may result in excessive fees. Under the proposed rule, lenders would be required to provide notice to consumers between three and seven days prior to each attempt to collect payment. The proposed rule prohibits continued collection after two attempts have failed until renewed authorization is obtained from the consumer.
The nature of the proposed rule issued by the CFPB is likely to result in significant operational and compliance impacts to payday lenders that will materially alter the industry landscape and reduce the overall availability of consumer lending products to consumers requiring short-term liquidity. The comment period closes in September 2016. Financial institutions should take steps to determine if they offer such products and evaluate the impact of the proposed rule on their product offerings and compliance program.
Limited-Purpose National Bank Charters for Fintech Companies?
The number of financial technology, or “fintech,” companies, is growing rapidly as technologies evolve and customers and institutions more widely accept and use them. Financial technology affects all aspects of the financial system, from payments to savings to lending, yet most of these companies – often non-bank “startups” – are not directly supervised by a U.S. federal regulator and do not face – as many argue – a uniform set of regulatory standards. Generally, firms do, however, face myriad state- and federal-level legal and regulatory requirements, including basic matters of licensing (such as having to register a state-licensed lender, or as a money-service business) and the various requirements and limitations associated with their registration (such as usury laws, consumer disclosure requirements, etc.). For many reasons, this operating framework can be costly and burdensome from a legal and compliance perspective, and a potential barrier to entry that could limit future financial innovation.
As a potential solution, some fintech companies have advocated for the ability to apply for a limited-purpose national bank charter, which could afford the advantage of allowing them to operate under uniform federal regulations and supervision by a single regulator. Many depository institutions have viewed this positively, arguing that it could help level the playing field, so long as fintech companies are not subject only to limited safety and soundness supervision and examination. The Office of the Comptroller of the Currency (OCC) has publicly considered this idea and has previously highlighted both the value of nonbank fintech companies obtaining a national charter as well as the implications of such charters, including the need for such firms to adhere to the same safety and soundness and consumer protection requirements expected of depository institutions. The OCC historically has issued charters to limited-purpose institutions that only offer narrow product lines, such as credit cards.
The debate over regulation and supervision of fintechs will continue, and action at a federal level is possible. Financial institutions and fintech companies should continue to monitor developments in this space. In particular, fintech companies should consider evaluating the potential advantages and costs associated with obtaining a national bank charter should such an option become available. Depository institutions should continue to monitor the competitive impacts associated with fintech companies, including the likelihood that such companies might obtain national bank charters.
It is important to note that this newsletter is provided for general information purposes only and is not intended to serve as legal analysis or advice. Companies should seek the advice of legal counsel or other appropriate advisers on specific questions and practices as they relate to their unique circumstances.